Digital Certificate/PKI

Table 1. Digital Certificate/PKI product support

| Feature | Product | Release introduced |
|---|---|---|
| Digital Certificate/PKI | 5320 Series | Fabric Engine 8.6 |
| | 5420 Series | VOSS 8.4 |
| | 5520 Series | VOSS 8.2.5 |
| Subject alternative name | 5320 Series | Fabric Engine 8.6 |
| | 5420 Series | VOSS 8.4 |
| | 5520 Series | VOSS 8.2.5 |
| Certificate fingerprint validation | 5320 Series | Fabric Engine 8.6 |
| | 5420 Series | VOSS 8.4 |
| | 5520 Series | VOSS 8.3 |
| Multiple CA Trustpoints and multiple Certificate Identities | 5320 Series | Fabric Engine 8.6 |
| | 5420 Series | VOSS 8.5 |
| | 5520 Series | VOSS 8.3.100 |

This section provides information on the digital certificate framework and offline certificate management.

A digital certificate is an electronic document that identifies the subject, proves the ownership of a public key, and is digitally signed by a certificate authority (CA) that certifies the validity of the information in the certificate. A digital certificate is valid for a specific time period.

The switch uses Public Key Infrastructure (PKI) support to obtain and use digital certificates for secure communication in the network.

To be certified, a switch performs the following tasks:

Subject

An administrator configures the subject parameters, such as common name, organization name, organization unit, locality, state, country, and subject name for requesting the identity certificate.

Subject Name

You can configure up to 10 distinguished subject names.

Subject Alternative Name

A subject alternative name associates host name values, such as an e-mail address, an IP address, or a fully qualified domain name (FQDN), with a security certificate. You can protect these additional host names with a single certificate.

Challenge Password

A password is required for Simple Certificate Enrollment Protocol (SCEP) operations, such as the enrollment and renewal of identity certificates. This password is given offline by the CA during end entity registration. The administrator provides this password during enroll and renew operations.

UsePost

There are different types of CAs such as EJBCA, Win2012, and others. The usePost parameter enables you to choose the style of HTTP request. The value for the usePost parameter can be True or False.

For example, if Win2012 SCEP does not support the POST mode of HTTP request, configure usePost as False for Win2012 and as True for EJBCA.

Root CA Certificate

The Root CA certificate obtained offline from a CA must be installed for SCEP operations. This Root CA certificate is transferred to the device during the certificate installation. If the offline Root CA certificate is not installed, SCEP operations cannot be performed and the system logs error messages.

Key Generation

The supported key type is RSA with a key size of 2048 bits. There can be only one active key-pair associated with the trustpoint CA and digital certificate. A new key-pair cannot be generated if a key-pair is already associated with the active digital certificate. The system logs an error message if such a key generation is attempted. In that case, the certificate must be revoked before a new key-pair is generated.

Trustpoint CA

Use trustpoints to manage and track CAs and certificates. A trustpoint is a representation of a CA or of an identity pair. A trustpoint contains the identity of the CA, CA-specific configuration parameters, and an association with one generated key. The switch can enroll with a trustpoint to obtain an identity certificate. A trustpoint is configured after the RSA key pair is generated and the CA identity and other configuration parameters are available. You can configure up to eight CA trustpoints by providing the CA name.

You can configure a SHA-256 fingerprint to authenticate a received CA certificate that matches the configured common name. The switch first checks for an installed, offline root certificate and validates against it. If no root certificate is present, the switch checks the SHA-256 fingerprint in the received CA certificate. The SHA-256 fingerprint does not authenticate the root certificate.
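The fingerprint comparison described above, as an added Python example that is not the switch's own code. It assumes the conventional definition of a certificate fingerprint (SHA-256 over the certificate's DER encoding) and covers only the fingerprint path, not validation against an installed root; the function names and sample bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_cert: str) -> bytes:
    """Strip the PEM armor and return the DER bytes it carries."""
    match = PEM_RE.search(pem_cert)
    if match is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def normalize_fingerprint(text: str) -> bytes:
    """Accept 'AB:CD:..', 'ab cd ..' or bare hex; return the 32 digest bytes."""
    hex_digits = re.sub(r"[\s:]", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]{64}", hex_digits):
        raise ValueError("a SHA-256 fingerprint is exactly 64 hex digits")
    return bytes.fromhex(hex_digits)


def ca_cert_matches(pem_cert: str, configured_fingerprint: str) -> bool:
    """True only if SHA-256(DER) equals the configured fingerprint."""
    expected = normalize_fingerprint(configured_fingerprint)
    actual = hashlib.sha256(pem_to_der(pem_cert)).digest()
    return hmac.compare_digest(actual, expected)  # constant-time compare


def to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armor (used here to build the sample input)."""
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


# Constructed sample: stand-in bytes, not a real certificate. The hash is taken
# over the raw DER bytes, so the check is identical for a real CA certificate.
SAMPLE_DER = b"constructed stand-in for the DER bytes of a CA certificate"
SAMPLE_PEM = to_pem(SAMPLE_DER)
PINNED = ":".join(f"{b:02X}" for b in hashlib.sha256(SAMPLE_DER).digest())

if __name__ == "__main__":
    print("configured fingerprint:", PINNED)
    print("received CA certificate accepted:", ca_cert_matches(SAMPLE_PEM, PINNED))
    altered = to_pem(SAMPLE_DER + b"\x00")
    print("altered CA certificate accepted:", ca_cert_matches(altered, PINNED))
```

Obtain the fingerprint to configure from the CA over a separate trusted channel; a fingerprint computed from the certificate that arrived over the network confirms nothing.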

Certificate Enrollment

Certificate enrollment involves generating a certificate signing request (CSR). Before certificate enrollment, the trustpoint CA must be configured and the user configuration parameters should be available. The key usage extension parameter is required as an input; it indicates the purpose of the key contained in the certificate, for example, whether the key can be used for encipherment, digital signature, certificate signing, and so on.

Certificate enrollment is not allowed if an active certificate is already available. If a new certificate enrollment is required, the existing active certificate must be revoked first. The system logs the enrollment success or failure responses.

Certificate Renewal

The administrator must renew the certificate before it expires. A trap is configured for a pre-defined period before the expiry date of the certificate, and the system logs a warning message that certificate renewal is due. A certificate renewal request is not performed if an active certificate is not available. On successful renewal, the system replaces the existing certificate with the newly obtained certificate. The system logs the renewal success or failure responses.

Certificate Revocation or Removal

The certificate can be revoked or withdrawn from the specific device for a specific reason at any time. A certificate revocation request is not performed if an active certificate is not available. The system releases the existing certificate on successful revocation. The system logs the revocation success or failure responses.

During boot up, the system checks whether an active installed certificate is available. If a valid certificate is not available, the system logs a warning message.

Offline Certificate Management

Offline certificate management supports switches that cannot communicate with the Certificate Authority to obtain an identity certificate or certificates online through the certificate enrollment operation.

The certificate signing request (CSR) is used to obtain the offline identity certificate. Configure the subject and RSA key-pair to obtain the offline identity certificate. You can generate and store up to 10 RSA keys, each identified by a key name label. To obtain multiple offline certificates, you must specify a distinguished subject-name and key-name.

You must install the Root CA certificate and all the intermediate CA certificates of the certificate chain in the device before installing the offline identity or device certificate. All the intermediate and Root CA certificates are stored in the certificate store and are used for CA certificate chain validation. During installation of the offline identity certificate, CA certificate chain validation is performed starting from the issuing CA certificate and ending at the Root CA certificate. The offline identity certificate is installed only if CA certificate chain validation succeeds and the subject and key match.

Storage

No digital certificate configuration is visible if you use the show running-config command. Instead, use the commands appropriate for displaying digital certificate information. For more information, see View the Certificate Details.