Product Updates; Configure Reference Identifier - Cisco ASR 1000 Series Common Criteria Operational User Guidance And Preparative Procedures

4.7 Product Updates

Verification of authenticity of updated software is done in the same manner as ensuring that the
TOE is running a valid image. See Section 2, steps 7 and 9 above for the method to download
and verify an image prior to running it on the TOE.
4.8

Configure Reference Identifier

This section describes configuration of the peer reference identifier which is achieved through a
certificate map.
Certificate maps provide the ability for a certificate to be matched with a given set of criteria.
You can specify which fields within a certificate should be checked and which values those
fields may or may not have. There are six logical tests for comparing the field with the value:
equal, not equal, contains, does not contain, less than, and greater than or equal. ISAKMP and
ikev2 profiles can bind themselves to certificate maps, and the TOE will determine if they are
valid during IKE authentication.
Step1 (config)# crypto pki certificate map
label sequence-number
Step2 (ca-certificate-map)# field-name match-
criteria match-value
Starts certificate-map mode
In ca-certificate-map mode, you specify one or more
certificate fields together with their matching criteria and the
value to match.

field-name—Specifies one of the following case-
insensitive name strings or a date:
–subject-name
–issuer-name
–unstructured-subject-name
–alt-subject-name
–name
–valid-start
–expires-on
Note Date field format is dd mm yyyy hh:mm:ss or mm dd
yyyy hh:mm:ss.

match-criteria—Specifies one of the following
logical operators:
–eq—Equal (valid for name and date fields)
–ne—Not equal (valid for name and date fields)
–co—Contains (valid only for name fields)
–nc—Does not contain (valid only for name fields)
–lt —Less than (valid only for date fields)
–ge —Greater than or equal (valid only for date
fields)
Page 43 of 72