CA Certificate Commands

This chapter contains the following sections:

ca-certificate install

To manually install a CA certificate, use the ca-certificate install command in Global Configuration mode. To remove a static CA certificate, use the no form of this command.

Syntax

ca-certificate install name name [owner owner]

no ca-certificate install {name name | owner owner}

Parameters

  • name—Specifies the certificate name. The range is from 1 to 160 characters.

  • owner—Specifies the owner of the certificate. This is a string of 0 to 32 characters. If an owner is not specified, the default owner is "Static".

When adding a certificate, the certificate itself should follow the command on the command line.

Default Configuration

There are no installed certificates.

Command Mode

Global Configuration mode

User Guidelines

Use the ca-certificate install name command to install a CA certificate.

Following the command, the user will be prompted to enter the certificate in the command line.

The user will need to enter or paste the certificate. Entering a period on a separate line indicates that the certificate input is complete.

The entered certificate must be in PEM format.

A certificate cannot be validated unless the system clock has been set by the user, synchronized with SNTP, or provided by a hardware Real Time Clock (RTC).

Up to 256 certificates can be installed.

When using the no form of the command to remove certificates, a specific certificate can be removed by name. Alternatively, the owner keyword can be used to remove all static certificates belonging to a specific owner.
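The following is an added example, not part of the original command reference and not Cisco code. It models what the switch has to do with the pasted input described above: collect lines until a line holding only a period, check the PEM armor, base64-decode to DER, and pull the serial number and validity period out of the certificate with a minimal DER walker. The sample certificate is a constructed, unsigned, certificate-shaped structure (empty issuer and subject, placeholder public key and signature) built inline with the `der()` helper; the serial number and validity dates are copied from the page's `cert1` show output. Function names such as `read_until_period`, `pem_to_der` and `certificate_fields` are this example's own.

```python
import base64
import datetime


def der(tag, content):
    """Encode one DER TLV (used only to construct the sample certificate below)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


# Constructed sample: certificate-shaped DER, not a real signed certificate.
SHA256_RSA_OID = der(0x06, bytes.fromhex("2a864886f70d01010b"))  # 1.2.840.113549.1.1.11
TBS = der(0x30, b"".join([
    der(0xA0, der(0x02, b"\x02")),                           # [0] version = v3
    der(0x02, bytes.fromhex("10ad0044a8418ad5005e45b6")),    # serialNumber (page's cert1)
    der(0x30, SHA256_RSA_OID),                               # signature AlgorithmIdentifier
    der(0x30, b""),                                          # issuer Name (empty in the sample)
    der(0x30, der(0x17, b"151121080000Z") + der(0x17, b"201122075959Z")),  # validity
    der(0x30, b""),                                          # subject Name (empty)
    der(0x30, b""),                                          # subjectPublicKeyInfo placeholder
]))
SAMPLE_DER = der(0x30, TBS + der(0x30, SHA256_RSA_OID) + der(0x03, b"\x00"))
_B64 = base64.b64encode(SAMPLE_DER).decode()
# What a user would paste at the prompt, terminated by a lone period; a later CLI
# line follows to show that reading stops at the period.
SAMPLE_PASTE = (["-----BEGIN CERTIFICATE-----"]
                + [_B64[i:i + 64] for i in range(0, len(_B64), 64)]
                + ["-----END CERTIFICATE-----", ".", "show ca-certificate"])


def read_until_period(lines):
    """Collect pasted lines the way the CLI does: stop at a line holding only '.'."""
    body = []
    for line in lines:
        if line.strip() == ".":
            return body
        body.append(line.rstrip("\r\n"))
    raise ValueError("input was not terminated by a line containing only '.'")


def pem_to_der(lines):
    """Check the PEM armor and decode the base64 body to DER bytes."""
    lines = [l.strip() for l in lines if l.strip()]
    if (not lines or lines[0] != "-----BEGIN CERTIFICATE-----"
            or lines[-1] != "-----END CERTIFICATE-----"):
        raise ValueError("expected -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past the end of the buffer")
    return tag, buf[pos:end], end


def children(buf):
    """Split a constructed DER value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        out.append((tag, body))
    return out


def parse_time(tag, body):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into an aware datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.datetime.strptime(body.decode("ascii"), fmt).replace(tzinfo=datetime.timezone.utc)


def certificate_fields(der_bytes):
    """Return serial (display form) and validity window from a DER certificate."""
    tag, body, end = read_tlv(der_bytes, 0)
    if tag != 0x30 or end != len(der_bytes):
        raise ValueError("certificate is not a single DER SEQUENCE")
    tbs_tag, tbs = children(body)[0]
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = children(tbs)
    if fields and fields[0][0] == 0xA0:     # optional explicit [0] version
        fields = fields[1:]
    serial = fields[0][1]                   # serialNumber INTEGER
    not_before, not_after = (parse_time(t, v) for t, v in children(fields[3][1]))
    return {"serial": ":".join(f"{b:02x}" for b in serial),
            "not_before": not_before, "not_after": not_after}


def install_from_paste(lines):
    """Everything the switch must do between the paste and the validity check."""
    return certificate_fields(pem_to_der(read_until_period(lines)))


if __name__ == "__main__":
    print(install_from_paste(SAMPLE_PASTE))
```

The walker relies only on DER's tag/length framing, so the same `certificate_fields` runs unchanged on a real PEM certificate pasted in place of the constructed sample; the dates it returns are what the switch compares against its clock, which is why an unset clock leaves every installed certificate unusable.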

Examples

Example 1. The following example installs a CA certificate from the command line:

switchxxxxxx(config)# ca-certificate install root1
Please paste the input now, add a period (.) on a separate line after the
input, and press Enter.
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
switchxxxxxx(config)# 

ca-certificate revoke

To add a certificate to the revocation list, use the ca-certificate revoke command in Global Configuration mode. To remove a certificate from the revocation list, use the no form of this command.

Syntax

ca-certificate revoke issuer issuer serial-number serial-number

no ca-certificate revoke issuer issuer serial-number serial-number

Parameters

  • issuer—The issuer string as it appears in the revoked certificate - including all parameters (Range: 1-160 characters).

  • serial-number—The serial number of the revoked certificate. This is a string in hexadecimal format (Range: 1-16 pairs of characters).

Default Configuration

There are no revoked certificates.

Command Mode

Global Configuration mode

User Guidelines

Use the ca-certificate revoke command to add a certificate to the revocation list.

When entering the issuer information, the full issuer string should be entered as it appears in the certificate. If the string contains spaces, it must be contained in quotation marks.

Adding a certificate to this list will change the status of this certificate to "revoked" if it is installed. If the certificate is not installed, it will receive the revoked status if it is installed at a later date.

Up to 512 certificates can be added to the revocation list.
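The following is an added example, not part of the original command reference and not Cisco code. It models the revocation list described above and the status column of the show ca-certificate output: the issuer string and serial number from a revoke command are stored as a pair, the serial is accepted in the contiguous hexadecimal form used on the command line (1 to 16 byte pairs) and normalized to the colon-separated display form, and a certificate's status is then derived from the list and the current clock. The command line is tokenized with shlex so that an issuer containing spaces must be quoted, as the guidelines require. The sample certificates and the revocation command are constructed from values in the page's own examples; the ordering of checks (revocation before the validity window) and the names `RevocationList` and `certificate_status` are this example's assumptions.

```python
import datetime
import shlex

UTC = datetime.timezone.utc


def normalize_serial(serial):
    """Accept 'aabbcc' (CLI entry form) or 'aa:bb:cc' (display form); return display form."""
    hexstr = serial.replace(":", "").strip().lower()
    if len(hexstr) % 2 or not 1 <= len(hexstr) // 2 <= 16:
        raise ValueError("serial number must be 1 to 16 hexadecimal byte pairs")
    int(hexstr, 16)  # rejects non-hexadecimal characters
    return ":".join(hexstr[i:i + 2] for i in range(0, len(hexstr), 2))


def parse_revoke_command(line):
    """Tokenize '[no] ca-certificate revoke issuer <issuer> serial-number <serial>'.

    shlex keeps a quoted issuer string together; an unquoted issuer with spaces
    splits into extra tokens and is rejected, matching the quoting rule.
    """
    tokens = shlex.split(line)
    negate = tokens[:1] == ["no"]
    if negate:
        tokens = tokens[1:]
    if (len(tokens) != 6 or tokens[:3] != ["ca-certificate", "revoke", "issuer"]
            or tokens[4] != "serial-number"):
        raise ValueError("expected: [no] ca-certificate revoke issuer <issuer> serial-number <serial>")
    issuer = tokens[3]
    if not 1 <= len(issuer) <= 160:
        raise ValueError("issuer must be 1 to 160 characters")
    return negate, issuer, normalize_serial(tokens[5])


class RevocationList:
    """(issuer, serial) pairs; capped at 512 entries as the page states."""
    LIMIT = 512

    def __init__(self):
        self.entries = set()

    def apply(self, line):
        negate, issuer, serial = parse_revoke_command(line)
        if negate:
            self.entries.discard((issuer, serial))
        elif (issuer, serial) not in self.entries:
            if len(self.entries) >= self.LIMIT:
                raise ValueError("revocation list is full (512 entries)")
            self.entries.add((issuer, serial))

    def is_revoked(self, issuer, serial):
        return (issuer, normalize_serial(serial)) in self.entries


def certificate_status(cert, crl, now):
    """Status as shown by 'show ca-certificate'; revocation is checked first (assumption)."""
    if crl.is_revoked(cert["issuer"], cert["serial"]):
        return "Revoked"
    if now < cert["not_before"]:
        return "Premature"
    if now > cert["not_after"]:
        return "Expired"
    return "Valid"


# Constructed sample certificates, fields taken from the page's show output.
GLOBALSIGN = "C=US, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation"
CERTS = {
    "cert1": {"issuer": GLOBALSIGN, "serial": "10:ad:00:44:a8:41:8a:d5:00:5e:45:b6",
              "not_before": datetime.datetime(2015, 11, 21, 8, 0, 0, tzinfo=UTC),
              "not_after": datetime.datetime(2020, 11, 22, 7, 59, 59, tzinfo=UTC)},
    "certA": {"issuer": GLOBALSIGN, "serial": "10:e6:fc:62:b7:41:8a:d5:00:5e:45:b6",
              "not_before": datetime.datetime(2016, 11, 21, 8, 0, 0, tzinfo=UTC),
              "not_after": datetime.datetime(2017, 11, 22, 7, 59, 59, tzinfo=UTC)},
    "certB": {"issuer": "C=US, O=Google Trust Services, CN=GTS CA 101",
              "serial": "88:cc:55:ae:a8:41:8a:d5:00:5e:45:b6",
              "not_before": datetime.datetime(2019, 9, 21, 8, 0, 0, tzinfo=UTC),
              "not_after": datetime.datetime(2020, 9, 22, 7, 59, 59, tzinfo=UTC)},
}
# The page's Example 1, with the serial in CLI entry form.
REVOKE_CMD = ('ca-certificate revoke issuer "C=US, O=GlobalSign nv-sa, '
              'CN=GlobalSign Organization Validation" serial-number 10ad0044a8418ad5005e45b6')


def statuses(crl, now):
    return {name: certificate_status(cert, crl, now) for name, cert in CERTS.items()}


if __name__ == "__main__":
    crl = RevocationList()
    crl.apply(REVOKE_CMD)
    print(statuses(crl, datetime.datetime(2019, 11, 1, tzinfo=UTC)))
    # An unset clock (epoch) makes every unrevoked certificate Premature.
    print(statuses(crl, datetime.datetime(1970, 1, 1, tzinfo=UTC)))
```

Running it with the clock at 1 November 2019 gives cert1 Revoked, certA Expired and certB Valid; issuing the no form of the same command returns cert1 to Valid, and a clock left at the epoch reports every unrevoked certificate as Premature, which is the clock caveat from the install command made visible.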

Examples

Example 1. The following example adds a CA certificate to the revocation list:

switchxxxxxx(config)# ca-certificate revoke issuer "C=US, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation" serial-number 10ad0044a8418ad5005e45b6
switchxxxxxx(config)#

show ca-certificate

To display the CA certificates installed on the device and their status, use the show ca-certificate command in Privileged EXEC mode.

Syntax

show ca-certificate [name name] [type type] [owner owner-name] [detailed]

Parameters

  • name name—Specifies the certificate name. (Range: 1-160 characters).

  • type type—Specifies the certificate type. The possible values are static, dynamic or signer.

  • owner owner-name—Specifies the name of the certificate owner - this is the application that installed a dynamic certificate. (Range: 1-32 characters).

  • detailed—This optional parameter shows detailed information for the displayed certificates. If this parameter is not used, only limited information is displayed for each certificate.

Command Mode

Privileged EXEC mode

User Guidelines

Use the show ca-certificate command to display all installed CA certificates.

Use the optional name, type and owner parameters to display the information of a subset of certificates.

Examples

Example 1. The following example displays brief information for all static CA certificates:

switchxxxxxx# show ca-certificate type static
Name           Type    Owner     Valid From   Valid To     Status
-------------  ------  --------  -----------  -----------  ----------
local.cert     static  rnd       03-Aug-2019  03-Aug-2020  Valid
app1.cert1     static  app1      16-Jan-2021  16-Jul-2023  Premature
app1.cert2     static  app1      15-Mar-2017  14-Mar-2018  Expired
trusted-cert1  static  app2      27-Jun-2019  26-Jun-2024  Valid
certif3        static  app3      08-Feb-2018  08-Feb-2020  Revoked

Example 2. The following example displays detailed information for all CA certificates:

switchxxxxxx# show ca-certificate detailed
>C-CountryName, ST-StateOrProvinceName, L-Locality, O-Organization,
>OU-OrganizationalUnit, CN-CommonName
cert1
  Type: Signer
  Owner: N/A
  Version: 3 (0x2)
  Serial Number: 10:ad:00:44:a8:41:8a:d5:00:5e:45:b6
  Issuer: C=US, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation
  Status: Valid
  Validity
    Not Before: Nov 21 08:00:00 2015 GMT
    Not After : Nov 22 07:59:59 2020 GMT
  Subject: C=US, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation
  Public Key Type: ECDSA_P256
  Public Key Length: 2048 bits
  Signature Algorithm: sha256RSA
certA
  Type: Static
  Owner: Static
  Parent: cert1
  Version: 3 (0x2)
  Serial Number: 10:e6:fc:62:b7:41:8a:d5:00:5e:45:b6
  Issuer: C=US, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation
  Status: Not Valid (expired)
  Validity
    Not Before: Nov 21 08:00:00 2016 GMT
    Not After : Nov 22 07:59:59 2017 GMT
  Subject: C=US, ST=California, L=San Francisco, O=AKB Foundation, Inc.,
           CN=*.wikipedia.org
  Finger print: DC72343 DC88A988 127897BC BB789788
  Public Key Type: ECDSA_P256
  Public Key Length: 2048 bits
  Signature Algorithm: sha256RSA
certB
  Type: Dynamic
  Owner: PnP
  Parent: cert1
  Version: 3 (0x2)
  Serial Number: 88:cc:55:ae:a8:41:8a:d5:00:5e:45:b6
  Issuer: C=US, O=Google Trust Services, CN=GTS CA 101
  Status: Not Valid (revoked)
  Validity
    Not Before: Sep 21 08:00:00 2019 GMT
    Not After : Sep 22 07:59:59 2020 GMT
  Subject: C=US, S=California, L=Mountain View O=Google LLC, CN=*.google.com
  Finger print: DC789788 DC88A988 127897BC BB789788
  Public Key Type: ECDSA_P256
  Public Key Length: 2048 bits
  Signature Algorithm: sha256RSA

show ca-certificate revocation

To display the CA certificate revocation list, use the show ca-certificate revocation command in Privileged EXEC mode.

Syntax

show ca-certificate revocation

Command Mode

Privileged EXEC mode

User Guidelines

Use the show ca-certificate revocation command to display the CA certificate revocation list.

Examples

Example. The following example displays the revocation list:

switchxxxxxx# show ca-certificate revocation
>C-CountryName, ST-StateOrProvinceName, L-Locality, O-Organization,
>OU-OrganizationalUnit, CN-CommonName
  Issuer: C=US, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation
  Serial Number: 10:ad:00:44:a8:41:8a:d5:00:5e:45:b6
--------------------------------------------------------------------------
  Issuer: C=US, O=Google Trust Services, CN=GTS CA 101
  Serial Number: 00:9e:44:1b:49:08:8d:75:bb:02:00:00:00:00:40:a5:b4