About CAs and Digital Certificates
S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m
PKI Enrollment Support
Enrollment is the process of obtaining an identity certificate for the switch that is used for applications
like IPsec/IKE or SSH. It occurs between the switch requesting the certificate and the certificate
The PKI enrollment process for a switch involves the following steps:
Manual Enrollment Using Cut-and-Paste Method
Cisco MDS SAN-OS supports certificate retrieval and enrollment using a manual cut-and-paste method.
Cut-and-paste enrollment literally means you must cut and paste the certificate requests and resulting
certificates between the switch and the CA, as follows:
Multiple RSA Key-Pair and Identity CA Support
Multiple identity CA support enables the switch to enroll with more than one trust point. This results in
multiple identity certificates; each from a distinct CA. This allows the switch to participate in IPsec and
other applications with many peers using certificates issued by appropriate CAs that are acceptable to
The multiple RSA key-pair support feature allows the switch to maintain a distinct key pair for each CA
with which it is enrolled. Thus, it can match policy requirements for each CA without conflicting with
the requirements specified by the other CAs, such as key length. The switch can generate multiple RSA
key-pairs and associate each key-pair with a distinct trust point. Thereafter, when enrolling with a trust
point, the associated key-pair is used to construct the certificate request.
Peer Certificate Verification
The PKI support on an MDS switch provides the means to verify peer certificates. The switch verifies
certificates presented by peers during security exchanges pertaining to applications, such as IPsec/IKE
and SSH. The applications verify the validity of the peer certificates presented to them. The peer
certificate verification process involves the following steps:
Cisco MDS 9000 Family CLI Configuration Guide
Generate an RSA private and public key-pair on the switch.
Generate a certificate request in standard format and forward it to the CA.
Manual intervention at the CA server by the CA administrator may be required to approve the
enrollment request, when it is received by the CA.
Receive the issued certificate back from the CA, signed with the CA's private key.
Write the certificate into a nonvolatile storage area on the switch (bootflash).
Create an enrollment certificate request, which is displayed in base64-encoded text form.
Cut and paste the encoded certificate request text in an e-mail message or in a web form and send it
to the CA.
Receive the issued certificate (in base64-encoded text form) from the CA in an e-mail message or
in a web browser download.
Cut and paste the issued certificate to the switch using the certificate import facility.
Verifies that the peer certificate is issued by one of the locally trusted CAs.
Configuring Certificate Authorities and Digital Certificates
OL-16184-01, Cisco MDS SAN-OS Release 3.x