Peer Certificate Verification; Crl Downloading, Caching, And Checking Support; Ocsp Support; Import And Export Support For Certificates And Associated Key Pairs - Cisco AP775A - Nexus Converged Network Switch 5010 Configuration Manual

Fabric manager configuration guide, release 4.x
Chapter 43
Configuring Certificate Authorities and Digital Certificates
Send documentation comments to mdsfeedback-doc@cisco.com

Peer Certificate Verification

The PKI support on an MDS switch provides the means to verify peer certificates. The switch verifies certificates presented by peers during security exchanges pertaining to applications, such as IPsec/IKE and SSH. The applications verify the validity of the peer certificates presented to them. The peer certificate verification process involves the following steps:

• Verifies that the peer certificate is issued by one of the locally trusted CAs.
• Verifies that the peer certificate is valid (not expired) with respect to current time.
• Verifies that the peer certificate is not yet revoked by the issuing CA.

For revocation checking, two methods are supported: certificate revocation list (CRL) and Online Certificate Status Protocol (OCSP). A trust point uses one or both of these methods to verify that the peer certificate has not been revoked.

CRL Downloading, Caching, and Checking Support

Certificate revocation lists (CRLs) are maintained by CAs to provide information about prematurely revoked certificates, and the CRLs are published in a repository. The download URL is made public and is also specified in all issued certificates. A client verifying a peer's certificate should obtain the latest CRL from the issuing CA and use it to determine whether the certificate has been revoked. A client can cache the CRLs of some or all of its trusted CAs locally and use them later if necessary, until the CRLs expire.

Cisco MDS NX-OS allows the manual configuration of pre-downloaded CRLs for the trust points, and then caches them in the switch bootflash (cert-store). During the verification of a peer certificate by IPsec or SSH, the issuing CA's CRL is consulted only if the CRL has already been cached locally and the revocation checking is configured to use CRL. Otherwise, CRL checking is not performed and the certificate is considered not revoked if no other revocation checking methods are configured. This mode of CRL checking is called CRL optional.

OCSP Support

Online Certificate Status Protocol (OCSP) facilitates online certificate revocation checking. You can
specify an OCSP URL for each trust point. Applications choose the revocation checking mechanisms in
a specified order. The choices are CRL, OCSP, none, or a combination of these methods.

Import and Export Support for Certificates and Associated Key Pairs

As part of the CA authentication and enrollment process, the subordinate CA certificate (or certificate
chain) and identity certificates can be imported in standard PEM (base64) format.
The complete identity information in a trust point can be exported to a file in the password-protected PKCS#12 standard format. It can later be imported to the same switch (for example, after a system crash) or to a replacement switch. The information in a PKCS#12 file consists of the RSA key pair, the identity certificate, and the CA certificate (or chain).
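The following script is an added example and is not from the Cisco guide or from NX-OS. It uses the openssl command-line tool (1.1.1 or 3.x assumed on PATH) to build a throw-away issuing CA, issue a peer certificate, and exercise what the sections above describe: the three verification steps (trusted issuer, validity period, revocation), the "CRL optional" behaviour where a CRL that has not been obtained is simply not consulted, and the export and re-import of a trust point's identity (RSA key pair, identity certificate, CA certificate) as a password-protected PKCS#12 file. The OCSP path is not exercised because it needs a live responder. All names, paths and the password are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the Cisco guide. Assumes the openssl CLI
# (1.1.1 or 3.x) is on PATH. All names and the password are constructed.
set -e

# Fresh working directory with a minimal "openssl ca" config so a CRL can be issued.
setup_pki() {
  WORK=$(mktemp -d) && cd "$WORK"
  mkdir db && : > db/index.txt && echo 1000 > db/crlnumber
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = .
database         = $dir/db/index.txt
crlnumber        = $dir/db/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_crl_days = 30
EOF
  # Locally trusted CA (what a trust point on the switch would hold).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Demo Issuing CA" -keyout ca.key -out ca.crt 2>/dev/null
  # Peer identity: key pair, request, certificate signed by the trusted CA.
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=peer-switch" -keyout peer.key -out peer.csr 2>/dev/null
  openssl x509 -req -sha256 -days 1 -in peer.csr \
    -CA ca.crt -CAkey ca.key -CAcreateserial -out peer.crt 2>/dev/null
  # Same request signed by an unrelated CA: must fail the "trusted issuer" step.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Unknown CA" -keyout other.key -out other.crt 2>/dev/null
  openssl x509 -req -sha256 -days 1 -in peer.csr \
    -CA other.crt -CAkey other.key -CAcreateserial -out rogue.crt 2>/dev/null
}

# verify_peer CERT [extra openssl verify options]; exit status 0 = accepted.
# Without -crl_check openssl ignores CRLs entirely, which mirrors the guide's
# "CRL optional" mode when no CRL has been cached for the trust point.
verify_peer() {
  cert=$1; shift
  openssl verify -CAfile ca.crt "$@" "$cert" >/dev/null 2>&1
}

# Revoke the peer certificate and publish a CRL (the file an operator would
# pre-download and cache on the switch).
revoke_peer() {
  openssl ca -config ca.cnf -revoke peer.crt 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
}

# Export key pair + identity cert + CA cert as a password-protected PKCS#12 file.
export_identity() {  # $1 = password
  openssl pkcs12 -export -inkey peer.key -in peer.crt -certfile ca.crt \
    -name "trustpoint-demo" -passout "pass:$1" -out identity.p12 2>/dev/null
}

# Import it again (as after a crash or onto a replacement switch) and check that
# the restored key matches the original and both certificates came back.
import_identity() {  # $1 = password; exit status 0 = round trip intact
  openssl pkcs12 -in identity.p12 -passin "pass:$1" -nodes -nocerts \
    -out restored.key 2>/dev/null || return 1
  openssl pkcs12 -in identity.p12 -passin "pass:$1" -nokeys \
    -out restored-chain.pem 2>/dev/null || return 1
  [ "$(openssl rsa -in restored.key -noout -modulus 2>/dev/null)" = \
    "$(openssl rsa -in peer.key -noout -modulus 2>/dev/null)" ] || return 1
  [ "$(grep -c 'BEGIN CERTIFICATE' restored-chain.pem)" -eq 2 ]
}

# Prints "ok" when the command succeeds, "rejected" otherwise.
outcome() { if "$@"; then echo ok; else echo rejected; fi; }

main() {
  setup_pki
  later=$(( $(date +%s) + 172800 ))          # two days from now
  echo "step 1, trusted issuer:  peer=$(outcome verify_peer peer.crt) rogue=$(outcome verify_peer rogue.crt)"
  echo "step 2, validity period: at +2 days peer=$(outcome verify_peer peer.crt -attime "$later")"
  revoke_peer
  echo "step 3, revocation:      CRL not consulted=$(outcome verify_peer peer.crt)" \
       "CRL checked=$(outcome verify_peer peer.crt -crl_check -CRLfile ca.crl)"
  export_identity s3cret
  echo "PKCS#12 round trip:      right password=$(outcome import_identity s3cret)" \
       "wrong password=$(outcome import_identity wrong)"
}

main
```

The third line of output is the one worth studying: after revocation the same peer certificate is still accepted when the CRL is not consulted, and rejected only once the CRL is supplied and checked. That is exactly the exposure of "CRL optional" on the switch: a revoked peer is treated as not revoked until the CRL has been downloaded and cached for the trust point (or another revocation method is configured), so keeping cached CRLs current is part of the operational burden of this mode.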
OL-17256-03, Cisco MDS NX-OS Release 4.x
Cisco MDS 9000 Family Fabric Manager Configuration Guide
