This section provides default Public-Key Infrastructure values and a procedure for configuring a Public-Key Infrastructure system.
Parameter | Description | Default Value |
---|---|---|
OCSP certificate revocation checking | Specifies whether Certificate Authority (CA) revocation checking is enabled or disabled. | enabled |
Outgoing OCSP request nonce extension inclusion | Specifies whether the nonce extension is included in the outgoing OCSP request to guard against replay attacks. | enabled |
The following table describes Public-Key Infrastructure configuration on the Extreme Networks S- and K-Series devices. All set commands used to configure Public-Key Infrastructure can be entered in any command mode with admin privilege.
Task | Command(s) |
---|---|
To add a PEM-formatted certificate to a certificate list. | set pki certificate pki-cert-list [no-confirm] |
To globally enable or disable OCSP certificate revocation checking. | set pki ocsp {enable | disable} |
To specify a list of trusted CA certificates used to verify OCSP response signatures. | set pki ocsp signature-ca-list pki-cert-list |
To enable or disable the inclusion of a nonce extension in the outgoing OCSP request that must be included in the corresponding response. | set pki ocsp nonce {enable | disable} |
To configure an alternate OCSP responder (OCSR) URL for the OCSR used to check revocation status. | set pki ocsp responder url [preferred] |
To restrict the system to a single specified authorization credential which must be shared by all users. | set pki authorization username username |
To configure a dynamically extracted username from the X.509 certificate subject field. | set pki authorization username attribute attribute [prefix prefix] [match expression] [suffix suffix] |
Refer to the S-, K-, and 7100 Series CLI Reference Guide for more information about each command.
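The nonce setting above requires the OCSP response to carry the same nonce the request sent. The following added example (not Extreme Networks code) shows that check from the client side using the Python `cryptography` package; the CA, the user certificate, and all function names are constructed for illustration, and response signature verification is left out.

```python
import datetime as dt
import hmac
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(cn, key, issuer_cn, issuer_key, is_ca):
    now = dt.datetime.now(dt.timezone.utc)
    return (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(_name(issuer_cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + dt.timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

# Constructed test CA and user certificate; nothing here comes from a real device.
CA_KEY = ec.generate_private_key(ec.SECP256R1())
CA = make_cert("Constructed Test CA", CA_KEY, "Constructed Test CA", CA_KEY, True)
LEAF = make_cert("constructed-user", ec.generate_private_key(ec.SECP256R1()),
                 "Constructed Test CA", CA_KEY, False)

def build_request(nonce):
    # Client side: OCSP request for LEAF that carries the nonce extension.
    return (ocsp.OCSPRequestBuilder().add_certificate(LEAF, CA, hashes.SHA256())
            .add_extension(x509.OCSPNonce(nonce), critical=False).build())

def build_response(nonce):
    # Responder side: signed "good" response; nonce=None omits the extension.
    now = dt.datetime.now(dt.timezone.utc)
    builder = (ocsp.OCSPResponseBuilder()
               .add_response(cert=LEAF, issuer=CA, algorithm=hashes.SHA256(),
                             cert_status=ocsp.OCSPCertStatus.GOOD, this_update=now,
                             next_update=now + dt.timedelta(hours=1),
                             revocation_time=None, revocation_reason=None)
               .responder_id(ocsp.OCSPResponderEncoding.HASH, CA))
    if nonce is not None:
        builder = builder.add_extension(x509.OCSPNonce(nonce), critical=False)
    return builder.sign(CA_KEY, hashes.SHA256())

def nonce_matches(request, response):
    # True only if the response echoes the nonce sent in this request.
    sent = request.extensions.get_extension_for_class(x509.OCSPNonce).value.nonce
    try:
        got = response.extensions.get_extension_for_class(x509.OCSPNonce).value.nonce
    except x509.ExtensionNotFound:
        return False
    return hmac.compare_digest(sent, got)
```

A validly signed response captured for an earlier request fails this check because its nonce differs, and a response without the extension fails as well.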