CRL Downloading, Caching, and Checking Support; OCSP Support; Import and Export Support for Certificates and Associated Key Pairs; Configuring CAs and Digital Certificates - HP Cisco MDS 9020 - Fabric Switch Configuration Manual

Cisco MDS 9000 Family CLI Configuration Guide, Release 3.x (OL-16184-01, April 2008)
Chapter 34
Configuring Certificate Authorities and Digital Certificates
Send documentation comments to mds-feedback-doc@cisco.com
For revocation checking, two methods are supported: certificate revocation list (CRL) and Online
Certificate Status Protocol (OCSP). A trust point uses one or both of these methods to verify that the
peer certificate has not been revoked.

CRL Downloading, Caching, and Checking Support

Certificate revocation lists (CRLs) are maintained by CAs to provide information about prematurely revoked
certificates, and the CRLs are published in a repository. The download URL is made public and is also
specified in all issued certificates. A client verifying a peer's certificate should obtain the latest CRL
from the issuing CA and use it to determine whether the certificate has been revoked. A client can cache the
CRLs of some or all of its trusted CAs locally and use them later if necessary, until the CRLs expire.

Cisco MDS SAN-OS allows the manual configuration of pre-downloaded CRLs for the trust points,
and then caches them in the switch bootflash (cert-store). During the verification of a peer certificate by
IPsec or SSH, the issuing CA's CRL is consulted only if the CRL has already been cached locally and
revocation checking is configured to use CRL. Otherwise, CRL checking is not performed and the
certificate is considered not revoked if no other revocation checking methods are configured. This
mode of CRL checking is called CRL optional.

OCSP Support

Online Certificate Status Protocol (OCSP) facilitates online certificate revocation checking. You can
specify an OCSP URL for each trust point. Applications choose the revocation checking mechanisms in
a specified order. The choices are CRL, OCSP, none, or a combination of these methods.
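As an added illustration (not code from the Cisco guide), the following Python model walks through the ordered revocation check described in the two sections above: a cached CRL that is missing or expired is skipped (CRL optional), an OCSP responder is asked next, and when no configured method can answer the certificate is treated as not revoked. The method names, the `CachedCRL`/`TrustPoint` classes, the responder callback standing in for the configured OCSP URL, and the reading of `none` as "accept" are all assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional, Set, Tuple

# Constructed model of the checking order described on this page (not Cisco code).

@dataclass
class CachedCRL:
    issuer: str
    revoked_serials: Set[int]
    next_update: datetime          # the cached CRL is stale after this time

@dataclass
class TrustPoint:
    methods: List[str]             # tried in the configured order
    crl: Optional[CachedCRL] = None
    ocsp: Optional[Callable[[str, int], str]] = None   # good / revoked / unknown

def check_revocation(tp: TrustPoint, issuer: str, serial: int,
                     now: datetime) -> Tuple[str, str]:
    """Try each configured method in order; the first definite answer wins."""
    for method in tp.methods:
        if method == "none":
            return "not-revoked", "checking disabled by 'none'"
        if method == "crl":
            crl = tp.crl
            if crl is None or crl.issuer != issuer or crl.next_update <= now:
                continue           # no usable cached CRL: CRL optional, fall through
            hit = serial in crl.revoked_serials
            return ("revoked" if hit else "not-revoked"), "cached CRL consulted"
        if method == "ocsp" and tp.ocsp is not None:
            answer = tp.ocsp(issuer, serial)      # "unknown" also when unreachable
            if answer in ("good", "revoked"):
                return ("revoked" if answer == "revoked" else "not-revoked"), "OCSP"
    # Every method fell through: per the guide the certificate is then treated
    # as not revoked. This fail-open outcome is the one to monitor for.
    return "not-revoked", "no method produced an answer (fail open)"

def demo() -> dict:
    ca, now = "CN=Example CA", datetime(2008, 4, 1, tzinfo=timezone.utc)
    fresh = CachedCRL(ca, {0x1001}, now + timedelta(days=7))     # constructed sample
    stale = CachedCRL(ca, {0x1001}, now - timedelta(days=1))     # already expired
    ocsp = lambda issuer, serial: "revoked" if serial == 0x1002 else "good"
    return {
        "crl_hit": check_revocation(TrustPoint(["crl"], fresh), ca, 0x1001, now)[0],
        "crl_miss": check_revocation(TrustPoint(["crl"], fresh), ca, 0x1002, now)[0],
        "stale_to_ocsp": check_revocation(TrustPoint(["crl", "ocsp"], stale, ocsp), ca, 0x1002, now),
        "fail_open": check_revocation(TrustPoint(["crl", "ocsp"], stale), ca, 0x1001, now),
        "none": check_revocation(TrustPoint(["crl", "none"], stale), ca, 0x1001, now)[0],
    }
```

The `fail_open` scenario is the case to watch in practice: a revoked certificate passes because the only cached CRL has expired and no OCSP responder is configured.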

Import and Export Support for Certificates and Associated Key Pairs

As part of the CA authentication and enrollment process, the subordinate CA certificate (or certificate
chain) and identity certificates can be imported in standard PEM (base64) format.
The complete identity information in a trust point can be exported to a file in the password-protected
PKCS#12 standard format. It can be later imported to the same switch (for example, after a system crash)
or to a replacement switch. The information in a PKCS#12 file consists of the RSA key-pair, the identity
certificate, and the CA certificate (or chain).

• Verifies that the peer certificate is valid (not expired) with respect to the current time.
• Verifies that the peer certificate is not yet revoked by the issuing CA.

Configuring CAs and Digital Certificates

This section describes the tasks you must perform to allow CAs, digital certificates, and your Cisco MDS
switch to interoperate. This section includes the following sections:
• Configuring the Host Name and IP Domain Name, page 34-6
• Generating an RSA Key-Pair, page 34-6
• Creating a Trust Point CA Association, page 34-8
• Authenticating the CA, page 34-8
• Configuring Certificate Revocation Checking Methods, page 34-9
