Send documentation comments to mdsfeedback-doc@cisco.com
43-12
Cisco MDS 9000 Family Fabric Manager Configuration Guide
OL-17256-03, Cisco MDS NX-OS Release 4.x
Chapter 43 Configuring Certificate Authorities and Digital Certificates
Configuring CAs and Digital Certificates
Configuring Certificate Revocation Checking Methods
During security exchanges with a client (for example, an IKE peer or SSH user), the MDS switch
performs the certificate verification of the peer certificate sent by the client and the verification process
may involve certificate revocation status checking.
You can use different methods for checking for revoked sender certificates. You can configure the switch
to check the CRL downloaded from the CA (see the
“Configuring a CRL” section on page 43-15), you
can use OSCP if it is supported in your network, or both. Downloading the CRL and checking locally
does not generate traffic in your network. However, certificates can be revoked between downloads and
your switch would not be aware of the revocation. OCSP provides the means to check the current CRL
on the CA. However, OCSP can generate network traffic that can impact network efficiency. Using both
local CRL checking and OCSP provides the most secure method for checking for revoked certificates.
Note You must authenticate the CA before configuring certificate revocation checking.
Fabric Manager allows you to configure certificate revocation checking methods when you are creating
a trust point CA. See
“Creating a Trust Point CA Association” section on page 43-8.
Generating Certificate Requests
You must generate a request to obtain identity certificates from the associated trust point CA for each of
your switch’s RSA key-pairs. You must then cut and paste the displayed request into an e-mail message
or in a website form for the CA.
To generate a request for signed certificates from the CA using Fabric Manager, follow these steps:
Step 1 Expand Switches > Security and then select PKI in the Physical Attributes pane.
Step 2 Click the Trust Point Actions tab in the Information pane (see Figure 43-8).
Figure 43-8 Trust Point Actions Tab
Step 3 Select the certreq option from the Command drop-down menu. This generates a pkcs#10 certificate
signing request (CSR) needed for an identity certificate from the CA corresponding to this trust point
entry. This entry requires an associated key-pair. The CA certificate or certificate chain should already
be configured through the caauth action. See
“Authenticating the CA” section on page 43-10.
Step 4 Enter the output file name for storing the generated certificate request. It will be used to store the CSR
generated in PEM format. Use the format bootflash:filename. This CSR should be submitted to the CA
to get the identity certificate. Once the identity certificate is obtained, it should be installed in this trust
point. See
“Installing Identity Certificates” section on page 43-13.
Step 5 Enter the challenge password to be included in the CSR.
To Next Page
Loading...
Need help?
General
