Let's summarize:

1. update-crypto-policies --set DEFAULT:SHA1
and configure the SCEP security settings, as described in 5.8.2. Configuring
Security Settings for SCEP:
https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html-single/administration_guide/index#renewing-certificates

2. With last-generation Cisco devices everything works correctly with SCEP
enrolment and Dogtag 11.8.4, optionally with:
- crypto pki trustpool import clean [terminal | url url]
- crypto pki trustpool import {terminal} {url url | ca-bundle} {vrf vrf-name | source interface interface-name}
- chain-validation stop
- password [stroke]
- hash sha256
- rsakeypair [key-label key-size encryption-key-size]
It does not work with eckeypair [label]: no CSR request is sent at all, with
the error: not found private key for eckeypair :(

3. Router(config)# crypto ca auth [trustpoint name]

4. Uncomment UID: and PWD: in flatfile.txt, set UID:ip_addr_of_router and
PWD:[stroke], then, with debugging enabled:
  Crypto PKI Msg debugging is on
  Crypto PKI Trans debugging is on
  Crypto PKI Certificate Server debugging is on
  Crypto PKI SCEP Messages debugging is on

Router(config)# crypto pki enroll [trustpoint name]
 Insert serial number(yes/no)?
 Request certificate from CA(yes/no)?
All done.

5. Unfortunately, the old Cisco hardware with IOS >=12.X and SHA-1
cannot request certs, due to the Subj.

_______________________________________________
Pki-users mailing list -- users@lists.dogtagpki.org
To unsubscribe send an email to users-le...@lists.dogtagpki.org
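For readers wanting steps 2 to 4 of the summary above as one consolidated router configuration, the following is an added example, not part of the original post. It assumes a Dogtag CA reachable at the placeholder host ca.example.test on port 8080 with the stock SCEP path /ca/cgi-bin/pkiclient.exe, a trustpoint named DOGTAG, and a router whose management address 192.0.2.10 is the UID registered in the CA's flatfile.txt; the challenge password "[stroke]" is the post's own placeholder and must match the PWD line in flatfile.txt. Everything else follows the commands the post lists.

```text
! --- Dogtag side (constructed example of the flatfile.txt entry from step 4) ---
! One UID/PWD pair per router, uncommented:
!   UID:192.0.2.10
!   PWD:[stroke]

! --- Cisco IOS side (assumed names/addresses; see lead-in) ---
configure terminal
 ! Optional trustpool refresh from step 2 (only if the public bundle is wanted)
 ! crypto pki trustpool import clean url http://ca.example.test:8080/ca-bundle.p7b

 crypto pki trustpoint DOGTAG
  enrollment url http://ca.example.test:8080/ca/cgi-bin/pkiclient.exe
  ! Stop chain building at the Dogtag CA certificate itself (step 2)
  chain-validation stop
  ! Must equal the PWD value in flatfile.txt (step 4)
  password [stroke]
  ! SHA-256 works on current devices; SHA-1-only IOS >=12.X fails per step 5
  hash sha256
  ! RSA only: eckeypair fails with "not found private key for eckeypair" (step 2)
  rsakeypair DOGTAG-KEY 2048
  ! Subject the CA will see in the CSR (assumed value)
  subject-name CN=rtr1.example.test,O=Example
 exit

 ! Step 4 debugging, enabled before enrolment so the SCEP exchange is logged
 do debug crypto pki messages
 do debug crypto pki transactions
 do debug crypto pki server
 do debug crypto pki scep

 ! Step 3: fetch and accept the CA certificate (crypto ca auth is the legacy form)
 do crypto pki authenticate DOGTAG

 ! Step 4: submit the CSR; answer "no" to including the serial number and
 ! "yes" to requesting the certificate when prompted
 do crypto pki enroll DOGTAG
end

! Verify the issued certificate arrived
show crypto pki certificates DOGTAG
```

A point worth checking after enrolment: flatfile.txt authenticates the request by the source IP in the UID line, so the enrollment must leave the router from that address; if the request is NATed or sourced from another interface, the CA rejects it and the SCEP debug output shows the failure on the Dogtag side rather than on the router.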