Cisco MDS 9000 Series Configuration Manual page 137

Security
Configuring Certificate Authorities and Digital Certificates
You can enroll your switch with multiple trust points, thereby obtaining a separate identity certificate from each trust point. The identity certificates are used by applications depending upon the purposes specified in the certificate by the issuing CA. The purpose of a certificate is stored in the certificate as certificate extensions.
• An MDS switch enrolls with the CA corresponding to the trust point to obtain an identity certificate.
• When enrolling with a trust point, you must specify an RSA key-pair to be certified. This key-pair must be generated and associated to the trust point before generating the enrollment request. The association between the trust point, key-pair, and identity certificate is valid until it is explicitly removed by deleting the certificate, key-pair, or trust point.
• The subject name in the identity certificate is the fully qualified domain name for the MDS switch.
• You can generate one or more RSA key-pairs on a switch and each can be associated to one or more trust points. But no more than one key-pair can be associated to a trust point, which means only one identity certificate is allowed from a CA.
• If multiple identity certificates (each from a distinct CA) have been obtained, the certificate that an application selects to use in a security protocol exchange with a peer is application specific.
• You do not need to designate one or more trust points for an application. Any application can use any certificate issued by any trust point as long as the certificate purpose satisfies the application requirements.
• You do not need more than one identity certificate from a trust point or more than one key-pair to be associated to a trust point. A CA certifies a given identity (name) only once and does not issue multiple certificates with the same subject name. If you need more than one identity certificate for a CA, then define another trust point for the same CA, associate another key-pair to it, and have it certified, provided the CA allows multiple certificates with the same subject name.
Multiple Trusted CA Support
An MDS switch can be configured to trust multiple CAs by configuring multiple trust points and associating each with a distinct CA. With multiple trusted CAs, you do not have to enroll a switch with the specific CA that issued a certificate to a peer. Instead, you configure the switch with multiple trusted CAs that the peer trusts. A switch can then use a configured trusted CA to verify certificates offered by a peer that were not issued by the same CA defined in the identity of the switch.
Configuring multiple trusted CAs allows two or more switches enrolled under different domains (different CAs) to verify the identity of each other when using IKE to set up IPsec tunnels.
PKI Enrollment Support
Enrollment is the process of obtaining an identity certificate for the switch that is used for applications such as IPsec/IKE or SSH. It occurs between the switch requesting the certificate and the certificate authority.
The PKI enrollment process for a switch involves the following steps:
1. Generate an RSA private and public key-pair on the switch.
2. Generate a certificate request in standard format and forward it to the CA.
3. Manual intervention at the CA server by the CA administrator may be required to approve the enrollment request when it is received by the CA.
4. Receive the issued certificate back from the CA, signed with the CA's private key.
5. Write the certificate into a nonvolatile storage area on the switch (bootflash).
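The enrollment steps and the multiple-trusted-CA verification described above, reproduced with OpenSSL as an added example (this is not the guide's own procedure or the MDS CLI). It assumes the openssl command is installed; the CA names and switch FQDNs are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): OpenSSL stand-in for the enrollment
# steps above, with two CAs so that the multiple-trusted-CA check can be shown.
# Switch FQDNs and CA names are constructed placeholders.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Step 1: generate the RSA key-pair that will be certified.
gen_key() { openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null; }

# A self-signed root stands in for each external CA (one per trust point).
make_ca() { # make_ca <ca-name>
  gen_key "$1"
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$1" -out "$WORK/$1.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 365 \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Steps 2-4: CSR whose subject is the switch FQDN, then the CA signs it and
# records the certificate purpose as an extendedKeyUsage extension.
enroll() { # enroll <switch-fqdn> <ca-name> <eku-list>
  gen_key "$1"
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$1" -out "$WORK/$1.csr" 2>/dev/null
  printf 'extendedKeyUsage=%s\nsubjectAltName=DNS:%s\n' "$3" "$1" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 365 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Multiple trusted CA support: a peer certificate verifies if ANY CA in the
# trusted set issued it, not only the CA that issued this switch's own identity.
verify_peer() { # verify_peer <peer-fqdn> <trusted-ca-name>...
  peer="$1"; shift
  for ca in "$@"; do cat "$WORK/$ca.crt"; done > "$WORK/trusted.pem"
  openssl verify -CAfile "$WORK/trusted.pem" "$WORK/$peer.crt" >/dev/null 2>&1
}

# Certificate purpose check: an application may only use a certificate whose
# extendedKeyUsage satisfies its requirement (e.g. TLS Web Server Authentication).
has_purpose() { # has_purpose <fqdn> <purpose-text-as-printed-by-openssl>
  openssl x509 -in "$WORK/$1.crt" -noout -text 2>/dev/null |
    grep -A1 'Extended Key Usage' | grep -q "$2"
}

make_ca ca-a; make_ca ca-b
enroll switch1.example.net ca-a serverAuth,clientAuth   # identity from trust point ca-a
enroll switch2.example.net ca-b clientAuth              # identity from trust point ca-b
```

With only ca-a trusted, switch2's certificate fails verification; adding ca-b to the trusted set makes it verify, which is the effect the Multiple Trusted CA Support section describes.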
Cisco MDS 9000 Series Security Configuration Guide, Release 8.x