Table Of Contents
Displaying SSL Certificate and Key Pair Information
Displaying CSR Parameter Set Configurations
Displaying the List of Certificate and Key Pair Files
Displaying Certificate Information
Displaying RSA Key Pair Information
Displaying Certificate Chain Group Information
Displaying SSL Certificate and Key Pair Information
This chapter describes the show commands available for displaying SSL-related information, such as the certificate and key pair files loaded on the ACE. The show commands display information associated with the context from which you execute the command. Each command described in this chapter also includes an explanation of the command output.
While the show commands are Exec mode commands, you can execute a show command from any configuration mode by using the do command. The following examples illustrate how to execute the show running-config command from either Exec mode or configuration mode.
From Exec mode, enter:
host1/Admin# show running-config
From configuration mode, enter:
host1/Admin(config)# do show running-config
This chapter contains the following major sections:
•
Displaying CSR Parameter Set Configurations
•Displaying the List of Certificate and Key Pair Files
•Displaying Certificate Information
•Displaying RSA Key Pair Information
•Displaying Certificate Chain Group Information
Displaying CSR Parameter Set Configurations
To display the CSR parameter set summary and detailed reports, use the show crypto csr-params command in Exec mode.
The syntax of this command is:
show crypto csr-params [params_set]
The optional params_set argument represents a specific CSR parameter set. Enter an unquoted alphanumeric string with a maximum of 64 characters. The ACE displays the detailed report for the specified CSR parameter set. The detailed report contains the distinguished name attributes of the CSR parameter set.
To display the summary report that lists all the CSR parameter sets for the current context, enter the command without specifying a CSR parameter set.
For example, to display the CSR parameter set summary report, enter:
host1/Admin# show crypto csr-params
The following example shows illustrates how to display the detailed report for the MYCSRCONFIG CSR parameter set:
host1/Admin# show crypto csr-params MTCSRCONFIG
Table 6-1 describes the fields in the show crypto csr-params output.
Table 6-1 Field Descriptions for the show crypto csr-params config_name Command
Field
|
Description
|
Country-name
|
Country where the certificate owner resides
|
State
|
State where the certificate owner resides
|
Locality
|
Locality where the certificate owner resides
|
Org-name
|
Name of the organization (certificate owner or subject)
|
Org-unit
|
Name of unit within the organization
|
Common-name
|
Common-name (domain name or individual host name of the SSL site)
|
Serial number
|
Serial number
|
Email
|
Email address
|
Displaying the List of Certificate and Key Pair Files
To display a list of all available certificate and key pair files, use the show crypto files command in Exec mode.
For example, to display the list of certificate and key pair files, enter:
host1/Admin# show crypto files
Table 6-2 describes the fields in the show crypto files output.
Table 6-2 Field Descriptions for the show crypto files Command
Field
|
Description
|
Filename
|
Name of the file containing the certificate or key pair
|
Size
|
Size of the file
|
Type
|
Format of the file: PEM, DER, or PKCS12
|
Exportable
|
Indicates if you can export the file from the ACE using the crypto export command:
•Yes—You can export the file to an FTP, SFTP, or TFP server (see the "Exporting Certificate and Key Pair Files" section in Chapter 2, Managing Certificates and Keys)
•No—You cannot export the file as it is protected
|
Key/Cert
|
Indicates whether the file contains a certificate (CERT), a key pair (KEY), or both (BOTH)
|
Displaying Certificate Information
To display the certificate summary and detailed reports, use the show crypto certificate command in Exec mode.
The syntax of this command is:
show crypto certificate {filename | all}
The keywords and arguments are:
•filename—Name of a specific certificate file. Enter an unquoted alphanumeric string with a maximum of 40 characters. The ACE displays the certificate detailed report for the specified file. If the certificate file contains a chain, the ACE displays only the bottom level certificate (the signers are not displayed).
•all—Displays the certificate summary report that lists all the certificate files for the current context.
For example, to display the certificate summary report, enter:
host1/Admin# show crypto certificate all
Table 6-3 describes the fields in the show crypto certificate all output.
Table 6-3 Field Descriptions for the show crypto certificate all Command
Field
|
Description
|
Certificate file
|
Name of the certificate file
|
Subject
|
Distinguished name of the organization that owns the certificate and possesses the private key
|
Issuer
|
Distinguished name of the Certificate Association (CA) that issued the certificate
|
Not Before
|
Starting time period, before which the certificate is not considered valid
|
Not After
|
Ending time period, after which the certificate is not considered valid
|
CA Cert
|
Certificate of the CA that signed the certificate
|
The following example illustrates how to display the detailed report for the MYCERT.PEM certificate file:
host1/Admin# show crypto certificate MYCERT.PEM
Table 6-4 describes the fields in the show crypto certificate filename output.
