Digital Certificate/PKI

Table 1. Digital Certificate/PKI product support

Feature

Product

Release introduced

For configuration details, see VOSS User Guide.

Digital Certificate/PKI

Note:

VOSS Releases 6.0 and 6.0.1 do not support this feature.

5520 Series

VOSS 8.2.5

VSP 4450 Series

VOSS 5.1.2

VSP 4900 Series

VOSS 8.1

VSP 7200 Series

VOSS 5.1.2

VSP 7400 Series

VOSS 8.0

VSP 8200 Series

VOSS 5.1.2

VSP 8400 Series

VOSS 5.1.2

VSP 8600 Series

VSP 8600 6.1

XA1400 Series

VOSS 8.0.50

Subject alternative name

5520 Series

VOSS 8.2.5

VSP 4450 Series

VOSS 7.1.3

VSP 4900 Series

VOSS 8.1

VSP 7200 Series

VOSS 7.1.3

VSP 7400 Series

VOSS 8.0.6

VSP 8200 Series

VOSS 7.1.3

VSP 8400 Series

VOSS 7.1.3

VSP 8600 Series

Not Supported

XA1400 Series

VOSS 8.1

Certificate fingerprint validation

5520 Series

VOSS 8.3

VSP 4450 Series

VOSS 8.3

VSP 4900 Series

VOSS 8.3

VSP 7200 Series

VOSS 8.3

VSP 7400 Series

VOSS 8.3

VSP 8200 Series

VOSS 8.3

VSP 8400 Series

VOSS 8.3

VSP 8600 Series

Not Supported

XA1400 Series

VOSS 8.3

This section provides information on the digital certificate framework and offline certificate management.

A digital certificate is an electronic document that identifies the subject, proves the ownership of a public key, and is digitally signed by a certificate authority (CA) that certifies the validity of the information in the certificate. A digital certificate is valid for a specific time period.

The switch uses Public Key Infrastructure (PKI) support to obtain and use digital certificates for secure communication in the network.

To be certified, a switch performs the following tasks:

Subject

An administrator configures the subject parameters such as common name, organization name, organization unit, locality, state, and country for requesting the identity certificate.

Subject Alternative Name

A subject alternative name associates host name values such as an email address, an IP address, or a Fully qualified domain name (FQDN) with a security certificate. You can protect these additional host names with a single certificate.

Challenge Password

A password is required for Simple Certificate Enrollment Protocol (SCEP) operations such as the enrollment and renewal of identity certificates. This password is given offline by the CA during end entity registration. The administrator provides this password during enroll and renew operations.

UsePost

There are different types of CAs such as EJBCA, Win2012, and others. The usePost parameter enables you to choose the style of HTTP request. The value for the usePost parameter can be True or False.

For example, if Win2012 SCEP does not support the POST mode of HTTP request, configure the usePost as False for Win2012 and configure usePost as True for EJBCA.

Root CA Certificate

The Root CA certificate obtained offline from a CA must be installed for SCEP operations. This Root CA certificate is transferred to the device during the certificate installation. The system does not allow any SCEP operations if the offline Root CA certificate is not installed and if error messages are logged.

Key Generation

The supported key type is RSA with RSA key of size 2048. There can be only one active key-pair associated with the trustpoint CA and digital certificate. The system does not allow generating a new key-pair if there is a key-pair already associated with the active digital certificate. The system logs the error message if such new key generation is attempted. In such a case, the certificate must be revoked before a new key-pair is generated.

Trustpoint CA

Use trustpoints to manage and track CAs and certificates. A trustpoint is a representation of a CA or of an identity pair. A trustpoint contains the identity of the CA, CA-specific configuration parameters, and an association with one generated key. The switch can enroll with a trustpoint to obtain an identity certificate. Trustpoint is configured after the RSA key pair is generated and the CA identity and other configuration parameters are available. The CA name to configure a trustpoint should be unique.

You can configure a SHA-256 fingerprint to authenticate a received CA certificate that matches the configured common name. The switch first checks for an installed, offline root certificate and validates against it. If no root certificate is present, the switch checks the SHA-256 fingerprint in the received CA certificate. The SHA-256 fingerprint does not authenticate the root certificate.

Certificate Enrollment

Certificate enrolment involves generating a certificate signing request (CSR). Before certificate enrollment, the trustpoint CA must be configured and the user configuration parameters should be available. The key usage extension parameter is required as an input; it indicates the purpose of the key contained in the certificate, that the key can be used for encipherment, digital signature, certificate signing and so on.

The certificate enrollment is not allowed if there is an active certificate already available. If new certificate enrollment is required, the existing active certificate must be revoked first. The system logs the enrollment success or failure responses.

Certificate Renewal

The administrator must renew the certificate before it expires. A trap is configured for a pre-defined period before the expiry date of the certificate, and the system logs the certificate renewal due warning message. The system does not allow a certificate renewal request if an active certificate is not available. The system replaces the existing certificate with the newly obtained certificate on successful renewal. The system logs the renewal success or failure responses.

Certificate Revocation or Removal

The certificate can be revoked or withdrawn from the specific device for a specific reason at any time. The system does not allow a certificate revocation request if an active certificate is not available. The system releases the existing certificate on successful revocation. The system logs the revocation success or failure responses.

During boot up, the system checks whether an active installed certificate is available. If a valid certificate is not available, the system logs the warning message.

Offline Certificate Management

Offline certificate management supports switches that cannot communicate with the Certificate Authority to obtain the identity certificate online by certificate enrollment operation.

Configure the subject and RSA key-pair to obtain the offline identity certificate. The configured subject parameters and RSA key are used to generate the CSR. This CSR is used to obtain the offline identity certificate.

You must install the Root CA certificate and all the intermediate CA certificates of the certificate chain in the device before installing the offline identity or device certificate. All the intermediate and Root CA certificates are stored in the certificate store and are used for CA certificate chain validation. The CA certificate chain validation is performed starting from the issuing CA certificate to the Root CA certificate during the installation of offline identity certificate. The offline identity certificate is installed only if the CA certificate chain validation, subject, and key match.

Storage

No digital certificate configuration is visible if you use the show running-config command. Instead, use the commands appropriate for displaying digital certificate information. For more information, see View the Certificate Details.