Cisco MDS 9000 Series Configuration Manual page 138
Manual Enrollment Using Cut-and-Paste Method
Cisco MDS NX-OS supports certificate retrieval and enrollment using a manual cut-and-paste method.
Cut-and-paste enrollment literally means you must cut and paste the certificate requests and resulting certificates
between the switch and the CA, as follows:
1. Create an enrollment certificate request, which is displayed in base64-encoded text form.
2. Cut and paste the encoded certificate request text in an e-mail message or in a web form and send it to the CA.
3. Receive the issued certificate (in base64-encoded text form) from the CA in an e-mail message or in a web browser download.
4. Cut and paste the issued certificate to the switch using the certificate import facility.
Multiple RSA Key-Pair and Identity CA Support
Multiple identity CA support enables the switch to enroll with more than one trust point. This results in
multiple identity certificates, each from a distinct CA. This allows the switch to participate in IPsec and other
applications with many peers using certificates issued by appropriate CAs that are acceptable to those peers.
The multiple RSA key-pair support feature allows the switch to maintain a distinct key pair for each CA with
which it is enrolled. Thus, it can match policy requirements for each CA without conflicting with the
requirements specified by the other CAs, such as key length. The switch can generate multiple RSA key-pairs
and associate each key-pair with a distinct trust point. Thereafter, when enrolling with a trust point, the
associated key-pair is used to construct the certificate request.
Peer Certificate Verification
The PKI support on an MDS switch provides the means to verify peer certificates. The switch verifies
certificates presented by peers during security exchanges pertaining to applications, such as IPsec/IKE and
SSH. The applications verify the validity of the peer certificates presented to them. The peer certificate
verification process involves the following steps:
• Verifies that the peer certificate is issued by one of the locally trusted CAs.
• Verifies that the peer certificate is valid (not expired) with respect to current time.
• Verifies that the peer certificate is not yet revoked by the issuing CA.
For revocation checking, use the certificate revocation list (CRL) method. A trust point uses the CRL method to
verify that the peer certificate has not been revoked.
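The three verification steps above, together with the cached-CRL lookup the next section describes, carried out on constructed test certificates. This is an added example written for this page in Python with the `cryptography` package; it is not NX-OS code, and the CA name, the peer name ipsec-peer.example and the in-memory crl_cache dictionary are assumptions standing in for the switch's configured trust points and its bootflash cert-store.

```python
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

def _cert(cn, pubkey, signer, days, is_ca, issuer=None):
    # Minimal X.509 certificate (constructed test material); issuer=None means self-signed
    subject = x509.Name([x509.NameAttribute(x509.NameOID.COMMON_NAME, cn)])
    now = dt.datetime.now(dt.timezone.utc)
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer or subject)
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(now - dt.timedelta(minutes=5)).not_valid_after(now + dt.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer, hashes.SHA256()))
def make_crl(ca_key, ca_cert, revoked_serials):
    # The CRL as the CA would publish it: the serial numbers it has prematurely revoked
    now = dt.datetime.now(dt.timezone.utc)
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(now).next_update(now + dt.timedelta(days=7)))
    for s in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder().serial_number(s).revocation_date(now).build())
    return b.sign(ca_key, hashes.SHA256())
def verify_peer(cert, trusted_cas, crl_cache, now=None):
    """The guide's three checks in order; crl_cache maps CA subject -> locally cached CRL."""
    now = now or dt.datetime.now(dt.timezone.utc).replace(tzinfo=None)  # naive UTC, like the cert fields
    ca = next((c for c in trusted_cas if c.subject == cert.issuer), None)
    if ca is None:                                   # 1. issued by a locally trusted CA?
        return False, "issuer not trusted"
    try:                                             #    a matching issuer name alone proves nothing: check the signature
        ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                               padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False, "signature not made by trusted CA"
    if not cert.not_valid_before <= now <= cert.not_valid_after:  # 2. valid with respect to current time?
        return False, "outside validity period"
    crl = crl_cache.get(ca.subject)                  # 3. revoked? the CRL is consulted only if one is cached
    if crl is not None:
        if not crl.is_signature_valid(ca.public_key()):
            return False, "cached CRL not signed by CA"
        if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
            return False, "revoked"
    return True, "ok"                                # no cached CRL: revocation checking is skipped
def build_fixture():
    # One trust point (CA), a peer certificate it issued, and a CRL that revokes that peer
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca = _cert("Constructed Test CA", ca_key.public_key(), ca_key, 365, True)
    peer_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    peer = _cert("ipsec-peer.example", peer_key.public_key(), ca_key, 30, False, ca.subject)
    return ca, peer, make_crl(ca_key, ca, [peer.serial_number])
```

With no CRL cached the peer passes; once the CA's CRL is cached the same peer is rejected as revoked, which is why keeping the cert-store CRLs current matters.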
CRL Downloading, Caching, and Checking Support
Certificate revocation lists (CRLs) are maintained by CAs to give information about prematurely revoked
certificates, and the CRLs are published in a repository. The download URL is made public and also specified
in all issued certificates. A client verifying a peer's certificate should obtain the latest CRL from the issuing
CA and use it to determine if the certificate has been revoked. A client can cache the CRLs of some or all of
its trusted CAs locally and use them later if necessary until the CRLs expire.
Cisco MDS NX-OS allows the manual configuration of pre-downloaded CRLs for the trust points, and
then caches them in the switch bootflash (cert-store). During the verification of a peer certificate by IPsec or
SSH, the issuing CA's CRL is consulted only if the CRL has already been cached locally and the revocation
checking is configured to use CRL. Otherwise, CRL checking is not performed and the certificate is considered
Cisco MDS 9000 Series Security Configuration Guide, Release 8.x
120
Configuring Certificate Authorities and Digital Certificates