Cisco MDS-9124 Troubleshooting Guide - Page 476
RSA Key Pairs and Identity Certificates, Peer Certificate Verification, CRLs and OCSP Support
Chapter 24 Troubleshooting Digital Certificates

Overview

RSA Key Pairs and Identity Certificates

You can generate one or more RSA key pairs and associate each key pair with a trusted CA at which the MDS switch intends to enroll to obtain an identity certificate. The switch needs only one identity per CA: one key pair and one identity certificate per CA.

Peer Certificate Verification

The peer certificate verification process involves the following steps:

• Verify that the peer certificate was issued by one of the locally trusted CAs.
• Verify that the peer certificate is valid (not expired) with respect to the current time on the switch.
• Verify that the peer certificate has not been revoked by the issuing CA.

CRLs and OCSP Support

Two methods are supported for verifying that a peer certificate has not been revoked: the certificate revocation list (CRL) and the Online Certificate Status Protocol (OCSP). The switch uses one or both of these methods to verify that the peer certificate has not been revoked.

A CRL is maintained by a CA to list the certificates it has revoked before their expiry, and the CA publishes it in a repository. Cisco MDS SAN-OS lets you manually configure pre-downloaded CRLs for the trusted CAs; the switch then caches them in bootflash (the cert-store). When IPsec or SSH verifies a peer certificate, the issuing CA's CRL is consulted only if that CRL has already been cached locally and revocation checking is configured to use CRL. Otherwise no CRL check is performed, and if no other revocation-checking method is configured the certificate is treated as not revoked, so a certificate the CA has already revoked is still accepted. A pre-downloaded CRL also reflects only the revocations made before it was downloaded; refresh it, or configure OCSP as well, when revocations must take effect promptly.

OCSP facilitates online certificate revocation checking. You can specify an OCSP URL for each trusted CA.
Import and Export Support for Certificates and Associated Key Pairs

As part of the CA authentication and enrollment process, the CA certificate (or the entire chain, in the case of a subordinate CA) and the identity certificates can be imported in standard PEM (base64) format. The complete identity information in a trust point can be exported to a file in the password-protected PKCS#12 standard format. A PKCS#12 file holds the RSA key pair, the identity certificate, and the CA certificate (or chain); because it contains the private key, the file and its password must be handled as secrets.

PKI Enrollment Support

The PKI enrollment process for a switch involves the following steps:

1. Create a trust point and authenticate the CA to it.
2. Generate an RSA private and public key pair on the switch.
3. Associate the RSA key pair with the trust point.
4. Generate a certificate request in standard format and forward it to the CA.

24-2 Cisco MDS 9000 Family Troubleshooting Guide, Release 3.x OL-9285-05
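The enrollment steps, the three peer-verification checks, the "CRL consulted only when cached" rule, and the PKCS#12 export described on this page, acted out with OpenSSL in a scratch directory. This is an added example, not the switch CLI and not Cisco's code: the CA name lab-ca, the identities mds-9124, peer-ok and peer-revoked, the file names, and the export password are all made up for the demo, the CRL "cache" is modelled as the presence of ca.crl, and the switch clock is modelled with openssl verify -attime. OCSP is not exercised.

```shell
#!/bin/sh
# Added example (not from the Cisco guide). All names are hypothetical.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Trusted CA side: a self-signed CA plus the minimal database 'openssl ca'
# needs to issue certificates and CRLs. The config is used for every req/ca
# call so the demo does not depend on the system openssl.cnf.
make_ca() {
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = lab
[ lab ]
database = index.txt
serial = serial
crlnumber = crlnumber
new_certs_dir = .
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any
x509_extensions = leaf
[ any ]
commonName = supplied
[ leaf ]
basicConstraints = CA:FALSE
EOF
  touch index.txt; echo 1000 > serial; echo 1000 > crlnumber
  openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
      -keyout ca.key -out ca.pem -subj "/CN=lab-ca" -days 365 >/dev/null 2>&1
}

# Switch side (PKI enrollment): generate the RSA key pair, build a standard
# PKCS#10 request for it, send it to the CA, get the identity cert back as PEM.
enroll() {
  name=$1; shift
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$name.key" 2>/dev/null
  openssl req -new -config ca.cnf -key "$name.key" -subj "/CN=$name" -out "$name.csr" 2>/dev/null
  openssl ca -config ca.cnf -batch -notext -in "$name.csr" -out "$name.pem" ${1+"$@"} >/dev/null 2>&1
}

# Peer certificate verification as the page describes it: issued by a trusted
# CA, within its validity period at the switch's current time ($2, epoch
# seconds, defaults to the real clock), and, only if a CRL is cached locally,
# not listed on that CRL. With no cached CRL the revocation check is skipped.
verify_peer() {
  now=${2:-$(date +%s)}
  if [ -f ca.crl ]; then
    openssl verify -CAfile ca.pem -CRLfile ca.crl -crl_check -attime "$now" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile ca.pem -attime "$now" "$1" >/dev/null 2>&1
  fi
}
peer_status() { if verify_peer "$1" ${2+"$2"}; then echo accepted; else echo rejected; fi; }

# CA side: revoke a certificate and publish a new CRL to its repository.
revoke_and_publish_crl() {
  openssl ca -config ca.cnf -revoke "$1" >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out repository.crl >/dev/null 2>&1
}
# Switch side: the manual pre-download of the CRL into the cert-store.
cache_crl() { cp repository.crl ca.crl; }

# Export the whole trust point identity (key pair, identity cert, CA cert) as
# password-protected PKCS#12, then re-open it and count the PEM objects inside.
export_pkcs12_count() {
  openssl pkcs12 -export -inkey "$1.key" -in "$1.pem" -certfile ca.pem \
      -passout "pass:$2" -out "$1.p12" 2>/dev/null
  openssl pkcs12 -in "$1.p12" -passin "pass:$2" -nodes 2>/dev/null | grep -c -- '-----BEGIN'
}

make_ca
enroll mds-9124            # the switch's own identity for this trust point
enroll peer-ok
enroll peer-revoked
NOW=$(date +%s)
echo "peer-ok, switch clock correct:       $(peer_status peer-ok.pem)"                          # accepted
echo "peer-ok, switch clock 400 days fast: $(peer_status peer-ok.pem $((NOW + 400 * 86400)))"  # rejected
revoke_and_publish_crl peer-revoked.pem
echo "peer-revoked, no CRL cached:         $(peer_status peer-revoked.pem)"                     # accepted
cache_crl
echo "peer-revoked, CRL cached:            $(peer_status peer-revoked.pem)"                     # rejected
echo "PEM objects in mds-9124.p12:         $(export_pkcs12_count mds-9124 export-pw)"           # 3
```

The "no CRL cached" line is the failure mode the page warns about: the CA has already revoked peer-revoked, but until the CRL is pre-downloaded into the cert-store the switch has nothing to check against and accepts it. The "clock 400 days fast" line shows why the expiry check is only as good as the switch's time source.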