Configuring Certificate Revocation Checking Methods; Generating Certificate Requests - HP Cisco MDS 9216 - Fabric Switch Configuration Manual

Configuring CAs and Digital Certificates
S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m

Configuring Certificate Revocation Checking Methods

During security exchanges with a client (for example, an IKE peer or SSH user), the MDS switch
performs the certificate verification of the peer certificate sent by the client and the verification process
may involve certificate revocation status checking.
You can use different methods for checking for revoked sender certificates. You can configure the switch
to check the CRL downloaded from the CA (see the
can use OSCP if it is supported in your network, or both. Downloading the CRL and checking locally
does not generate traffic in your network. However, certificates can be revoked between downloads and
your switch would not be aware of the revocation. OCSP provides the means to check the current CRL
on the CA. However, OCSP can generate network traffic that can impact network efficiency. Using both
local CRL checking and OCSP provides the most secure method for checking for revoked certificates.
Note You must authenticate the CA before configuring certificate revocation checking.
Fabric Manager allows you to configure certificate revocation checking methods when you are creating
a trust point CA. See

Generating Certificate Requests

You must generate a request to obtain identity certificates from the associated trust point CA for each of
your switch's RSA key-pairs. You must then cut and paste the displayed request into an e-mail message
or in a website form for the CA.
To generate a request for signed certificates from the CA using Fabric Manager, follow these steps:
Step 1 Expand Switches > Security and then select PKI in the Physical Attributes pane.
Step 2 Click the Trust Point Actions tab in the Information pane (see
Figure 43-8
Select the certreq option from the Command drop-down menu. This generates a pkcs#10 certificate
Step 3
signing request (CSR) needed for an identity certificate from the CA corresponding to this trust point
entry. This entry requires an associated key-pair. The CA certificate or certificate chain should already
be configured through the caauth action. See
Step 4 Enter the output file name for storing the generated certificate request. It will be used to store the CSR
generated in PEM format. Use the format bootflash:filename. This CSR should be submitted to the CA
to get the identity certificate. Once the identity certificate is obtained, it should be installed in this trust
point. See
Enter the challenge password to be included in the CSR.
Step 5
Cisco MDS 9000 Family CLI Configuration Guide
43-12
"Creating a Trust Point CA Association" section on page
Trust Point Actions Tab
"Installing Identity Certificates" section on page
Chapter 43 Configuring Certificate Authorities and Digital Certificates
"Configuring a CRL" section on page
Figure
"Authenticating the CA" section on page
43-13.
OL-16184-01, Cisco MDS SAN-OS Release 3.x
43-15), you
43-8.
43-8).
43-10.