| Feature | Product | Release introduced |
|---|---|---|
| Digital Certificate/PKI | 5320 Series | Fabric Engine 8.6 |
| | 5420 Series | VOSS 8.4 |
| | 5520 Series | VOSS 8.2.5 |
| Subject alternative name | 5320 Series | Fabric Engine 8.6 |
| | 5420 Series | VOSS 8.4 |
| | 5520 Series | VOSS 8.2.5 |
| Certificate fingerprint validation | 5320 Series | Fabric Engine 8.6 |
| | 5420 Series | VOSS 8.4 |
| | 5520 Series | VOSS 8.3 |
| Multiple CA Trustpoints and multiple Certificate Identities | 5320 Series | Fabric Engine 8.6 |
| | 5420 Series | VOSS 8.5 |
| | 5520 Series | VOSS 8.3.100 |
This section provides information on the digital certificate framework and offline certificate management.
A digital certificate is an electronic document that identifies the subject, proves the ownership of a public key, and is digitally signed by a certificate authority (CA) that certifies the validity of the information in the certificate. A digital certificate is valid for a specific time period.
The switch uses Public Key Infrastructure (PKI) support to obtain and use digital certificates for secure communication in the network.
To be certified, a switch performs the following tasks:

- Generate a certificate signing request.
- Verify that a present certificate has not been revoked.
- Validate the certificate.
- Renew the certificate before it expires.
- Remove the certificate, if required.
An administrator configures the subject parameters, such as common name, organization name, organization unit, locality, state, country, and subject name for requesting the identity certificate.
You can configure up to 10 distinguished subject names.
A subject alternative name associates host name values, such as an e-mail address, an IP address, or a fully qualified domain name (FQDN), with a security certificate. You can protect these additional host names with a single certificate.
A password is required for Simple Certificate Enrollment Protocol (SCEP) operations, such as the enrollment and renewal of identity certificates. This password is given offline by the CA during end entity registration. The administrator provides this password during enroll and renew operations.
There are different types of CAs such as EJBCA, Win2012, and others. The usePost parameter enables you to choose the style of HTTP request. The value for the usePost parameter can be True or False.
For example, if Win2012 SCEP does not support the POST mode of HTTP request, configure the usePost as False for Win2012 and configure usePost as True for EJBCA.
The Root CA certificate obtained offline from a CA must be installed for SCEP operations. This Root CA certificate is transferred to the device during the certificate installation. If the offline Root CA certificate is not installed, SCEP operations cannot be performed and error messages are logged.
The supported key type is RSA with a key size of 2048 bits. There can be only one active key-pair associated with the trustpoint CA and digital certificate. A new key-pair cannot be generated if a key-pair is already associated with the active digital certificate; the system logs an error message if such key generation is attempted. In that case, the certificate must be revoked before a new key-pair is generated.
Use trustpoints to manage and track CAs and certificates. A trustpoint is a representation of a CA or of an identity pair. A trustpoint contains the identity of the CA, CA-specific configuration parameters, and an association with one generated key. The switch can enroll with a trustpoint to obtain an identity certificate. Trustpoint is configured after the RSA key pair is generated and the CA identity and other configuration parameters are available. You can configure up to eight CA trustpoints by providing the CA name.
You can configure a SHA-256 fingerprint to authenticate a received CA certificate that matches the configured common name. The switch first checks for an installed, offline root certificate and validates against it. If no root certificate is present, the switch checks the SHA-256 fingerprint in the received CA certificate. The SHA-256 fingerprint does not authenticate the root certificate.
Certificate enrollment involves generating a certificate signing request (CSR). Before certificate enrollment, the trustpoint CA must be configured and the user configuration parameters should be available. The key usage extension parameter is a required input; it indicates the purpose of the key contained in the certificate, for example whether the key can be used for encipherment, digital signature, certificate signing, and so on.
The certificate enrollment is not allowed if there is an active certificate already available. If new certificate enrollment is required, the existing active certificate must be revoked first. The system logs the enrollment success or failure responses.
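The enrollment inputs described above (subject distinguished name, subject alternative names, a 2048-bit RSA key pair and a key usage extension) assembled into a PKCS#10 CSR, as an added Go example using only the standard library. It is not code from the switch or its documentation; every subject value, the e-mail and IP address, and the chosen key usage bits (digitalSignature and keyEncipherment) are placeholder assumptions constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"fmt"
	"net"
)

// Constructed subject parameters; placeholders, not a real deployment.
const (
	subjCN = "switch1.example.com"
	subjO  = "Example Corp"
	subjOU = "Network Ops"
	subjL  = "Raleigh"
	subjST = "NC"
	subjC  = "US"
)

// keyUsageExtension hand-encodes an X.509 KeyUsage extension (OID 2.5.29.15)
// asserting digitalSignature (bit 0) and keyEncipherment (bit 2).
func keyUsageExtension() (pkix.Extension, error) {
	// DER BIT STRING with bits 0 and 2 set: 0b10100000, 3 significant bits.
	val, err := asn1.Marshal(asn1.BitString{Bytes: []byte{0xA0}, BitLength: 3})
	if err != nil {
		return pkix.Extension{}, err
	}
	return pkix.Extension{Id: asn1.ObjectIdentifier{2, 5, 29, 15}, Critical: true, Value: val}, nil
}

// BuildCSR generates a 2048-bit RSA key pair and a CSR carrying the subject DN,
// the subject alternative names and the key usage extension. It returns the
// PEM-encoded request and the parsed, signature-checked request.
func BuildCSR() ([]byte, *x509.CertificateRequest, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	ku, err := keyUsageExtension()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject: pkix.Name{
			CommonName:         subjCN,
			Organization:       []string{subjO},
			OrganizationalUnit: []string{subjOU},
			Locality:           []string{subjL},
			Province:           []string{subjST},
			Country:            []string{subjC},
		},
		// Subject alternative names: FQDN, e-mail and IP address under one certificate.
		DNSNames:        []string{subjCN},
		EmailAddresses:  []string{"netops@example.com"},
		IPAddresses:     []net.IP{net.ParseIP("192.0.2.10")},
		ExtraExtensions: []pkix.Extension{ku},
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, nil, err
	}
	// The CSR signature is the proof of possession of the private key; a CA checks it too.
	if err := csr.CheckSignature(); err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), csr, nil
}

// HasKeyUsage reports whether the parsed CSR carries the KeyUsage extension.
func HasKeyUsage(csr *x509.CertificateRequest) bool {
	for _, e := range csr.Extensions {
		if e.Id.Equal(asn1.ObjectIdentifier{2, 5, 29, 15}) {
			return true
		}
	}
	return false
}

func main() {
	csrPEM, csr, err := BuildCSR()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s", csrPEM)
	fmt.Println("CN:", csr.Subject.CommonName, "SANs:", csr.DNSNames, csr.EmailAddresses, csr.IPAddresses)
}
```

The PEM output is what an administrator would hand to the CA (or, for offline management, carry out of band); the parsed request is returned so the fields can be inspected before submission.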
The administrator must renew the certificate before it expires. A trap is configured for a pre-defined period before the expiry date of the certificate, and the system logs the certificate renewal due warning message. A certificate renewal request is not performed if an active certificate is not available. The system replaces the existing certificate with the newly obtained certificate on successful renewal. The system logs the renewal success or failure responses.
The certificate can be revoked or withdrawn from the specific device for a specific reason at any time. A certificate revocation request is not performed if an active certificate is not available. The system releases the existing certificate on successful revocation. The system logs the revocation success or failure responses.
During boot up, the system checks whether an active installed certificate is available. If a valid certificate is not available, the system logs the warning message.
Offline certificate management supports switches that cannot communicate with the Certificate Authority to obtain identity certificates online through the certificate enrollment operation.
The certificate signing request (CSR) is used to obtain the offline identity certificate. Configure the subject and RSA key-pair to obtain the offline identity certificate. You can generate and store up to 10 RSA keys identified by the key name label. To obtain multiple offline certificates, you must specify a distinguished subject-name and key-name.
You must install the Root CA certificate and all the intermediate CA certificates of the certificate chain in the device before installing the offline identity or device certificate. All the intermediate and Root CA certificates are stored in the certificate store and are used for CA certificate chain validation. The CA certificate chain validation is performed starting from the issuing CA certificate to the Root CA certificate during the installation of offline identity certificate. The offline identity certificate is installed only if the CA certificate chain validation, subject, and key match.
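The trust checks described on this page, brought together in one added Go example: the SHA-256 fingerprint authentication of a received CA certificate (where an installed offline root certificate takes precedence and the fingerprint never authenticates the root itself), the CA chain validation from issuing CA to Root CA that runs before an offline identity certificate is installed, and the expiry window that drives the renewal-due warning. This is not the switch's code; the certificates, names, serial numbers and lifetimes are constructed in-memory test data, and the fingerprint comparison (SHA-256 over the DER encoding, tolerant of colons and case in the operator-entered value) is an assumption about the display format.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// must panics on error; acceptable here because it only builds constructed test data.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mustCert issues a certificate for cn signed by parent (self-signed when parent is nil).
func mustCert(cn string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey,
	lifetime time.Duration) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // test-only serial
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(lifetime),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// Fingerprint is the SHA-256 digest of the certificate's DER encoding as lowercase hex.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// AuthenticateCA mirrors the switch's order of checks: an installed offline root takes precedence
// and the received CA certificate must chain to it; only without a root is the fingerprint compared.
func AuthenticateCA(received, offlineRoot *x509.Certificate, configuredFP string) error {
	if offlineRoot != nil {
		roots := x509.NewCertPool()
		roots.AddCert(offlineRoot)
		_, err := received.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
		return err
	}
	norm := func(s string) string { return strings.ToLower(strings.NewReplacer(":", "", " ", "").Replace(s)) }
	if norm(Fingerprint(received)) != norm(configuredFP) {
		return fmt.Errorf("fingerprint mismatch for CA %q", received.Subject.CommonName)
	}
	return nil
}

// ValidateChain: the identity must chain through the installed intermediates to an installed root CA.
func ValidateChain(identity *x509.Certificate, intermediates, roots []*x509.Certificate) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	for _, i := range intermediates {
		interPool.AddCert(i)
	}
	_, err := identity.Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: interPool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// RenewalDue reports whether the certificate expires inside the warning window, the condition
// under which the switch raises its renewal-due trap and log message.
func RenewalDue(c *x509.Certificate, window time.Duration, now time.Time) bool {
	return now.Add(window).After(c.NotAfter)
}

// BuildChain constructs root -> issuing CA -> identity; the identity is deliberately short-lived.
func BuildChain() (root, inter, identity *x509.Certificate) {
	root, rootKey := mustCert("Example Root CA", true, nil, nil, 10*365*24*time.Hour)
	inter, interKey := mustCert("Example Issuing CA", true, root, rootKey, 5*365*24*time.Hour)
	identity, _ = mustCert("switch1.example.com", false, inter, interKey, 20*24*time.Hour)
	return root, inter, identity
}

func main() {
	root, inter, id := BuildChain()
	fmt.Println("root fingerprint:", Fingerprint(root))
	fmt.Println("chain valid:", ValidateChain(id, []*x509.Certificate{inter}, []*x509.Certificate{root}) == nil)
	fmt.Println("renewal due within 30 days:", RenewalDue(id, 30*24*time.Hour, time.Now()))
}
```

Removing the intermediate from the pool makes ValidateChain fail, which is the practical reason the page insists that every intermediate CA certificate be installed before the identity certificate: the switch cannot fetch missing links of the chain on its own.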
No digital certificate configuration is visible if you use the show running-config command. Instead, use the commands appropriate for displaying digital certificate information. For more information, see View the Certificate Details.