The IOS Performance Monitoring and Optimization feature provides a way to characterize performance within the Public Key Infrastructure (PKI) subsystem and to debug and analyze PKI performance-related issues.
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About IOS PKI Performance Monitoring and Optimization
When PKI applications are deployed in an environment that scales, they can create problems that are difficult to identify and debug. Traditional use of debug commands may be less effective in this operating environment. The IOS PKI Performance Monitoring and Optimization feature provides an efficient way to gather data and report on PKI operations in order to identify performance-related issues.
The IOS PKI Performance Monitoring and Optimization feature enables you to collect the following types of PKI performance data:
Time to validate entire certificate chain.
Time to verify each certificate.
Time to check revocation status for each certificate.
Time to fetch certificate revocation list (CRL) database for each fetch location.
Time to fetch Simple Certificate Enrollment Protocol (SCEP) method capabilities to retrieve the CRL.
Time to process each CRL.
Time to process the Online Certificate Status Protocol (OCSP) response. OCSP is a certificate revocation mechanism.
Time to fetch Authentication, Authorization, and Accounting (AAA).
CRL size.
Validation result.
Validation Bypass (pubkey cached).
Method used to fetch a CRL.
PKI session identifier.
Crypto engine used (hardware, software, etoken).
How to Configure IOS PKI Performance Monitoring and Optimization
Use this task to start, stop and verify IOS PKI performance monitoring and optimization data.
SUMMARY STEPS
1. enable
2. crypto pki benchmark start limit [wrap]
3. crypto pki benchmark stop
4. show crypto pki benchmarks [failures]
5. clear crypto pki benchmarks
DETAILED STEPS
Command or Action
Purpose
Step 1
enable
Example:
Router> enable
Enables privileged EXEC mode.
Enter your password if prompted.
Step 2
crypto pki benchmark start limit [wrap]
Example:
Router# crypto pki benchmark start 20 wrap
Enables PKI benchmarking.
The limit argument states the number of records from 0 to 9990 that can be stored for the benchmarking session. A limit of 0 indicates an unlimited number of records can be stored.
(Optional) The wrap keyword specifies a continuous flow of records. Once the maximum number of records is gathered, they are released and a new set of records is generated. If the wrap keyword is not specified, then benchmarking stops once the limit for the maximum number of records has been reached.
Step 3
crypto pki benchmark stop
Example:
Router# crypto pki benchmark stop
Terminates PKI benchmarking data collection.
Step 4
show crypto pki benchmarks [failures]
Example:
Router# show crypto pki benchmarks
Displays the PKI benchmarking data that was collected.
(Optional) Select the failures keyword to only display validation failures.
Step 5
clear crypto pki benchmarks
Example:
Router# clear crypto pki benchmarks
Clears the PKI benchmarking data and releases all memory used.
Configuration Examples for IOS PKI Performance Monitoring and Optimization
The following example shows output from the show crypto pki benchmarks command for all PKI benchmarking data:
Router# show crypto pki benchmarks
Session Descriptor: 10008
Validation Start: 22:58:45.704 GMT Tue Oct 13 2009
Validation Duration: 14 ms
Pubkey Bypass: no
Validation Result: Success
Certificates To Validate: 1
Revocation for certificate 1
Cert Index: 0
Start: 22:58:45.714 GMT Tue Oct 13 2009
Duration: 3 ms
SCEP Capabilities: Skipped
Session Descriptor: 10007
Validation Start: 22:54:38.969 GMT Tue Oct 13 2009
Validation Duration: 14 ms
Pubkey Bypass: no
Validation Result: Success
Certificates To Validate: 1
Revocation for certificate 1
Cert Index: 0
Start: 22:54:38.979 GMT Tue Oct 13 2009
Duration: 3 ms
SCEP Capabilities: Skipped
SCEP Capabilities Duration: 0 ms
Session Descriptor: 10006
Validation Start: 21:52:08.616 GMT Tue Oct 13 2009
Validation Duration: 5 ms
Pubkey Bypass: yes
Validation Result: Success
Session Descriptor: 10005
Validation Start: 23:42:12.925 GMT Tue Oct 13 2009
Validation Duration: 5 ms
Pubkey Bypass: yes
Session Descriptor: 10004
Validation Start: 23:42:10.614 GMT Tue Oct 13 2009
Validation Duration: 5 ms
Pubkey Bypass: yes
Validation Result: Success
Session Descriptor: 10003
Validation Start: 23:42:09.540 GMT Tue Oct 13 2009
Validation Duration: 5 ms
Pubkey Bypass: yes
Validation Result: Success
Session Descriptor: 10002
Validation Start: 23:42:06.699 GMT Tue Oct 13 2009
Validation Duration: 53 ms
Pubkey Bypass: no
Validation Result: Success
Certificates To Validate: 1
Revocation for certificate 1
Cert Index: 0
Start: 23:42:06.707 GMT Tue Oct 13 2009
Duration: 44 ms
CRL Fetch - HTTP Start: 23:42:06.707 GMT Tue Oct 13 2009
CRL Fetch - HTTP Duration: 31 ms
CRL Insert Start: 23:42:06.740 GMT Tue Oct 13 2009
CRL Insert Duration: 8 ms
CRL Size: 3892
SCEP Capabilities Start: 23:42:06.709 GMT Tue Oct 13 2009
SCEP Capabilities Duration: 7 ms
Session Descriptor: 10001
Validation Start: 20:47:14.860 GMT Thu Sep 24 2009
Validation Duration: 57 ms
Pubkey Bypass: no
Validation Result: Failed
Certificates To Validate: 1
Revocation for certificate 1
Cert Index: 0
Start: 20:47:14.868 GMT Thu Sep 24 2009
Duration: 49 ms
CRL Fetch - HTTP Start: 20:47:14.868 GMT Thu Sep 24 2009
CRL Fetch - HTTP Duration: 37 ms
SCEP Capabilities Start: 20:47:14.870 GMT Thu Sep 24 2009
SCEP Capabilities Duration: 11 ms
Example Displaying Only Failures in PKI Benchmarking Data
The following example shows output from the show crypto pki benchmark failures command, which displays only failures in the PKI benchmarking data:
Router# show crypto pki benchmark failures
Session Descriptor: 10001
Validation Start: 20:47:14.860 GMT Thu Sep 24 2009
Validation Duration: 57 ms
Pubkey Bypass: no
Validation Result: Failed
Certificates To Validate: 1
Revocation for certificate 1
Cert Index: 0
Start: 20:47:14.868 GMT Thu Sep 24 2009
Duration: 49 ms
CRL Fetch - HTTP Start: 20:47:14.868 GMT Thu Sep 24 2009
CRL Fetch - HTTP Duration: 37 ms
SCEP Capabilities Start: 20:47:14.870 GMT Thu Sep 24 2009
SCEP Capabilities Duration: 11 ms
Example Displaying a Section Filter in PKI Benchmarking Data
The following example shows output from the show crypto pki benchmark command with a section filter applied to the PKI benchmarking data:
Router# show crypto pki benchmark | section Revocation
Revocation Check for Certificate 1 of 1
Start: 20:47:29.063 GMT Wed Oct 27 2010
Duration: 714 ms
Revocation Check for Certificate 1 of 1
Start: 20:49:15.076 GMT Wed Oct 27 2010
Duration: 6 ms
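As an added example (not Cisco code and not part of the original document), the following Python code parses the show crypto pki benchmarks output format shown above and flags sessions that did not validate successfully or whose revocation check took most of a slow validation. The function names, the 50 ms slow_ms threshold, and the one-certificate-per-session simplification are assumptions; the sample is excerpted from the example output above.

```python
import re

# Excerpt of three records from the example output above (timestamp lines omitted).
SAMPLE = """\
Session Descriptor: 10006
Validation Duration: 5 ms
Pubkey Bypass: yes
Validation Result: Success
Session Descriptor: 10002
Validation Duration: 53 ms
Validation Result: Success
Revocation for certificate 1
Duration: 44 ms
CRL Fetch - HTTP Duration: 31 ms
CRL Size: 3892
Session Descriptor: 10001
Validation Duration: 57 ms
Validation Result: Failed
Revocation for certificate 1
Duration: 49 ms
CRL Fetch - HTTP Duration: 37 ms
"""

def parse_benchmarks(text):
    """Split benchmark output into one dict of fields per session."""
    sessions = []
    for line in text.splitlines():
        m = re.match(r"\s*(.+?):\s+(.*)$", line)
        if not m:
            continue  # prompt line or "Revocation for certificate N" header
        key, value = m.group(1), m.group(2).strip()
        if key == "Session Descriptor":
            sessions.append({"id": value})
        elif sessions:
            num = re.fullmatch(r"(\d+)(?: ms)?", value)
            # Assumption: one certificate per session, so the bare "Duration" key is unique.
            sessions[-1][key] = int(num.group(1)) if num else value
    return sessions

def triage(sessions, slow_ms=50):
    """Return (session id, finding) pairs; slow_ms is an illustrative threshold."""
    findings = []
    for s in sessions:
        if s.get("Validation Result") != "Success":
            findings.append((s["id"], f"validation result: {s.get('Validation Result', 'missing')}"))
        total, rev = s.get("Validation Duration", 0), s.get("Duration", 0)
        if total >= slow_ms and rev * 2 > total:
            findings.append((s["id"], f"revocation check took {rev} of {total} ms"))
    return findings
```

Calling triage(parse_benchmarks(output)) on captured output returns the sessions to review first; sessions validated through the cached public key carry no revocation fields and are parsed without them.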
Feature Information for IOS PKI Performance Monitoring and Optimization
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Table 1 Feature Information for IOS PKI Performance Monitoring and Optimization
Feature Name
Releases
Feature Information
IOS PKI Performance Monitoring and Optimization
15.1(3)T
The IOS Performance Monitoring and Optimization feature provides a way to characterize performance within the Public Key Infrastructure (PKI) subsystem and to debug and analyze PKI performance-related issues.
This feature was introduced in Cisco IOS Release 15.1(3)T.
The following commands were introduced or modified: crypto pki benchmark, show crypto pki benchmarks, clear crypto pki benchmarks.