CHAPTER
Send documentation comments to mdsfeedback-doc@cisco.com
24-1
Cisco MDS 9000 Family Troubleshooting Guide, Release 3.x
OL-9285-05
24
Troubleshooting Digital Certificates
This chapter describes how to troubleshoot digital certificates created and maintained in the Cisco MDS
9000 Family. It includes the following sections:
• Overview, page 24-1
• Initial Troubleshooting Checklist, page 24-3
• Digital Certificate Issues, page 24-4
Overview
Public Key Infrastructure (PKI) support provides the means for the Cisco MDS 9000 Family of switches
to obtain and use digital certificates for secure communication in the network. PKI support provides
manageability and scalability for IPsec/IKE and SSH.
Digital Certificates
Digital signatures, based on public key cryptography, digitally authenticate devices and individual users.
In public key cryptography, each device or user has a key pair containing both a private key and a public
key. Digital certificates link the digital signature to the remote device. A digital certificate contains
information to identify a user or device, such as the name, serial number, company, department, or IP
address. It also contains a copy of the entity’s public key. The certificate is itself signed by a certificate
authority (CA), a third party that is explicitly trusted by the receiver to validate identities and to create
digital certificates.
Certificate Authorities
The trust model used in PKI support is hierarchical with multiple configurable trusted CAs. Each
participating entity is configured with a list of CAs to be trusted so that the peer’s certificate obtained
during the security protocol exchanges can be verified, provided it has been issued by one of the locally
trusted CAs. To accomplish this, the CA’s self signed root certificate (or certificate chain for a
subordinate CA) is locally stored. The MDS switch can also enroll with a trusted CA (trust point CA) to
obtain an identity certificate (for example, for IPsec/IKE).
To Next Page
Loading...
Need help?
General