Maintaining and Monitoring the CA


If you need to obtain the latest CRL from a CA that does not support an RA, you would issue the following command:

 
 R1 (config)# crypto ca crl request MYCA 

If your RSA keys have become compromised, you need to delete the local keys on the router. To delete the local router's RSA keys, issue the following command:

 
 R1 (config)# crypto key zeroize rsa 

The crypto key zeroize rsa command removes all RSA key pairs from the router. Any certificate that was issued for those keys is useless afterward, so you must generate a new key pair and re-enroll with the CA before the router can authenticate its IPSec peers again.


If your IPSec peer has obtained new RSA keys, you need to delete your local copy of their public keys. To delete a peer's RSA public key, issue the following commands:

 
 R1 (config)# crypto key pubkey-chain rsa
 R1 (config-pubkey-chain)# no addressed-key <IP address> [encryption | signature]
 R1 (config-pubkey-chain)# exit

If you need to delete a certain digital certificate from your configuration, you must first obtain the serial number of the certificate you want to delete. To find the serial number of a digital certificate as well as its certificate chain, issue the following command:

 
 R1# show crypto ca certificates 

Once you obtain the serial number of the digital certificate you want to delete, issue the following:

 
 R1 (config)# crypto ca certificate chain <chain-name>
 R1 (config-cert-chain)# no certificate <serial-number>
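The following annotated session is an added example, not taken from the book; it strings the commands above together into the two clean-up cases a practitioner actually meets. The trustpoint name MYCA, the peer address 10.1.1.2 and the serial number 3A2F are assumed values; substitute the serial number you read from show crypto ca certificates on your own router.

```cisco
! Added example session (not from the original page). Assumed values:
! trustpoint MYCA, IPSec peer 10.1.1.2, stale certificate serial 3A2F.

! Case 1: the local RSA key pair is compromised.
! Zeroizing removes every RSA key pair on the router; IOS warns that the
! certificates issued for those keys are removed with them, so the router
! must generate a new key pair and re-enroll with the CA afterward.
R1# configure terminal
R1(config)# crypto key zeroize rsa
R1(config)# crypto key generate rsa
R1(config)# crypto ca enroll MYCA

! Case 2: a peer has rotated its RSA keys, and an old certificate must go.
! First drop the peer's stale public key so the new one can be learned.
R1(config)# crypto key pubkey-chain rsa
R1(config-pubkey-chain)# no addressed-key 10.1.1.2
R1(config-pubkey-chain)# exit

! Then remove the unwanted certificate from the trustpoint's chain. The
! serial number comes from the "Certificate Serial Number:" line printed
! by "show crypto ca certificates" for that certificate.
R1(config)# crypto ca certificate chain MYCA
R1(config-cert-chain)# no certificate 3A2F
R1(config-cert-chain)# exit
R1(config)# end

! Verify: the local key pair, the peer keys still stored, and the
! certificates that remain (the deleted serial must no longer be listed).
R1# show crypto key mypubkey rsa
R1# show crypto key pubkey-chain rsa
R1# show crypto ca certificates
```

Use the no addressed-key form with the encryption or signature keyword only when the peer uses separate usage keys; for a general-purpose key the address alone identifies the entry.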

To view your router's RSA public keys, issue the following command:

 
 R1# show crypto key mypubkey rsa 

To view a list of all RSA public keys stored on your router, issue the following command:

 
 R1# show crypto key pubkey-chain rsa 

To view information about your certificate, the CA's certificate, and any RA certificate, issue the following command:

 
 R1# show crypto ca certificates 


CCSP SECUR Exam Cram 2 (642-501)
ISBN: B000MU86IQ
Year: 2003
Pages: 291
Authors: Raman Sud
