For configuration details, see VOSS User Guide.

| Feature | Product | Release introduced |
|---|---|---|
| Digital Certificate/PKI (Note: VOSS Releases 6.0 and 6.0.1 do not support this feature.) | 5520 Series | VOSS 8.2.5 |
| | VSP 4450 Series | VOSS 5.1.2 |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7200 Series | VOSS 5.1.2 |
| | VSP 7400 Series | VOSS 8.0 |
| | VSP 8200 Series | VOSS 5.1.2 |
| | VSP 8400 Series | VOSS 5.1.2 |
| | VSP 8600 Series | VSP 8600 6.1 |
| | XA1400 Series | VOSS 8.0.50 |
| Subject alternative name | 5520 Series | VOSS 8.2.5 |
| | VSP 4450 Series | VOSS 7.1.3 |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7200 Series | VOSS 7.1.3 |
| | VSP 7400 Series | VOSS 8.0.6 |
| | VSP 8200 Series | VOSS 7.1.3 |
| | VSP 8400 Series | VOSS 7.1.3 |
| | VSP 8600 Series | Not Supported |
| | XA1400 Series | VOSS 8.1 |
| Certificate fingerprint validation | 5520 Series | VOSS 8.3 |
| | VSP 4450 Series | VOSS 8.3 |
| | VSP 4900 Series | VOSS 8.3 |
| | VSP 7200 Series | VOSS 8.3 |
| | VSP 7400 Series | VOSS 8.3 |
| | VSP 8200 Series | VOSS 8.3 |
| | VSP 8400 Series | VOSS 8.3 |
| | VSP 8600 Series | Not Supported |
| | XA1400 Series | VOSS 8.3 |

This section provides information on the digital certificate framework and offline certificate management.
A digital certificate is an electronic document that identifies the subject, proves the ownership of a public key, and is digitally signed by a certificate authority (CA) that certifies the validity of the information in the certificate. A digital certificate is valid for a specific time period.
The switch uses Public Key Infrastructure (PKI) support to obtain and use digital certificates for secure communication in the network.
To be certified, a switch performs the following tasks:

- Generate a certificate signing request.
- Verify that a present certificate has not been revoked.
- Validate the certificate.
- Renew the certificate before it expires.
- Remove the certificate, if required.

An administrator configures the subject parameters such as common name, organization name, organization unit, locality, state, and country for requesting the identity certificate.
A subject alternative name associates additional identities, such as an email address, an IP address, or a fully qualified domain name (FQDN), with a certificate. You can protect these additional host names with a single certificate.
A password is required for Simple Certificate Enrollment Protocol (SCEP) operations such as the enrollment and renewal of identity certificates. The CA provides this password offline during end-entity registration, and the administrator supplies it during enrollment and renewal operations.
There are different types of CAs, such as EJBCA, Win2012, and others. The usePost parameter selects the style of HTTP request used for SCEP; its value can be True or False.
For example, if Win2012 SCEP does not support the POST mode of HTTP request, configure usePost as False for Win2012, and configure usePost as True for EJBCA.
The Root CA certificate obtained offline from a CA must be installed for SCEP operations. This Root CA certificate is transferred to the device during the certificate installation. If the offline Root CA certificate is not installed, the system does not allow any SCEP operations and logs error messages.
The supported key type is RSA with a key size of 2048 bits. There can be only one active key-pair associated with the trustpoint CA and digital certificate. The system does not allow generating a new key-pair if a key-pair is already associated with the active digital certificate, and logs an error message if such key generation is attempted. In that case, the certificate must be revoked before a new key-pair is generated.
Use trustpoints to manage and track CAs and certificates. A trustpoint is a representation of a CA or of an identity pair. A trustpoint contains the identity of the CA, CA-specific configuration parameters, and an association with one generated key. The switch can enroll with a trustpoint to obtain an identity certificate. A trustpoint is configured after the RSA key-pair is generated and the CA identity and other configuration parameters are available. The CA name used to configure a trustpoint must be unique.
You can configure a SHA-256 fingerprint to authenticate a received CA certificate that matches the configured common name. The switch first checks for an installed, offline root certificate and validates against it. If no root certificate is present, the switch checks the SHA-256 fingerprint in the received CA certificate. The SHA-256 fingerprint does not authenticate the root certificate.
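The fingerprint check described above, worked through as an added example; this is not Extreme Networks code and makes no claim about how VOSS implements it internally. It computes the SHA-256 fingerprint an administrator would configure (the digest of the CA certificate's DER encoding, as obtained out of band), extracts the subject common name with a small DER walker, and applies the documented rule: the received certificate must carry the trustpoint's common name and its fingerprint must equal the configured value, compared in constant time. The sample certificate is constructed inline with placeholder key and signature bytes, so it has the DER layout of an X.509 v3 CA certificate but is not cryptographically valid; the installed-root-certificate path (signature validation against a stored root) is outside this example.

```python
import hashlib
import hmac
import re

CN_OID = bytes.fromhex("550403")  # OID 2.5.4.3, commonName


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (short- or long-form length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def parse_tlvs(data: bytes):
    """Yield (tag, content) for consecutive DER TLVs; single-byte tags, as X.509 uses."""
    i = 0
    while i < len(data):
        tag, first = data[i], data[i + 1]
        if first < 0x80:
            n, i = first, i + 2
        else:
            k = first & 0x7F
            n, i = int.from_bytes(data[i + 2:i + 2 + k], "big"), i + 2 + k
        yield tag, data[i:i + n]
        i += n


def subject_common_name(cert_der: bytes) -> str:
    """Walk Certificate -> tbsCertificate -> subject and return its commonName."""
    [(_, cert)] = parse_tlvs(cert_der)                  # outer Certificate SEQUENCE
    (_, tbs), _sig_alg, _sig_value = parse_tlvs(cert)
    fields = list(parse_tlvs(tbs))
    if fields[0][0] == 0xA0:                             # optional explicit [0] version
        fields = fields[1:]
    _, subject = fields[4]   # serialNumber, signature, issuer, validity, subject, ...
    for _, rdn in parse_tlvs(subject):                   # Name ::= SEQUENCE OF SET
        for _, atv in parse_tlvs(rdn):                   # SET OF AttributeTypeAndValue
            (_, oid), (_, value) = parse_tlvs(atv)
            if oid == CN_OID:
                return value.decode("ascii")
    raise ValueError("subject has no commonName")


def sha256_fingerprint(cert_der: bytes) -> str:
    """Colon-separated upper-case SHA-256 digest of the DER encoding."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(text: str) -> str:
    """Accept 'AA:BB:...' or plain hex in either case; return 64 lower-case hex chars."""
    hexchars = re.sub(r"[^0-9a-fA-F]", "", text).lower()
    if len(hexchars) != 64:
        raise ValueError("a SHA-256 fingerprint is 32 bytes (64 hex characters)")
    return hexchars


def fingerprint_matches(cert_der: bytes, configured: str) -> bool:
    """Constant-time comparison so a mismatch does not leak which byte differed."""
    actual = hashlib.sha256(cert_der).hexdigest()
    return hmac.compare_digest(actual, normalize_fingerprint(configured))


def authenticate_ca_certificate(cert_der: bytes, trustpoint_cn: str, configured_fp: str):
    """Documented rule: the received CA certificate must carry the configured
    common name, and its SHA-256 fingerprint must equal the configured value."""
    cn = subject_common_name(cert_der)
    if cn != trustpoint_cn:
        return False, f"common name {cn!r} does not match trustpoint CA {trustpoint_cn!r}"
    if not fingerprint_matches(cert_der, configured_fp):
        return False, "SHA-256 fingerprint mismatch"
    return True, "CA certificate authenticated by fingerprint"


# Constructed sample: DER layout of an X.509 v3 CA certificate with placeholder
# key and signature bytes (not cryptographically valid; for this example only).
def _name(cn: str) -> bytes:
    atv = der(0x30, der(0x06, CN_OID) + der(0x13, cn.encode("ascii")))  # PrintableString
    return der(0x30, der(0x31, atv))


def build_sample_ca_certificate(cn: str = "Example Root CA") -> bytes:
    sha256_rsa = der(0x30, der(0x06, bytes.fromhex("2A864886F70D01010B")) + der(0x05, b""))
    rsa_enc = der(0x30, der(0x06, bytes.fromhex("2A864886F70D010101")) + der(0x05, b""))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"340101000000Z"))
    spki = der(0x30, rsa_enc + der(0x03, b"\x00" + b"\x11" * 270))       # placeholder key
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sha256_rsa
              + _name(cn) + validity + _name(cn) + spki)
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00" + b"\x22" * 256))  # placeholder signature


SAMPLE_CA_DER = build_sample_ca_certificate()

if __name__ == "__main__":
    fp = sha256_fingerprint(SAMPLE_CA_DER)
    print("configure this fingerprint on the switch:", fp)
    print(authenticate_ca_certificate(SAMPLE_CA_DER, "Example Root CA", fp))
```

The fingerprint covers the whole DER encoding, so any change to the received certificate, including a re-issued certificate with the same subject, produces a mismatch; that is why the page notes the fingerprint authenticates only the specific CA certificate it was computed from, not the root of the chain.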
Certificate enrollment involves generating a certificate signing request (CSR). Before certificate enrollment, the trustpoint CA must be configured and the user configuration parameters must be available. The key usage extension parameter is a required input; it indicates the purpose of the key contained in the certificate, such as encipherment, digital signature, or certificate signing.
The certificate enrollment is not allowed if there is an active certificate already available. If new certificate enrollment is required, the existing active certificate must be revoked first. The system logs the enrollment success or failure responses.
The administrator must renew the certificate before it expires. A trap is configured for a pre-defined period before the expiry date of the certificate, and the system logs the certificate renewal due warning message. The system does not allow a certificate renewal request if an active certificate is not available. The system replaces the existing certificate with the newly obtained certificate on successful renewal. The system logs the renewal success or failure responses.
The certificate can be revoked or withdrawn from the specific device for a specific reason at any time. The system does not allow a certificate revocation request if an active certificate is not available. The system releases the existing certificate on successful revocation. The system logs the revocation success or failure responses.
During boot-up, the system checks whether an active installed certificate is available. If a valid certificate is not available, the system logs a warning message.
Offline certificate management supports switches that cannot communicate with the Certificate Authority to obtain the identity certificate online through the certificate enrollment operation.
Configure the subject and RSA key-pair to obtain the offline identity certificate. The configured subject parameters and RSA key are used to generate the CSR. This CSR is used to obtain the offline identity certificate.
You must install the Root CA certificate and all the intermediate CA certificates of the certificate chain in the device before installing the offline identity or device certificate. All the intermediate and Root CA certificates are stored in the certificate store and are used for CA certificate chain validation. The CA certificate chain validation is performed starting from the issuing CA certificate to the Root CA certificate during the installation of offline identity certificate. The offline identity certificate is installed only if the CA certificate chain validation, subject, and key match.
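The chain check described in the preceding paragraphs, as an added example that is not Extreme Networks code: before an offline identity certificate is installed, the certificate store must already hold the issuing CA, every intermediate CA, and the Root CA, and the page states validation proceeds from the issuing CA upward and also requires the subject and key to match. The model below represents a stored CA certificate by its subject and issuer names only, identifies the key by an opaque key identifier, and walks issuer links from the issuing CA to a self-signed root, refusing the install when a link is missing or the links loop. Signature verification between chain members is assumed to happen elsewhere and is not modelled; the certificate names and key identifiers are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CaCert:
    """Minimal model of a CA certificate in the store: names only (an assumption of this example)."""
    subject: str
    issuer: str

    @property
    def is_root(self) -> bool:
        return self.subject == self.issuer  # self-signed Root CA


def build_chain(issuing_ca: str, store: dict) -> list:
    """Follow issuer links from the issuing CA up to a self-signed root.

    `store` maps subject name -> CaCert. Raises ValueError when a CA certificate
    is missing from the store (not installed) or when issuer links loop.
    """
    chain, seen, name = [], set(), issuing_ca
    while True:
        cert = store.get(name)
        if cert is None:
            raise ValueError(f"CA certificate {name!r} is not in the store; install it first")
        if name in seen:
            raise ValueError(f"issuer loop at {name!r}")
        seen.add(name)
        chain.append(cert)
        if cert.is_root:
            return chain
        name = cert.issuer


def check_offline_identity_install(identity_subject: str, identity_issuer: str,
                                   identity_key_id: str, configured_subject: str,
                                   configured_key_id: str, store: dict):
    """Pre-install checks in the documented order: CA chain, then subject, then key."""
    try:
        chain = build_chain(identity_issuer, store)
    except ValueError as err:
        return False, f"CA certificate chain validation failed: {err}"
    if identity_subject != configured_subject:
        return False, "certificate subject does not match the configured subject"
    if identity_key_id != configured_key_id:
        return False, "certificate public key does not match the generated RSA key-pair"
    return True, "chain: " + " -> ".join(c.subject for c in chain)


# Constructed sample store: a two-level hierarchy, and the same store missing its root.
ROOT = CaCert("Example Root CA", "Example Root CA")
ISSUING = CaCert("Example Issuing CA", "Example Root CA")
FULL_STORE = {c.subject: c for c in (ROOT, ISSUING)}
MISSING_ROOT = {ISSUING.subject: ISSUING}

if __name__ == "__main__":
    for store in (FULL_STORE, MISSING_ROOT):
        print(check_offline_identity_install("switch1.example.net", "Example Issuing CA", "key-A",
                                             "switch1.example.net", "key-A", store))
```

Running the block shows the install succeeding against the complete store and failing against the store without the Root CA, which is the situation the page warns about when intermediates or the root are installed after the identity certificate instead of before it.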
No digital certificate configuration is visible in the output of the `show running-config` command. Instead, use the commands specific to displaying digital certificate information. For more information, see View the Certificate Details.