Table 6-4 Field Descriptions for the show crypto certificate filename Command
Field
|
Description
|
Certificate
|
Name of the certificate file.
|
Data
|
Version
|
Version of the X.509 standard. The certificate complies with this version of the standard.
|
Serial Number
|
Serial number associated with the certificate.
|
Signature Algorithm
|
Digital signature algorithm used for the encryption of information with a public/private key pair.
|
Issuer
|
Distinguished name of the CA that issued the certificate.
|
Validity
|
Not Before
|
Starting time period, before which the certificate is not considered valid.
|
Not After
|
Ending time period, after which the certificate is not considered valid.
|
Subject
|
Distinguished name of the organization that owns the certificate and possesses the private key.
|
Subject Public Key Info
|
Public Key Algorithm
|
Name of the key exchange algorithm used to generate the public key (for example, RSA).
|
RSA Public Key
|
Number of bits in the key to define the size of the RSA key pair used to secure Web transactions.
|
Modulus
|
Actual public key on which the certificate was built.
|
Exponent
|
One of the base numbers used to generate the key.
|
X509v3 Extensions
|
Array of X509v3 extensions added to the certificate.
|
X509v3 Basic Constraints
|
Indicates if the subject may act as a CA, with the certified public key being used to verify certificate signatures. If so, a certification path length constraint may also be specified.
|
Netscape Comment
|
Comment that may be displayed when the certificate is viewed.
|
X509v3 Subject Key Identifier
|
Identifies the public key being certified. It enables distinct keys used by the same subject to be differentiated (for example, as key updating occurs).
|
X509v3 Authority Key Identifier
|
Identifies the public key to be used to verify the signature on this certificate or CRL. It enables distinct keys used by the same CA to be distinguished (for example, as key updating occurs).
|
Signature Algorithm
|
Name of the algorithm used for digital signatures (but not for key exchanges).
|
Hex Numbers
|
Actual signature of the certificate. The client can regenerate this signature using the specified algorithm to make sure that the certificate data has not been changed.
|
Displaying RSA Key Pair Information
To display the key pair file summary and detailed reports, use the show crypto key command in Exec mode.
The syntax of this command is:
show crypto key {filename | all}
The keywords and arguments are:
•filename—Name of a specific key pair file. Enter an unquoted alphanumeric string with a maximum of 40 characters. The ACE displays the key pair detailed report for the specified file.
•all—Displays the key pair summary report that lists all of the available key pair files.
For example, to display the key pair summary report, enter:
host1/Admin# show crypto all
Table 6-5 describes the fields in the show crypto key output.
Table 6-5 Field Descriptions for the show crypto key Command
Field
|
Description
|
Filename
|
Name of the key pair file containing the RSA key pair
|
Bit Size
|
Size of the file
|
Type
|
Type of key exchange algorithm, such as RSA.
|
The following example illustrates how to display the detailed report for the public and private keys contained in the MYKEYS.PEM key pair file:
host1/Admin# show crypto key MYKEYS.PEM
Table 6-6 describes the fields in the show crypto key filename output.
Table 6-6 Field Descriptions for the show crypto key filename Command
Field
|
Description
|
Key Size
|
Size (in bits) of the RSA key pair.
|
Modulus
|
Hex value of the public key. The private key modulus is not shown for security purposes.
|
Displaying Certificate Chain Group Information
To display the chain group file summary and detailed reports, use the show crypto chaingroup command in Exec mode.
The syntax of this command is:
show crypto chaingroup {filename | all}
The keywords and arguments are:
•filename—Name of a specific chain group file. Enter an unquoted alphanumeric string with a maximum of 64 characters. The ACE displays the chain group detailed report for the specified file. The detailed report contains a list of the certificates configured for the chain group.
•all—Displays the chain group summary report that lists each of the available chain group files. The summary report also lists the certificates configured for each chain group.
For example, to display the chain group summary report, enter:
host1/Admin# show crypto chaingroup all
The following example illustrates how to display the detailed report of the certificates configured for the MYCERTGROUP chain group:
host1/Admin# show crypto chaingroup MYCERTGROUP
Table 6-7 describes the fields in the output of the detailed chain group report.
Table 6-7 Field Descriptions for the show crypto chaingroup Command
Field
|
Description
|
Certificate
|
Certificate file name
|
Subject
|
Distinguished name of the organization that owns the certificate and possesses the private key
|
Issuer
|
Distinguished name of the CA that issued the certificate
|
