Configuring Public-Key Infrastructure

This section provides default Public-Key Infrastructure values and a procedure for configuring a Public-Key Infrastructure system.

Default Public-Key Infrastructure Parameters

| Parameter | Description | Default Value |
|---|---|---|
| OCSP certificate revocation checking | Determines whether Certificate Authority (CA) revocation checking is enabled or disabled. | enabled |
| outgoing OCSP request nonce extension inclusion | Specifies whether the nonce extension is included in the outgoing OCSP request to guard against replay attacks. | enabled |

The following table describes Public-Key Infrastructure configuration on the Extreme Networks S- and K-Series devices. All set commands used to configure Public-Key Infrastructure can be entered in any command mode with admin privilege.

Configuring PKI

| Task | Command(s) |
|---|---|
| To add a PEM-formatted certificate to a certificate list. | `set pki certificate pki-cert-list [no-confirm]` |
| To globally enable or disable OCSP certificate revocation checking. | `set pki ocsp {enable \| disable}` |
| To specify a list of trusted CA certificates used to verify OCSP response signatures. | `set pki ocsp signature-ca-list pki-cert-list` |
| To enable or disable the inclusion of a nonce extension in the outgoing OCSP request that must be included in the corresponding response. | `set pki ocsp nonce {enable \| disable}` |
| To configure an alternate OCSP responder (OCSR) URL for the OCSR used to check revocation status. | `set pki ocsp responder url [preferred]` |
| To restrict the system to a single specified authorization credential which must be shared by all users. | `set pki authorization username username` |
| To configure a dynamically extracted username from the X.509 certificate subject field. | `set pki authorization username attribute attribute [prefix prefix] [match expression] [suffix suffix]` |

Refer to the S-, K-, and 7100 Series CLI Reference Guide for more information about each command.