Cisco Support Community


How to setup PKI CA Server and client "how to" document

After a long time, many documents and even more Internet web searches, I have figured out how to set up a Cisco PKI CA server and clients.

I have this documented STEP-BY-STEP.

I start off with Crypto preshared-keys and then migrate to RSA-Signatures.

Step-by-step guide.

Before I waste your time posting it, just wanted to ensure someone would find this useful.

If you would like this document, drop me a note here and I'll paste it in.

Thanks for all the help each of you have provided.

This is my attempt to give back!!!



This is the first page.

BTW, no charge.

OBJECTIVE: R1 as PKI CA Server and Client and R2 as PKI Client

This setup starts with two Cisco routers configured with pre-shared keys. The link is a single broadcast domain, no tunnels or Telcos or Internet clouds involved. Once communication is tested and verified with pre-shared keys, migration to PKI RSA-Signatures is provided.

Router-1 will be set up as a PKI CA server; the PKI CA server validates and grants certificates. Router-1 will also be set up as a PKI client and receives its certificates from the PKI CA server, which just happens to be the same physical router, Router-1. Router-2 is set up as a PKI client and receives its certificates from the PKI CA server, Router-1.

In case you haven’t figured this out, there are only 2 routers and a single cat-5 Ethernet cable involved here and nothing else except IOS c2800nm-advsecurityk9-mz.151-2.T1.bin.

If you don’t want to have an operational setup using pre-shared keys to validate configurations along the way, just skip to the configuring PKI CA server section and follow the step by step CLI directions and provided output.

If you want to run through the setup of a PKI client a second time, we clear router-2 and start over with different values. This is demonstrated following the successful setup of the PKI CA server and PKI clients.

If you just want the quick list of CLI commands for setting up basic PKI between two Cisco routers, jump to the very end.

Last updated October 28, 2010
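A minimal sketch of the layout described in the objective above (R1 as CA server and client, R2 as client, IKE moved from pre-shared keys to RSA signatures). This is an added example, not part of the original post or the author's document. The names R1-CA, R1-ID and R2-ID, the policy number 10 and the 192.0.2.x addresses are assumptions chosen for illustration.

```ios
! Added example. Assumed addressing: R1 = 192.0.2.1, R2 = 192.0.2.2.
! Both routers need a correct clock (NTP or "clock set") before any of
! this: the CA server will not start and certificates will not validate
! if the clock is wrong.

! ---------- R1: CA server ----------
ip http server                          ! SCEP enrollment runs over HTTP
crypto key generate rsa general-keys label R1-CA modulus 2048
crypto pki server R1-CA                 ! hypothetical server name
 issuer-name CN=R1-CA
 grant auto                             ! isolated lab only; otherwise review
                                        ! and grant each request by hand
 no shutdown                            ! prompts for a key passphrase

! ---------- R1: client of its own CA ----------
! The trustpoint name must differ from the CA server name, because the
! server creates a trustpoint called R1-CA for itself.
crypto pki trustpoint R1-ID
 enrollment url http://192.0.2.1:80
 rsakeypair R1-ID 2048
 revocation-check none                  ! lab only: no CRL is checked
crypto pki authenticate R1-ID           ! fetches the CA certificate
crypto pki enroll R1-ID                 ! requests R1's identity certificate

! ---------- R2: client ----------
crypto pki trustpoint R2-ID
 enrollment url http://192.0.2.1:80
 rsakeypair R2-ID 2048
 revocation-check none
crypto pki authenticate R2-ID           ! compare the fingerprint shown here
                                        ! with "show crypto pki server" on R1
                                        ! before answering yes
crypto pki enroll R2-ID

! ---------- Both routers: switch IKE to certificates ----------
crypto isakmp policy 10
 authentication rsa-sig                 ! IOS default, so it may not appear
                                        ! in the running configuration
! Remove the old key only after both certificates are installed:
! no crypto isakmp key <pre-shared-key> address <peer-address>

! ---------- Checks ----------
! show crypto pki server                (R1: status "enabled", fingerprint)
! show crypto pki certificates          (each router: CA cert + own cert)
! show crypto isakmp sa                 (after clearing the old SA)
```

Comparing the CA fingerprint out of band during `crypto pki authenticate` is the step that anchors trust in the CA; with `grant auto` and `revocation-check none` in place, it is the only identity check this lab configuration performs.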

Cisco Employee

Re: How to setup PKI CA Server and client "how to" document


It looks like people might benefit from this. I can't promise it will be the most read document on the forums but it's definitely something others might use.

Before posting I'd strongly suggest to make sure you utilize formatting and provide some structure.

In the case of a document like this I'd stick to the following structure (attached below) - this is one of the templates we're encouraged to use.

If you have your observations or something you'd recommend (and why!), I'd leave it to a blog post.



This document provides a sample configuration for ... (this introduction should provide a description of the subject matter and any contextual information describing a real-world scenario in which this information might be used).



There are no specific requirements for this document.


Ensure that you meet these requirements before you attempt this configuration:

Components Used


This section describes the information you need to configure the features described in this document.

Network Diagram

This document uses this network setup:


This document uses these configurations:


Use this section to confirm that your configuration works properly.
