Configuring Certificate Authorities and Digital Certificates
Send documentation comments to mdsfeedback-doc@cisco.com
About CAs and Digital Certificates

The following list summarizes the relationship between trust points, RSA key-pairs, and identity certificates:

• A trust point corresponds to a specific CA that the MDS switch trusts for peer certificate verification for any application (such as IKE or SSH).
• An MDS switch can have many trust points, and all applications on the switch can trust a peer certificate issued by any of the trust point CAs.
• A trust point is not restricted to a specific application.
• An MDS switch enrolls with the CA corresponding to the trust point to obtain an identity certificate. You can enroll your switch with multiple trust points, thereby obtaining a separate identity certificate from each trust point. The identity certificates are used by applications depending on the purposes specified in the certificate by the issuing CA. The purpose of a certificate is stored in the certificate as certificate extensions.
• When enrolling with a trust point, you must specify an RSA key-pair to be certified. This key-pair must be generated and associated with the trust point before generating the enrollment request. The association between the trust point, key-pair, and identity certificate remains valid until it is explicitly removed by deleting the certificate, key-pair, or trust point.
• The subject name in the identity certificate is the fully qualified domain name of the MDS switch.
• You can generate one or more RSA key-pairs on a switch, and each can be associated with one or more trust points. But no more than one key-pair can be associated with a trust point, which means only one identity certificate is allowed per trust point.
• If multiple identity certificates (each from a distinct CA) have been obtained, the certificate that an application selects to use in a security protocol exchange with a peer is application specific (see the "IPsec Digital Certificate Support" section on page 35-7 and the "SSH Authentication Using Digital Certificates" section).
• You do not need to designate one or more trust points for an application. Any application can use any certificate issued by any trust point as long as the certificate purpose satisfies the application.
• You do not need more than one identity certificate from a trust point or more than one key-pair associated with a trust point. A CA certifies a given identity (name) only once and does not issue multiple certificates with the same subject name. If you need more than one identity certificate from a CA, then define another trust point for the same CA, associate another key-pair with it, and have it certified, provided the CA allows multiple certificates with the same subject name.

Multiple Trusted CA Support

An MDS switch can be configured to trust multiple CAs by configuring multiple trust points and associating each with a distinct CA. With multiple trusted CAs, you do not have to enroll a switch with the specific CA that issued a certificate to a peer. Instead, you configure the switch with multiple trusted CAs that the peer trusts. A switch can then use a configured trusted CA to verify certificates offered by a peer that were not issued by the same CA defined in the identity of the switch.

Configuring multiple trusted CAs allows two or more switches enrolled under different domains (different CAs) to verify the identity of each other when using IKE to set up IPsec tunnels.

Cisco MDS 9000 Family CLI Configuration Guide
OL-16184-01, Cisco MDS SAN-OS Release 3.x
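The trust point, key-pair, and multiple-CA rules above are easier to see in a concrete switch session. The following SAN-OS CLI session is an added example written for this page, not configuration taken from the guide. The trust point names (corpCA, corpCA2, partnerCA), key labels, and switch FQDN mds1.example.com are placeholders; manual cut-and-paste enrollment is assumed, and it is assumed (consistent with the text) that a trust point used only to verify peers needs neither a key-pair nor enrollment.

```cisco
! Added example; all names are placeholders. The switch FQDN (mds1.example.com)
! becomes the subject name of each identity certificate.
switch# configure terminal

! One RSA key-pair per trust point that will be enrolled. A key-pair may be
! reused across trust points, but a trust point binds to only one key-pair.
switch(config)# crypto key generate rsa label corpCAkey modulus 2048
switch(config)# crypto key generate rsa label corpCA2key modulus 2048

! Trust point 1: the CA the switch enrolls with for its own identity.
switch(config)# crypto ca trustpoint corpCA
switch(config-trustpoint)# rsakeypair corpCAkey
switch(config-trustpoint)# exit

! Trust point 2: the SAME CA again, bound to a different key-pair, so a second
! identity certificate can be obtained from it (the CA must permit a second
! certificate with the same subject name).
switch(config)# crypto ca trustpoint corpCA2
switch(config-trustpoint)# rsakeypair corpCA2key
switch(config-trustpoint)# exit

! Trust point 3: a partner's CA, used only to verify certificates offered by
! peers enrolled under that CA. No key-pair and no enrollment are configured.
switch(config)# crypto ca trustpoint partnerCA
switch(config-trustpoint)# exit
switch(config)# exit

! Authenticate each CA: paste its PEM certificate when prompted and compare the
! fingerprint the switch prints against one obtained out of band before
! accepting it. This is the step that makes a CA trusted for peer verification.
switch# crypto ca authenticate corpCA
switch# crypto ca authenticate corpCA2
switch# crypto ca authenticate partnerCA

! Enroll the two identity trust points. The switch prints a certificate request
! in PEM form for mds1.example.com; submit it to the CA.
switch# crypto ca enroll corpCA
switch# crypto ca enroll corpCA2

! Import the identity certificate each CA issued (paste it when prompted).
switch# crypto ca import corpCA certificate
switch# crypto ca import corpCA2 certificate

! Verify the bindings: every trust point, its CA certificate, any identity
! certificate, and the key-pair behind it.
switch# show crypto ca trustpoints
switch# show crypto ca certificates
switch# show crypto key mypubkey rsa
```

After this session, `show crypto ca certificates` should list a CA certificate under all three trust points but identity certificates under corpCA and corpCA2 only. An IKE peer enrolled under partnerCA can now be verified even though this switch never enrolled there, which is the multiple-trusted-CA case described above; which of the two corpCA identity certificates the switch presents to that peer is decided by the application, as the IPsec and SSH sections cited above describe. Deleting either key-pair, either identity certificate, or a trust point breaks the corresponding binding, so do it deliberately.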