Overview
S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m
RSA Key Pairs and Identity Certificates
You can generate one or more RSA key pairs and associate each RSA key pair with a trusted CA where
the MDS switch intends to enroll to obtain an identity certificate. The MDS switch needs only one
identity per CA, which consists of one key pair and one identity certificate per CA.
Peer Certificate Verification
The peer certificate verification process involves the following steps:
•
•
•
CRLs and OCSP Support
Two methods are supported for verifying that the peer certificate has not been revoked: certificate
revocation list (CRL) and Online Certificate Status Protocol (OCSP). The switch uses one or both of
these methods to verify that the peer certificate has not been revoked.
CRLs are maintained by CAs to give information of prematurely revoked certificates, and the CRLs are
published in a repository.
Cisco MDS SAN-OS allows the manual configuration of pre-downloaded CRLs for the trusted CAs, and
then caches them in the switch bootflash (cert-store). During the verification of a peer certificate by
IPsec or SSH, the issuing CA's CRL is consulted only if the CRL has already been cached locally and
the revocation checking is configured to use CRL. Otherwise, CRL checking is not performed and the
certificate is considered to be not revoked if no other revocation checking methods are configured.
OCSP facilitates online certificate revocation checking. You can specify an OCSP URL for each trusted
CA.
Import and Export Support for Certificates and Associated Key Pairs
As part of the CA authentication and enrollment process, the CA certificate (or the entire chain in the
case of a subordinate CA) and the identity certificates can be imported in standard PEM (base64) format.
The complete identity information in a trust point can be exported to a file in the password-protected
PKCS#12 standard format. The information in a PKCS#12 file consists of the RSA key pair, the identity
certificate, and the CA certificate (or chain).
PKI Enrollment Support
The PKI enrollment process for a switch involves the following steps:
1.
1.
2.
3.
Cisco MDS 9000 Family Troubleshooting Guide, Release 3.x
24-2
Verifies that the peer certificate is issued by one of the locally trusted CAs.
Verifies that the peer certificate is valid (not expired) with respect to current time.
Verifies that the peer certificate is not yet revoked by the issuing CA.
Create a trust point and authenticate the CA to it.
Generate an RSA private and public key pair on the switch.
Associate the RSA key pair to the trust point.
Generate a certificate request in standard format and forward it to the CA.
Chapter 24
Troubleshooting Digital Certificates
OL-9285-05