Specifications

Setting Up Secure Survivable Remote Site Telephony
How to Configure Secure SRST
Cisco Unified Survivable Remote Site Telephony Version 4.0 System Administrator Guide
Disabling Automatic Certificate Enrollment
The grant auto command allows certificates to be issued and was activated in the optional task
documented in the “Configuring a Certificate Authority Server on a Cisco IOS Certificate Server”
section on page 113.
Note: A security best practice is to disable the grant auto command so that certificates cannot be
continually granted.
SUMMARY STEPS
1. crypto pki server cs-label
2. shutdown
3. no grant auto
4. no shutdown
DETAILED STEPS
Step 1: crypto pki server cs-label
  Example: Router (config)# crypto pki server srstcaserver
  Purpose: Enables the certificate server and enters certificate server configuration mode.
  Note: If you manually generated an RSA key pair, the cs-label argument must match the name of
  the key pair.
Step 2: shutdown
  Example: Router (cs-server)# shutdown
  Purpose: Disables the Cisco IOS certificate server.
Step 3: no grant auto
  Example: Router (cs-server)# no grant auto
  Purpose: Prevents certificates from being issued automatically to any requestor. This command
  was for use during enrollment only and thus needs to be removed in this task.
Step 4: no shutdown
  Example: Router (cs-server)# no shutdown
  Purpose: Enables the Cisco IOS certificate server. You should issue this command only after you
  have completely configured your certificate server.
What to Do Next
For manual enrollment instructions, see the Manual Certificate Enrollment (TFTP and Cut-and-Paste)
feature.
Verifying Certificate Enrollment
If you used the Cisco IOS certificate server as your CA, use the show running-config command to verify
certificate enrollment or the show crypto pki server command to verify the status of the CA server.
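The following Python check is an added example, not part of the Cisco guide: it reads saved show running-config output and reports every certificate server block that still carries grant auto, so the task above can be confirmed after the fact. The sample configuration, the labca label, and the function names are constructed for illustration, and the script assumes sub-commands appear indented under the crypto pki server line.

```python
import re

# Constructed sample of "show running-config" output (not taken from the guide).
SAMPLE_CONFIG = """\
hostname Router
!
crypto pki server srstcaserver
 database level complete
 issuer-name CN=srstcaserver
 grant auto
!
crypto pki server labca
 database level minimum
 shutdown
!
crypto pki trustpoint srstca
 revocation-check none
!
end
"""

SERVER_RE = re.compile(r"^crypto pki server (\S+)\s*$")

def audit_cert_servers(config_text):
    """Return {cs_label: {"grant_auto": bool, "shutdown": bool}}."""
    servers, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        match = SERVER_RE.match(line)
        if match:
            current = servers.setdefault(
                match.group(1), {"grant_auto": False, "shutdown": False})
            continue
        if not line.startswith(" "):
            current = None          # any non-indented line ends the block
            continue
        if current is None:
            continue                # indented line of some other block
        cmd = " ".join(line.split())
        if cmd == "grant auto":     # "no grant auto" does not match
            current["grant_auto"] = True
        elif cmd == "shutdown":
            current["shutdown"] = True
    return servers

def servers_still_auto_granting(config_text):
    """Labels of certificate servers that still need 'no grant auto'."""
    found = audit_cert_servers(config_text)
    return sorted(label for label, state in found.items() if state["grant_auto"])

if __name__ == "__main__":
    for label in servers_still_auto_granting(SAMPLE_CONFIG):
        print(f"{label}: grant auto still configured; apply 'no grant auto'")
```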