Digital Certificates for Fabric IPsec Gateway

Fabric IPsec Gateway supports digital certificates for IPsec authentication of Fabric Extend tunnels. To support different certificates for different IPsec tunnels, you can configure multiple certificate authority (CA) trustpoints and identity subject certificates.

If you are not familiar with digital certificates, see Digital Certificate/PKI for additional background information like digital certificate terminology.

Online Certificate Provisioning

The switch uses the Simple Certificate Enrollment Protocol (SCEP) for IPsec certificate enrollment: it obtains the CA certificate over SCEP and then validates that certificate against the certificate chain.

Note

Extreme validated the Fabric IPsec Gateway SCEP implementation with the EJBCA CA Server only. Unlike the digital certificate support in VOSS, Fabric IPsec Gateway SCEP cannot currently enroll with a Windows CA (Win CA).

Use trustpoints to manage and track CAs and certificates. The switch can enroll with a trustpoint to obtain an identity certificate. To configure the CA server trustpoint, you must configure the CA URL and the CA common name, and select the HTTP request type.

Configure the certificate subject parameters to provide the device distinguished name (DN) and key name for the generated key pair (the private key). If you do not configure a private key, the switch generates one. The switch validates the returned certificate against the trustpoint's CA certificate.

You can remove subject certificates from the CA trustpoint or clean the CA trustpoint only if the subject-label is not configured on an IPsec tunnel.

Offline Certificate Provisioning

Offline certificate management supports switches that cannot communicate with the CA and therefore cannot obtain an identity certificate through an online certificate enrollment operation.

The switch generates the certificate signing request (CSR) using the subject DN and the private key that you configure in the CLI. If you do not configure a private key, the switch generates one.

Transfer the CSR to the offline CA to be signed. Retrieve the signed certificate and install it on the switch, which validates it against the original CSR. You must manually transfer all certificates in the certificate chain to the switch. The signed certificate must include the subject-label so that the switch can map it to the locally generated CSR for validation.

You must manually download Certificate Revocation List (CRL) files. You can remove offline subject certificates only if the subject-label is not configured on an IPsec tunnel.
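The offline flow above has three parties: the switch that generates the key pair and CSR, the offline CA that signs it, and the switch again when it validates the returned certificate against the CSR and the manually transferred chain. The following added example (not Extreme's code and not the switch CLI) reproduces that flow with `openssl` on a workstation so the two validation steps are visible: the returned certificate must carry the same public key and subject DN as the CSR, and it must chain to the CA certificate. The host name, DNs and file names are constructed; the switch's subject-label mapping is approximated here by file names.

```bash
#!/usr/bin/env bash
# Added example (not Extreme's code): the offline provisioning flow reproduced
# with openssl on a workstation. Host names, DNs and file names are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
DN_GW="/C=US/O=Example Corp/CN=ipsec-gw-01.example.net"   # constructed subject DN

# Step 1 (switch side, simulated): generate the private key and a CSR carrying
# the subject DN. On the switch this is driven by the CLI subject configuration.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$DN_GW" \
    -keyout "$WORK/ipsec-gw.key" -out "$WORK/ipsec-gw.csr" 2>/dev/null
}

# Step 2 (offline CA side, simulated): a self-signed root signs the CSR.
# The root is constructed for the example; a real deployment uses the
# organisation's offline CA. "req -x509" marks the root as a CA by default.
make_ca_and_sign() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
    -subj "/C=US/O=Example Corp/CN=Example Offline CA" \
    -keyout "$WORK/offline-ca.key" -out "$WORK/offline-ca.crt" 2>/dev/null
  openssl x509 -req -in "$WORK/ipsec-gw.csr" -days 180 \
    -CA "$WORK/offline-ca.crt" -CAkey "$WORK/offline-ca.key" -CAcreateserial \
    -out "$WORK/ipsec-gw.crt" 2>/dev/null
}

# A certificate with the right subject DN but the WRONG key (for example one
# issued to a different CSR). Shows that matching the subject alone is not enough.
make_wrong_key_cert() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 180 -subj "$DN_GW" \
    -keyout "$WORK/other.key" -out "$WORK/wrong-key.crt" 2>/dev/null
}

# SHA-256 fingerprint of the DER-encoded public key taken from a CSR (req)
# or a certificate (x509).
pubkey_fp() {   # $1 = req|x509, $2 = file
  openssl "$1" -in "$2" -noout -pubkey \
    | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Step 3a (switch side, simulated): accept the returned certificate only if its
# public key and subject DN match the locally generated CSR.
validate_against_csr() {   # $1 = certificate file
  local csr="$WORK/ipsec-gw.csr"
  [ "$(pubkey_fp req "$csr")" = "$(pubkey_fp x509 "$1")" ] || return 1
  [ "$(openssl req -in "$csr" -noout -subject -nameopt RFC2253)" = \
    "$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)" ] || return 1
  return 0
}

# Step 3b: the certificate must also chain to the manually transferred CA
# certificate(s); $2 is the bundle of all chain certificates.
chain_verifies() {   # $1 = certificate file, $2 = CA bundle
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

main() {
  make_csr; make_ca_and_sign; make_wrong_key_cert
  validate_against_csr "$WORK/ipsec-gw.crt" \
    && chain_verifies "$WORK/ipsec-gw.crt" "$WORK/offline-ca.crt" \
    && echo "ipsec-gw.crt: matches the CSR and chains to the offline CA"
  validate_against_csr "$WORK/wrong-key.crt" \
    || echo "wrong-key.crt: rejected (public key differs from the CSR)"
}

main
```

Once the CRL files mentioned above have been downloaded, the same chain check can include revocation by adding `-crl_check -CRLfile <crl.pem>` to the `openssl verify` call; the switch performs the equivalent check with the CRLs you transfer to it.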