
Alcatel-Lucent 7450 - Page 153

Alcatel-Lucent 7450
554 pages
Security
7450 ESS System Management Guide Page 153
The system performs the following checks against the configured cert-file when a no shutdown command is issued:
• The configured cert-file must be a DER formatted X.509v3 certificate file.
• All non-optional fields defined in section 4.1 of RFC 5280 must exist and conform to the RFC 5280 defined format.
• The version field is checked to see that its value is 0x2.
• The Validity field is checked to see that the certificate is still within its validity period.
• The X509 basic constraints extension must exist, and the CA Boolean must be True.
• If the Key Usage extension exists, then at least keyCertSign and cRLSign should be asserted.
• If the certificate is not a self-signed certificate, the system tries to find the issuer's CA certificate to verify that this certificate is signed by the issuer's CA; if no such CA-profile is configured, the system proceeds with a warning message.
• If the certificate is not a self-signed certificate, the system tries to find the issuer's CA's CRL to verify that it has not been revoked; if no such CA-profile is configured or there is no such CRL, the system proceeds with a warning message.
If any of the above checks fails, the no shutdown command fails.
Changing or removing the cert-file is only allowed when the ca-profile is in a shutdown state.
The no form of the command removes the filename from the configuration.
Parameters filename — Specifies a local CF card file URL.
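The cert-file checks listed above can be rehearsed on a workstation before the file is copied to the CF card. The Python below is an added example, not Alcatel-Lucent code and not the router's implementation: tlvs, when, check_ca_cert and SAMPLE are hypothetical names, SAMPLE is a constructed certificate with a dummy key and signature, and issuer == subject is used as a stand-in for the self-signed test. It covers the DER, version, validity, basic constraints and key usage checks; signature and CRL verification are not performed.

```python
from datetime import datetime, timezone

def tlvs(buf):  # split DER bytes into (tag, value) pairs
    out, i = [], 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long form: low 7 bits count the length bytes
            n, i = int.from_bytes(buf[i:i + n - 128], "big"), i + n - 128
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def when(tag, val):  # UTCTime (0x17) or GeneralizedTime (0x18) -> datetime
    s = val.decode()
    if tag == 0x17:  # two-digit year, RFC 5280 pivots at 50
        s = ("19" if s[:2] >= "50" else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def check_ca_cert(der, now=None):  # -> (failed_checks, self_issued)
    now, bad, exts = now or datetime.now(timezone.utc), [], {}
    try:
        tbs = tlvs(tlvs(tlvs(der)[0][1])[0][1])  # Certificate -> tbsCertificate
        if tbs[0] != (0xA0, b"\x02\x01\x02"):
            return ["version is not 0x2 (v3)"], False
        issuer, validity, subject, _spki = tbs[3:7]  # mandatory fields
        start, end = (when(*t) for t in tlvs(validity[1]))
        if not start <= now <= end:
            bad.append("outside validity period")
        if tbs[-1][0] == 0xA3:  # [3] EXPLICIT Extensions, last field if present
            for _, ext in tlvs(tlvs(tbs[-1][1])[0][1]):
                f = tlvs(ext)  # OID, optional critical flag, OCTET STRING
                exts[f[0][1]] = tlvs(f[-1][1])[0]
        bc = exts.get(b"\x55\x1d\x13")  # basicConstraints, OID 2.5.29.19
        if not (bc and tlvs(bc[1])[:1] == [(0x01, b"\xff")]):
            bad.append("basicConstraints missing or cA not TRUE")
        ku = exts.get(b"\x55\x1d\x0f")  # keyUsage, OID 2.5.29.15
        if ku and (len(ku[1]) < 2 or (ku[1][1] & 0x06) != 0x06):
            bad.append("keyUsage lacks keyCertSign or cRLSign")
        return bad, issuer == subject
    except (IndexError, ValueError):
        return ["not a well-formed DER X.509 certificate"], False

SAMPLE = bytes.fromhex(  # constructed: CN=Test CA, 2020-2040, dummy key/signature
    "3081af308199a003020102020101300d06092a864886f70d01010b0500"
    "30123110300e06035504030c0754657374204341"  # issuer
    "301e170d3230303130313030303030305a170d3430303130313030303030305a"
    "30123110300e06035504030c07546573742043413013300d06092a864886f70d010101050003020000"
    "a3233021300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106"
    "300d06092a864886f70d01010b050003020000")
```

An empty failure list with self_issued False corresponds to the case where the system would go on to look for the issuer's CA certificate and CRL.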
accept-unprotected-errormsg
Syntax [no] accept-unprotected-errormsg
Context config>system>security>pki>ca-profile>cmpv2
Description This command enables the system to accept both protected and unprotected CMPv2 error messages.
Without this command, the system only accepts protected error messages.
The no form of the command causes the system to only accept protected PKI confirmation messages.
Default no
accept-unprotected-pkiconf
Syntax [no] accept-unprotected-pkiconf
Context config>system>security>pki>ca-profile>cmpv2
Description This command enables the system to accept both protected and unprotected CMPv2 PKI confirmation messages.
Without this command, the system only accepts protected PKI confirmation messages.
The no form of the command causes the system to only accept protected PKI confirmation messages.
