Public Key Infrastructure Configuration Guide, Cisco IOS Release 15MT
PKI Trustpool Management

PKI Trustpool Management

The PKI Trustpool Management feature is used to authenticate sessions, such as HTTPS, that occur between devices by using commonly recognized trusted agents called certificate authorities (CAs). The Cisco IOS software uses the PKI Trustpool Management feature, which is enabled by default, to create a scheme to provision, store, and manage a pool of certificates from known CAs in a way similar to the services a browser provides for securing sessions.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for PKI Trustpool Management

The use of certificates requires that a crypto subsystem is included in the Cisco IOS software image.

Restrictions for PKI Trustpool Management

Device certificates that use CA certificates cannot be enrolled in a PKI trustpool.

Information About PKI Trustpool Management

CA Certificate Storage in a PKI Trustpool

The router uses a built-in CA certificate bundle that is contained in a special certificate store called a PKI trustpool, which is updated automatically from Cisco. This PKI trustpool is known by Cisco and other vendors. A CA certificate bundle can be in the following formats:

  • X.509 certificates in Distinguished Encoding Rules (DER) binary format enveloped in a Public-Key Cryptography Standard #7 (PKCS #7) structure, the cryptographic message syntax used to sign and encrypt messages under a PKI. An X.509 certificate is a PKI and Privilege Management Infrastructure (PMI) standard that specifies, among other things, standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.
  • A file containing concatenated X.509 certificates in Privacy Enhanced Mail (PEM) format with PEM headers.
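
To show what the two bundle formats look like on the wire, here is an added Python example (not part of this guide and not Cisco IOS code) that tells a concatenated PEM bundle from a DER PKCS #7 envelope, splits the PEM form into its individual DER certificates, and checks that the outer DER length of a .p7b matches the number of bytes received, which is how a truncated download shows up before the router reports an import failure. The sample inputs are constructed placeholders, not real certificates; the example does not verify the PKCS #7 signature or parse the certificates inside.

```python
import base64
import re

# DER encoding of OID 1.2.840.113549.1.7.2, the PKCS #7 signedData content type.
SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")
_PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def der_outer_length(data):
    """Return (header_len, content_len) of the outermost DER TLV."""
    if len(data) < 2:
        raise ValueError("too short for a DER TLV")
    first = data[1]
    if first < 0x80:                       # short form
        return 2, first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n, int.from_bytes(data[2:2 + n], "big")


def classify_bundle(data):
    """
    ('pem', [der, ...]) for a concatenated PEM bundle (what 'import terminal'
    expects) or ('pkcs7', byte_count) for a DER PKCS #7 envelope (a .p7b).
    Raises ValueError on truncated or unrecognised input.  The PKCS #7
    signature is not verified and the inner certificates are not parsed.
    """
    if b"-----BEGIN CERTIFICATE-----" in data:
        blocks = _PEM_BLOCK.findall(data)
        if not blocks:
            raise ValueError("PEM header present but no complete certificate block")
        return "pem", [base64.b64decode(b"".join(b.split())) for b in blocks]
    if data[:1] == b"\x30":                # ASN.1 SEQUENCE: PKCS #7 ContentInfo
        hdr, length = der_outer_length(data)
        if hdr + length > len(data):
            raise ValueError("DER SEQUENCE claims %d bytes but only %d present: "
                             "truncated download" % (hdr + length, len(data)))
        if SIGNED_DATA_OID not in data[hdr:hdr + 32]:
            raise ValueError("DER SEQUENCE is not PKCS #7 signedData")
        return "pkcs7", hdr + length
    raise ValueError("neither PEM nor DER PKCS #7")


def bundle_ok(data):
    """True when classify_bundle accepts the input."""
    try:
        classify_bundle(data)
        return True
    except ValueError:
        return False


def _pem(payload):
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(payload)
            + b"-----END CERTIFICATE-----\n")


# Constructed samples.  The "certificates" are placeholder bytes, not X.509.
PEM_SAMPLE = _pem(b"placeholder-cert-one") + _pem(b"placeholder-cert-two")
# ContentInfo { contentType signedData, [0] { SEQUENCE {} } }, short-form length.
PKCS7_SAMPLE = b"\x30\x0f" + SIGNED_DATA_OID + b"\xa0\x02\x30\x00"
# Same shape with a long-form (0x81) length byte: 130 bytes of content.
PKCS7_LONG = b"\x30\x81\x82" + SIGNED_DATA_OID + b"\xa0\x75" + b"\x00" * 117
TRUNCATED = PKCS7_SAMPLE[:-2]

if __name__ == "__main__":
    kind, certs = classify_bundle(PEM_SAMPLE)
    print(kind, len(certs), "certificates")
    print(classify_bundle(PKCS7_SAMPLE))
    print("truncated accepted?", bundle_ok(TRUNCATED))
```

Run it against a bundle you have downloaded out of band before pointing cabundle url at a mirror of your own: a length mismatch means the file is not what the router will be able to import.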

PKI Trustpool Updating

The PKI trustpool is treated as a single entity that needs to be updated when the following conditions occur:

  • A certificate in the PKI trustpool is due to expire or has been reissued.
  • The published CA certificate bundle contains additional trusted certificates that are needed by a given application.
  • The configuration has been corrupted.

Note: A built-in certificate in the PKI trustpool cannot be physically replaced. However, a built-in certificate is rendered inactive after an update if its X.509 subject-name attribute matches a certificate in the CA certificate bundle.


The PKI trustpool can be updated automatically or manually. Whether the PKI trustpool is consulted during certificate validation depends on the application using it. See the "Manually Updating Certificates in the PKI Trustpool" and "Configuring Optional PKI Trustpool Policy Parameters" sections for more information.

The PKI trustpool timer matches the CA certificate with the earliest expiration time. If the timer is running and a bundle location is not configured and not explicitly disabled, syslog warnings are issued to alert the administrator that the PKI trustpool policy option is not set.

Automatic PKI trustpool updates use the configured URL.

When the PKI trustpool expires, the policy is read, the bundle is loaded, and the PKI trustpool is replaced. If the automatic PKI trustpool update encounters problems when initiating, then the following schedule is used to initiate the update until the download is successful: 20 days, 15 days, 10 days, 5 days, 4 days, 3 days, 2 days, 1 day, and then once every hour.

CA Handling in Both the PKI Trustpool and a Trustpoint

There may be circumstances where a CA resides in both the PKI trustpool and a trustpoint; for example, a trustpoint is using a CA and a CA bundle is downloaded later with this same CA inside. In this scenario, the CA in the trustpoint and the policy of that trustpoint are considered before the CA in the PKI trustpool and the PKI trustpool policy, to ensure that existing behavior is not altered when the PKI Trustpool Management feature is implemented on the router.

How to Configure PKI Trustpool Management

Manually Updating Certificates in the PKI Trustpool

The PKI Trustpool Management feature is enabled by default and uses the built-in CA certificate bundle in the PKI trustpool, which receives automatic updates from Cisco. Perform this task to manually update certificates in the PKI trustpool if they are not current, are corrupt, or if certain certificates need to be updated.

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    crypto pki trustpool import clean [terminal | url url]

    4.    crypto pki trustpool import {terminal | url url}

    5.    exit

    6.    show crypto pki trustpool


DETAILED STEPS
      Command or Action Purpose
    Step 1 enable


    Example:
    Router> enable
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.
     
    Step 2 configure terminal


    Example:
    Router# configure terminal
     

    Enters global configuration mode.

     
    Step 3 crypto pki trustpool import clean [terminal | url url]


    Example:
    Router(config)# crypto pki trustpool import clean
    
     
    (Optional) Manually removes all downloaded PKI CA certificates.
    • The clean keyword specifies the removal of the downloaded PKI trustpool certificates before the new certificates are downloaded. Use the optional terminal keyword to remove the existing CA certificate bundle terminal setting or the url keyword and url argument to remove the existing URL file system setting.
     
    Step 4 crypto pki trustpool import {terminal | url url}


    Example:
    Router(config)# crypto pki trustpool import url http://www.cisco.com/security/pki/trs/ios.p7b
    
     
    Manually imports (downloads) the CA certificate bundle into the PKI trustpool to update or replace the existing CA certificate bundle.
    • The terminal keyword specifies the importation of a CA certificate bundle through the terminal (cut-and-paste) in PEM format.
    • The url keyword with the url argument specifies the importation of a CA certificate bundle through a URL. This URL can be through a variety of URL file systems such as HTTP. See the "PKI Trustpool Updating" section for more information.
     
    Step 5 exit


    Example:
    Router(config)# exit
    
     

    Exits global configuration mode.

     
    Step 6 show crypto pki trustpool


    Example:
    Router# show crypto pki trustpool
    
     

    Displays the PKI trustpool certificates of the router in a verbose format.

     

    Configuring Optional PKI Trustpool Policy Parameters

    SUMMARY STEPS

      1.    enable

      2.    configure terminal

      3.    crypto pki trustpool policy

      4.    cabundle url {url | none}

      5.    chain-validation

      6.    crl {cache {delete-after {minutes | none}} | query url}

      7.    default command-name

      8.    match certificate certificate-map-name [allow expired-certificate | override {cdp directory ldap-location | ocsp {number url url | trustpool name number url url} | sia number url} | skip [revocation-check | authorization-check]]

      9.    ocsp {disable-nonce | url url}

      10.    revocation-check method1 [method2 [method3]]

      11.    source interface name number

      12.    storage location

      13.    vrf vrf-name

      14.    show


    DETAILED STEPS
        Command or Action Purpose
      Step 1 enable


      Example:
      Router> enable
       

      Enables privileged EXEC mode.

      • Enter your password if prompted.
       
      Step 2 configure terminal


      Example:
      Router# configure terminal
       

      Enters global configuration mode.

       
      Step 3 crypto pki trustpool policy


      Example:
      Router(config)# crypto pki trustpool policy
      Router(ca-trustpool)#
       

      Enters ca-trustpool configuration mode where commands can be accessed to configure CA PKI trustpool policy parameters.

       
      Step 4 cabundle url {url | none}


      Example:
      Router(ca-trustpool)# cabundle url http://www.cisco.com/security/pki/trs/ios.p7b
       

      Specifies the URL from which the PKI trustpool CA certificate bundle is downloaded.

      • The url argument is the URL of the CA certificate bundle.
      • The none keyword specifies that autoupdates of the PKI trustpool CA are not permitted.
       
      Step 5 chain-validation


      Example:
      Router(ca-trustpool)# chain-validation 
       

      Enables chain validation from the peer's certificate to the root CA certificate in the PKI trustpool. The default has validation stopping at the peer certificate's issuer.

       
      Step 6 crl {cache {delete-after {minutes | none}} | query url}


      Example:
      Router(ca-trustpool)# crl query http://www.cisco.com/security/pki/crl/crca2048.crl 
      
       
      Specifies the certificate revocation list (CRL) query and CRL cache options for the PKI trustpool.
      • The cache keyword specifies CRL cache options.
      • The delete-after keyword removes the CRL from the cache after a timeout.
      • The minutes argument is the number of minutes from 1 to 43,200 to wait before deleting the CRL from the cache.
      • The none keyword specifies that CRLs are not cached.
      • The query keyword with the url argument specifies the URL published by the CA server to query the CRL.
       
      Step 7 default command-name


      Example:
      Router(ca-trustpool)# default crl query http://www.cisco.com/security/pki/crl/crca2048.crl
        
      
       
      Resets the value of a ca-trustpool configuration subcommand to its default.
      • The command-name argument is the ca-trustpool configuration mode command with its applicable keywords.
       
      Step 8 match certificate certificate-map-name [allow expired-certificate | override {cdp directory ldap-location | ocsp {number url url | trustpool name number url url} | sia number url} | skip [revocation-check | authorization-check]]


      Example:
      Router(ca-trustpool)# match certificate mycert override ocsp 1 url http://ocspts.identrust.com
      
       
      Enables the use of certificate maps for the PKI trustpool.
      • The certificate-map-name argument matches the certificate map name.
      • The optional allow expired-certificate keyword ignores expired certificates.
        Note   

        If this keyword is not configured, the router does not ignore expired certificates.

      • The override keyword overrides the online certificate status protocol (OCSP) or Subject Information Access (SIA) attribute fields in a certificate that is in the PKI trustpool.
      • The cdp keyword overrides the CRL distribution point (CDP) in a certificate.
      • The directory keyword and ldap-location argument specify the CDP to override in the certificate, as an http: or ldap: URL or an LDAP directory.
      • The ocsp keyword with the number argument and the url keyword with the url argument specify the OCSP sequence number (0 to 10000) and the URL to override in the certificate.
      • The trustpool keyword with the name and number arguments and the url keyword with the url argument override the PKI trustpool used to verify the OCSP responder certificate by specifying the PKI trustpool name, sequence number, and URL.
      • The sia keyword with the number and url arguments overrides the SIA URL in a certificate by specifying the SIA sequence number and URL.
      • The optional skip revocation-check keyword combination allows the PKI trustpool to enforce certificate revocation lists (CRLs) except for specific certificates.
        Note   

        If this keyword combination is not configured, then the PKI trustpool enforces CRLs for all certificates.

      • The optional skip authorization-check keyword combination skips the authentication, authorization, and accounting (AAA) check of a certificate when public key infrastructure (PKI) integration with an AAA server is configured.
        Note   

        If this keyword combination is not configured, and PKI integration with an AAA server is configured, then the AAA checking of a certificate is done.

       
      Step 9 ocsp {disable-nonce | url url}


      Example:
      Router(ca-trustpool)# ocsp url http://ocspts.identrust.com
        
      
       
      Specifies OCSP settings for the PKI trustpool.
      • The disable-nonce keyword disables the OCSP Nonce extension.
      • The url keyword and url argument specify the OCSP server URL to override (if one exists) in the Authority Info Access (AIA) extension of the certificate. All certificates associated with a configured PKI trustpool are checked by the OCSP server at the specified HTTP URL. The URL can be a hostname, IPv4 address, or an IPv6 address.
       
      Step 10 revocation-check method1 [method2 [method3]]


      Example:
      Router(ca-trustpool)# revocation-check ocsp crl none
      
       
      Specifies the methods used to check the revocation status of a peer certificate when the PKI trustpool policy is in effect. Available keywords are as follows:
      • crl--Certificate checking is performed by a certificate revocation list (CRL). This is the default behavior.
      • none--Certificate checking is not required.
      • ocsp--Certificate checking is performed by an online certificate status protocol (OCSP) server.

      If a second and third method are specified, each method is used only if the previous method returns an error, such as a server being down. Because none never returns an error, listing it last (as in the example) means a certificate is accepted whenever every preceding method fails, so an OCSP or CRL server outage becomes fail-open.

       
      Step 11 source interface name number


      Example:
      Router(ca-trustpool)# source interface tunnel 1
      
       
      Specifies the source interface to be used for CRL retrieval, OCSP status, or the downloading of a CA certificate bundle for the PKI trustpool .
      • The name and number arguments are the interface type and number used as the source address for the PKI trustpool.
       
      Step 12 storage location


      Example:
      Router(ca-trustpool)# storage disk0:
      
       
      Specifies a file system location where PKI trustpool certificates are stored on the router.
      • The location is the file system location where the PKI trustpool certificates are stored. The types of file system locations are disk0:, disk1:, nvram:, unix:, or a named file system.
       
      Step 13 vrf vrf-name


      Example:
      Router(ca-trustpool)# vrf myvrf
      
       

      Specifies the VPN routing and forwarding (VRF) instance to be used for enrollment, CRL retrieval, and OCSP status.

       
      Step 14 show


      Example:
      Router(ca-trustpool)# show
      
      Chain validation will stop at the first CA certificate in the pool
         Trustpool CA certificates will expire 12:58:31 PST Apr 5 2012
         Trustpool policy revocation order:      crl 
         Certficate matching is disabled
         Policy Overrides:
      
       

      Displays the PKI trustpool policy of the router.
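
Steps 3 through 14 above each set one policy knob. The added Python example below (not IOS code and not from this guide) parses a ca-trustpool policy block as it appears in a running configuration, flags the settings that widen what the trustpool will accept, and simulates the revocation-check fallback order from step 10 so the fail-open case can be seen directly. The weak and hardened policies are constructed samples; the map name legacy-partners, Loopback0 and VRF MGMT are hypothetical, and the bundle URL is the one used earlier in this chapter.

```python
# Constructed sample: a ca-trustpool policy block as it appears in a running
# configuration.  Map name, Loopback0 and VRF MGMT are hypothetical; the
# bundle URL is the one used earlier in this chapter.
WEAK_POLICY = """\
crypto pki trustpool policy
 cabundle url http://www.cisco.com/security/pki/trs/ios.p7b
 revocation-check ocsp crl none
 match certificate legacy-partners skip revocation-check
 match certificate legacy-partners allow expired-certificate
 ocsp url http://ocspts.identrust.com
 source interface Loopback0
 vrf MGMT
"""

# The same policy with the fail-open fallback and the per-map bypasses
# removed and chain validation to the root enabled.
HARDENED_POLICY = """\
crypto pki trustpool policy
 cabundle url http://www.cisco.com/security/pki/trs/ios.p7b
 chain-validation
 revocation-check ocsp crl
 ocsp url http://ocspts.identrust.com
 source interface Loopback0
 vrf MGMT
"""


def parse_policy(text):
    """Reduce the ca-trustpool lines to a dict.  Defaults follow the command
    descriptions above: revocation-check crl, chain validation off."""
    p = {"cabundle": None, "revocation": ["crl"], "chain_validation": False,
         "matches": [], "other": []}
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[:4] == ["crypto", "pki", "trustpool", "policy"]:
            continue
        if words[:2] == ["cabundle", "url"] and len(words) == 3:
            p["cabundle"] = words[2]
        elif words[0] == "revocation-check":
            p["revocation"] = words[1:]
        elif words[0] == "chain-validation":
            p["chain_validation"] = True
        elif words[:2] == ["match", "certificate"] and len(words) >= 4:
            p["matches"].append((words[2], " ".join(words[3:])))
        else:
            p["other"].append(" ".join(words))
    return p


def lint_policy(p):
    """Findings for settings that widen what the trustpool will accept."""
    findings = []
    if p["cabundle"] is None:
        findings.append("no cabundle url: automatic updates have no source "
                        "(IOS issues syslog warnings while the timer runs)")
    elif p["cabundle"] == "none":
        findings.append("cabundle url none: automatic updates disabled; "
                        "the bundle must be imported manually")
    if p["revocation"][-1:] == ["none"]:
        findings.append("revocation-check %s: 'none' last means fail-open "
                        "whenever every earlier method errors"
                        % " ".join(p["revocation"]))
    if not p["chain_validation"]:
        findings.append("chain-validation off: validation stops at the "
                        "peer certificate's issuer, not the root")
    for name, action in p["matches"]:
        if action == "skip revocation-check":
            findings.append("map %s: revocation checking bypassed" % name)
        elif action == "allow expired-certificate":
            findings.append("map %s: expired certificates accepted" % name)
    return findings


def check_revocation(order, probe):
    """Simulate 'revocation-check method1 [method2 [method3]]'.  A later
    method is consulted only when the previous one returned 'error' (server
    unreachable); probe(method) -> 'good' | 'revoked' | 'error'.
    Returns (accepted, reason)."""
    for method in order:
        if method == "none":
            return True, "none: revocation status not required"
        result = probe(method)
        if result == "good":
            return True, method + ": good"
        if result == "revoked":
            return False, method + ": revoked"
    return False, "all methods errored and no 'none' fallback: rejected"


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, lint_policy(parse_policy(cfg)) or ["no findings"])
    outage = lambda method: "error"       # every OCSP responder and CRL server down
    print("weak during outage:", check_revocation(["ocsp", "crl", "none"], outage))
    print("hardened during outage:", check_revocation(["ocsp", "crl"], outage))
```

Feed it the ca-trustpool section of show running-config from each router; the hardened sample produces no findings, the weak one produces four, and the outage simulation shows why the trailing none is the one to remove first.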

       

      Configuration Example for PKI Trustpool Management

      The following show crypto pki trustpool command output displays the certificates in the PKI trustpool:

      Note: The command output in this example is abridged because it is verbose.


      Router# show crypto pki trustpool
      
      CA Certificate
        Status: Available
        Version: 3
        Certificate Serial Number (hex): 00D01E474000000111C38A964400000002
        Certificate Usage: Signature
        Issuer: 
          cn=DST Root CA X3
          o=Digital Signature Trust Co.
        Subject: 
          cn=Cisco SSCA
          o=Cisco Systems
        CRL Distribution Points: 
          http://crl.identrust.com/DSTROOTCAX3.crl
        Validity Date: 
          start date: 12:58:31 PST Apr 5 2007
          end   date: 12:58:31 PST Apr 5 2012
      
      CA Certificate
        Status: Available
        Version: 3
        Certificate Serial Number (hex): 6A6967B3000000000003
        Certificate Usage: Signature
        Issuer: 
          cn=Cisco Root CA 2048
          o=Cisco Systems
        Subject: 
          cn=Cisco Manufacturing CA
          o=Cisco Systems
        CRL Distribution Points: 
          http://www.cisco.com/security/pki/crl/crca2048.crl
        Validity Date: 
          start date: 14:16:01 PST Jun 10 2005
          end   date: 12:25:42 PST May 14 2029
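
The added Python example below (not part of this guide and not Cisco IOS code) parses output in the format shown above, reports the certificate whose expiry drives the trustpool timer described in "PKI Trustpool Updating", lists certificates expiring within a window, and applies the rule from the Note in that section that a built-in certificate is rendered inactive when its subject matches a certificate in the downloaded bundle. The first sample is the output shown above; the second, a bundle that re-issues "Cisco Manufacturing CA", is constructed. Time-zone tokens are dropped, on the assumption that the router reports every date in one zone.

```python
import re
from datetime import datetime, timedelta

# Sample 1: the abridged "show crypto pki trustpool" output shown above.
SAMPLE_TRUSTPOOL = """\
CA Certificate
  Status: Available
  Certificate Serial Number (hex): 00D01E474000000111C38A964400000002
  Issuer:
    cn=DST Root CA X3
    o=Digital Signature Trust Co.
  Subject:
    cn=Cisco SSCA
    o=Cisco Systems
  CRL Distribution Points:
    http://crl.identrust.com/DSTROOTCAX3.crl
  Validity Date:
    start date: 12:58:31 PST Apr 5 2007
    end   date: 12:58:31 PST Apr 5 2012

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 6A6967B3000000000003
  Issuer:
    cn=Cisco Root CA 2048
    o=Cisco Systems
  Subject:
    cn=Cisco Manufacturing CA
    o=Cisco Systems
  CRL Distribution Points:
    http://www.cisco.com/security/pki/crl/crca2048.crl
  Validity Date:
    start date: 14:16:01 PST Jun 10 2005
    end   date: 12:25:42 PST May 14 2029
"""

# Sample 2 (constructed): a downloaded bundle that re-issues one of the
# built-in CAs under the same subject, with a later expiry.
SAMPLE_BUNDLE = """\
CA Certificate
  Status: Available
  Certificate Serial Number (hex): 0A
  Issuer:
    cn=Cisco Root CA 2048
    o=Cisco Systems
  Subject:
    cn=Cisco Manufacturing CA
    o=Cisco Systems
  Validity Date:
    start date: 00:00:00 UTC Jan 1 2020
    end   date: 00:00:00 UTC Jan 1 2040
"""

_DATE_RE = re.compile(r"(\d{2}:\d{2}:\d{2}) \w+ (\w{3} \d{1,2} \d{4})")
_SECTIONS = ("Issuer:", "Subject:", "CRL Distribution Points:", "Validity Date:")


def parse_ios_date(text):
    """Parse an IOS timestamp such as '12:58:31 PST Apr 5 2012'.  The zone
    token is dropped (assumption: the router reports every date in one zone)."""
    m = _DATE_RE.search(text)
    if not m:
        raise ValueError("unrecognised IOS date: %r" % text)
    return datetime.strptime(m.group(1) + " " + m.group(2), "%H:%M:%S %b %d %Y")


def parse_trustpool(output):
    """Split 'show crypto pki trustpool' output into one dict per CA certificate."""
    certs, cur, section = [], None, None
    for raw in output.splitlines():
        line = raw.strip()
        if line == "CA Certificate":
            cur = {"issuer": {}, "subject": {}, "cdp": []}
            certs.append(cur)
            section = None
        elif cur is None or not line:
            continue
        elif line.startswith("Certificate Serial Number (hex):"):
            cur["serial"] = line.split(":", 1)[1].strip()
        elif line.startswith("Status:"):
            cur["status"] = line.split(":", 1)[1].strip()
        elif line in _SECTIONS:
            section = line[:-1]
        elif line.startswith("start date:"):
            cur["not_before"] = parse_ios_date(line)
        elif re.match(r"end\s+date:", line):
            cur["not_after"] = parse_ios_date(line)
        elif section in ("Issuer", "Subject") and "=" in line:
            key, val = line.split("=", 1)
            cur[section.lower()][key.strip()] = val.strip()
        elif section == "CRL Distribution Points":
            cur["cdp"].append(line)
    return certs


def earliest_expiry(certs):
    """The certificate whose not_after drives the trustpool timer."""
    c = min(certs, key=lambda c: c["not_after"])
    return c["subject"]["cn"], c["not_after"]


def expiring_within(certs, now, days):
    """Subject cn of every certificate expiring within `days` of `now`."""
    limit = now + timedelta(days=days)
    return sorted(c["subject"]["cn"] for c in certs if c["not_after"] <= limit)


def inactive_after_update(builtin, bundle):
    """Built-in certificates rendered inactive by an update: those whose full
    X.509 subject matches a certificate in the bundle."""
    bundle_subjects = {tuple(sorted(c["subject"].items())) for c in bundle}
    return sorted(c["subject"]["cn"] for c in builtin
                  if tuple(sorted(c["subject"].items())) in bundle_subjects)


if __name__ == "__main__":
    pool = parse_trustpool(SAMPLE_TRUSTPOOL)
    print("trustpool timer:", earliest_expiry(pool))
    print("expiring within 90 days of 2012-02-01:",
          expiring_within(pool, datetime(2012, 2, 1), 90))
    print("inactive after bundle update:",
          inactive_after_update(pool, parse_trustpool(SAMPLE_BUNDLE)))
```

Pipe the real command output in from a scheduled collection and alert on expiring_within; the earliest_expiry value is the one to compare against the "Trustpool CA certificates will expire" line of show (ca-trustpool).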
      

      Additional References

      Technical Assistance

      Description: The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

      Link: http://www.cisco.com/cisco/web/support/index.html

      Feature Information for PKI Trustpool Management

      The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

      Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

      Table 1 Feature Information for PKI Trustpool Management

      Feature Name: PKI Trustpool Management

      Releases: 15.2(2)T, 15.1(1)SY

      Feature Information: This feature is used to authenticate sessions, such as HTTPS, that occur between devices by using commonly recognized trusted agents called certificate authorities (CAs). The Cisco IOS software uses the PKI Trustpool Management feature, which is enabled by default, to create a scheme to provision, store, and manage a pool of certificates from known CAs in a way similar to the services a browser provides for securing sessions.

      The following commands were introduced or modified: cabundle url, chain-validation (ca-trustpool), crypto pki trustpool import, crypto pki trustpool policy, crl, default (ca-trustpool), match certificate (ca-trustpool), ocsp, revocation-check (ca-trustpool), show (ca-trustpool), show crypto pki trustpool, source interface (ca-trustpool), storage, vrf (ca-trustpool).