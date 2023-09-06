
Cryptography (X.509, IPSec)

crypto ipsec ike {clear sa [peer {any | <ipv4v6-address>} local <ip-address>] | restart}

Manages the IKE (ISAKMP) process or database state.

Syntax Description

| Parameter | Description |
| --- | --- |
| clear | Clears IKE (ISAKMP) peering state |
| sa | Clears IKE-generated ISAKMP and IPSec security associations (remote peers are affected) |
| peer | Clears security associations for the specified IKE peer (remote peers are affected). |
| local | Clears security associations for the specified/all IKE peering (remote peer is affected) |
| restart | Restarts the IKE (ISAKMP) daemon (clears all IKE state, peers may be affected) |

| Field | Value |
| --- | --- |
| Default | N/A |
| Configuration Mode | config |
| History | 1.1.0 |
| Example | |
| Related Commands | |
| Notes | |

crypto ipsec peer <ipv4v6-address> local <ipv4v6-address> {enable | keying {ike [auth {hmac-md5 | hmac-sha1 | hmac-sha256 | null} | dh-group | disable | encrypt | exchange-mode | lifetime | local-identity | mode | peer-identity | pfs-group | preshared-key | prompt-preshared-key | transform-set] | manual [auth | disable | encrypt | local-spi | mode | remote-spi]}}

Configures IPSec in the system.

Syntax Description

| Parameter | Description |
| --- | --- |
| enable | Enables IPSec peering |
| ike | Configures IPSec peering using IKE ISAKMP to manage SA keys. |
| keying | Configures key management for this IPSec peering: |
| manual | Configures IPSec peering using manual keys |

| Field | Value |
| --- | --- |
| Default | N/A |
| Configuration Mode | config |
| History | 1.1.0 |
| Example | |
| Related Commands | |
| Notes | |

crypto certificate ca-list [default-ca-list {name {<CA list name> | system-self-signed}}]

Adds the specified CA certificate to the default CA certificate list.

Syntax Description

| Parameter | Description |
| --- | --- |
| cert-name | Name of the certificate |

| Field | Value |
| --- | --- |
| Default | N/A |
| Configuration Mode | config |
| History | 1.1.0 |
| Example | |
| Related Commands | |
| Notes | |

crypto certificate default-cert [{name {<cert-name> | system-self-signed}}]

Designates the named certificate as the global default certificate role for authentication of this system to clients.

Syntax Description

| Parameter | Description |
| --- | --- |
| cert-name | Name of the certificate |

| Field | Value |
| --- | --- |
| Default | N/A |
| Configuration Mode | config |
| History | 1.1.0 |
| Example | |
| Related Commands | |
| Notes | |

crypto certificate generation {default {country-code | days-valid | email-addr | key-size-bits | locality | org-unit | organization | state-or-prov}}

Configures default values for certificate generation.

Syntax Description

| Parameter | Description |
| --- | --- |
| country-code | Configures the default certificate value for country code with a two-alphanumeric-character code or – for none |
| days-valid | Configures the default certificate valid days. Default: 365 days. |
| email-addr | Configures the default certificate value for email address |
| key-size-bits | Configures the default certificate value for private key size. (Private key length in bits – at least 1024, but 2048 is strongly recommended.) |
| locality | Configures the default certificate value for locality |
| org-unit | Configures the default certificate value for organizational unit |
| organization | Configures the default certificate value for the organization name |
| state-or-prov | Configures the default certificate value for state or province |

| Field | Value |
| --- | --- |
| Default | N/A |
| Configuration Mode | config |
| History | 1.1.0 |
| Example | |
| Related Commands | |
| Notes | |

crypto certificate name {<name> | system-self-signed} {comment <new comment> | generate self-signed [comment <cert-comment> | common-name <domain> | country-code <code> | days-valid <days> | email-addr <address> | key-size-bits <bits> | locality <name> | org-unit <name> | organization <name> | serial-num <number> | state-or-prov <name>] | private-key pem <PEM string> | prompt-private-key | public-cert [comment <comment string> | pem <PEM string>] | regenerate days-valid <days> | rename <new name>}

Configures default values for certificate generation.

Syntax Description

| Parameter | Description |
| --- | --- |
| cert-name | Unique name by which the certificate is identified |
| comment | Specifies a certificate comment |
| generate self-signed | Generates certificates. This option has the following parameters which may be entered sequentially in any order: |
| private-key pem | Specifies certificate contents in PEM format |
| prompt-private-key | Prompts for certificate private key with secure echo |
| public-cert | Installs a certificate |
| regenerate | Regenerates the named certificate using configured certificate generation default values for the specified validity period |
| rename | Renames the certificate |

| Field | Value |
| --- | --- |
| Default | N/A |
| Configuration Mode | config |
| History | 1.1.0 |
| Example | |
| Related Commands | |
| Notes | |

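An added example, not taken from the original page or the vendor: a small audit that scans configuration lines written in the `crypto ipsec peer ... keying ike auth` and `key-size-bits` syntax documented above and flags `hmac-md5`/`null` IKE authentication and certificate keys shorter than the 2048 bits the page recommends. The sample lines, the severity policy and the name `audit_crypto_config` are constructed for illustration; it assumes saved configuration lines mirror the command syntax.

```python
import re

MIN_KEY_BITS = 2048  # the page: "2048 is strongly recommended"
# Severity policy is an assumption of this example, not a vendor statement.
AUTH_SEVERITY = {"hmac-md5": "weak", "null": "weak",
                 "hmac-sha1": "legacy", "hmac-sha256": None}

PEER_RE = re.compile(
    r"^crypto ipsec peer (?P<peer>\S+) local \S+ keying ike auth (?P<auth>\S+)")
KEYSIZE_RE = re.compile(
    r"^crypto certificate "
    r"(?:generation default|name \S+ generate self-signed(?: .*?)?)"
    r" key-size-bits (?P<bits>\d+)")

# Constructed sample input (documentation address ranges).
SAMPLE_CONFIG = """\
crypto ipsec peer 192.0.2.10 local 192.0.2.1 keying ike auth hmac-md5
crypto ipsec peer 192.0.2.20 local 192.0.2.1 keying ike auth hmac-sha256
crypto ipsec peer 2001:db8::5 local 2001:db8::1 keying ike auth null
crypto certificate generation default key-size-bits 1024
crypto certificate name web-cert generate self-signed days-valid 365 key-size-bits 2048
"""

def audit_crypto_config(text):
    """Return a list of (line_no, severity, message) findings."""
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = " ".join(raw.split())  # normalise whitespace
        m = PEER_RE.match(line)
        if m:
            # Values not listed on the page are reported as "unknown".
            sev = AUTH_SEVERITY.get(m["auth"], "unknown")
            if sev:
                findings.append(
                    (no, sev, f"peer {m['peer']}: IKE auth {m['auth']}"))
            continue
        m = KEYSIZE_RE.match(line)
        if m and int(m["bits"]) < MIN_KEY_BITS:
            findings.append(
                (no, "weak",
                 f"certificate key size {m['bits']} < {MIN_KEY_BITS} bits"))
    return findings

if __name__ == "__main__":
    for no, sev, msg in audit_crypto_config(SAMPLE_CONFIG):
        print(f"line {no}: [{sev}] {msg}")
```
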
crypto certificate system-self-signed regenerate [days-valid <days>]

Configures default values for certificate generation.

Syntax Description

| Parameter | Description |
| --- | --- |
| days-valid | Specifies the number of days the certificate is valid |

| Field | Value |
| --- | --- |
| Default | N/A |
| Configuration Mode | config |
| History | 1.1.0 |
| Example | |
| Related Commands | |
| Notes | |

show crypto certificate [detail | public-pem | default-cert [detail | public-pem] | name <cert-name> [detail | public-pem] | ca-list [default-ca-list]]

Displays information about all certificates in the certificate database.

Syntax Description

| Parameter | Description |
| --- | --- |
| ca-list | Specifies the number of days the certificate is valid |
| default-ca-list | Displays information about the currently configured default certificates of the CA list |
| default-cert | Displays information about the currently configured default certificate |
| detail | Displays all attributes related to the certificate |
| name | Displays information about the certificate specified |
| public-pem | Displays the uninterpreted public certificate as a PEM formatted data string |

| Field | Value |
| --- | --- |
| Default | N/A |
| Configuration Mode | Any configuration mode |
| History | 1.1.0 |
| Example | |
| Related Commands | |
| Notes | |

show crypto ipsec [brief | configured | ike | policy | sa]

Displays information about the IPSec configuration.

| Field | Value |
| --- | --- |
| Syntax Description | N/A |
| Default | N/A |
| Configuration Mode | Any configuration mode |
| History | 1.1.0 |
| Example | |
| Related Commands | |
| Notes | |