Public Key Infrastructure Configuration Guide, Cisco IOS Release 15MT
PKI Trustpool Management
Download this chapter
PKI Trustpool ManagementPKI Trustpool Management
Download the complete book
Public Key Infrastructure Configuration Guide, Cisco IOS Release 15MTPublic Key Infrastructure Configuration Guide, Cisco IOS Release 15MT (PDF - 5 MB)
 Feedback

PKI Trustpool Management

The PKI Trustpool Management feature is used to authenticate sessions, such as HTTPS, that occur between devices by using commonly recognized trusted agents called certificate authorities (CAs). The Cisco IOS software uses the PKI Trustpool Management feature, which is enabled by default, to create a scheme to provision, store, and manage a pool of certificates from known CAs in a way similar to the services a browser provides for securing sessions.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Prerequisites for PKI Trustpool Management

The use of certificates requires that a crypto subsystem is included in the Cisco IOS software image.

Restrictions for PKI Trustpool Management

Device certificates that use CA certificates cannot be enrolled in a PKI trustpool.

Information About PKI Trustpool Management

CA Certificate Storage in a PKI Trustpool

The router uses a built-in CA certificate bundle that is contained in a special certificate store called a PKI trustpool, which is updated automatically from Cisco. This PKI trustpool is known by Cisco and other vendors. A CA certificate bundle can be in the following formats:

  • X.509 certificates in Distinguished Encoding Rules (DER) binary format enveloped within a public-key cryptographic message syntax standard 7 (pkcs7), which is used to sign and encrypt messages under a PKI. An X.509 certificate is a PKI and Privilege Management Infrastructure (PMI) standard that specifies, among other things, standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.
  • A file containing concatenated X.509 certificates in Privacy Enhanced Mail (PEM) format with PEM headers.

PKI Trustpool Updating

The PKI trustpool is treated as a single entity that needs to be updated when the following conditions occur:

  • A certificate in the PKI trustpool is due to expire or has been reissued.
  • The published CA certificate bundle contains additional trusted certificates that are needed by a given application.
  • The configuration has been corrupted.

Note

A built-in certificate in the PKI trustpool cannot be physically replaced. However, a built-in certificate is rendered inactive after an update if its X.509 subject-name attribute matches the certificate in the CA certificate bundle.

The PKI trustpool can be updated automatically or manually. The PKI trustpool may be used by certficate validation depending upon the application using it. See the "Manually Updating Certificates in the PKI Trustpool" and "Configuring Optional PKI Trustpool Policy Parameters" sections for more information.

The PKI trustpool timer matches the CA certificate with the earliest expiration time. If the timer is running and a bundle location is not configured and not explicitly disabled, syslog warnings are issued to alert the administrator that the PKI trustpool policy option is not set.

Automatic PKI trustpool updates use the configured URL.

When the PKI trustpool expires, the policy is read, the bundle is loaded, and the PKI trustpool is replaced. If the automatic PKI trustpool update encounters problems when initiating, then the following schedule is used to initiate the update until the download is successful: 20 days, 15 days, 10 days, 5 days, 4 days, 3 days, 2 days, 1 day, and then once every hour.

CA Handling in Both the PKI Trustpool and a Trustpoint

There may be circumstances where a CA resides in both the PKI trustpool and a trustpoint; for example, a trustpoint is using a CA and a CA bundle is downloaded later with this same CA inside. In this scenario, the CA in the trustpoint and the policy of this trustpoint is considered before the CA in the PKI trustpool or PKI trustpool policy to ensure that any current behavior is not altered when the PKI Trustpool Management feature is implemented on the router.

How to Configure PKI Trustpool Management

Manually Updating Certificates in the PKI Trustpool

The PKI Trustpool Management feature is enabled by default and uses the built-in CA certificate bundle in the PKI trustpool, which receives automatic updates from Cisco. Perform this task to manually update certificates in the PKI trustpool if they are not current, are corrupt, or if certain certificates need to be updated.

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    crypto pki trustpool import clean [terminal | url url]

    4.    crypto pki trustpool import {terminal | url url}

    5.    exit

    6.    show crypto pki trustpool


DETAILED STEPS
     Command or ActionPurpose
    Step 1 enable


    Example:
    Router> enable
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.
     
    Step 2 configure terminal


    Example:
    Router# configure terminal
     

    Enters global configuration mode.

     
    Step 3 crypto pki trustpool import clean [terminal | url url]


    Example:
    Router(config)# crypto pki trustpool import clean
     
    (Optional) Manually removes all downloaded PKI CA certificates.
    • The clean keyword specifies the removal of the downloaded PKI trustpool certificates before the new new certificates are downloaded. Use the optional terminal keyword to remove the existing CA certificate bundle terminal setting or the url keyword and url argument to remove the existing URL file system setting.
     
    Step 4 crypto pki trustpool import {terminal | url url}


    Example:
    Router(config)# crypto pki trustpool import url http://www.cisco.com/security/pki/trs/ios.p7b
     
    Manually imports (downloads) the CA certificate bundle into the PKI trustpool to update or replace the existing CA certificate bundle.
    • The terminal keyword specifies the importation of a CA certificate bundle through the terminal (cut-and-paste) in PEM format.
    • The url keyword with the url argument specifies the importation of a CA certificate bundle through a URL. This URL can be through a variety of URL file systems such as HTTP. See the "PKI Trustpool Updating" section for more information.
     
    Step 5exit


    Example:
    Router(config)# exit
     

    Exits global configuration mode.

     
    Step 6show crypto pki trustpool


    Example:
    Router(config)# show crypto pki trustpool
     

    Displays the PKI trustpool certificates of the router in a verbose format.

     

    Configuring Optional PKI Trustpool Policy Parameters

    SUMMARY STEPS

      1.    enable

      2.    configure terminal

      3.    crypto pki trustpool policy

      4.    cabundle url {url | none}

      5.    chain-validation

      6.    crl {cache {delete-after {minutes | none} | query url}

      7.    default command-name

      8.    match certificate certificate-map-name [allow expired-certificate | override {cdp directory ldap-location | ocsp {number url url | trustpool name number url url} | sia number url} | skip [revocation-check | authorization-check]]

      9.    ocsp {disable-nonce | url url}

      10.    revocation-check method1 [method2 [method3]]

      11.    source interface name number

      12.    storage location

      13.    vrf vrf-name

      14.    show


    DETAILED STEPS
       Command or ActionPurpose
      Step 1 enable


      Example:
      Router> enable
       

      Enables privileged EXEC mode.

      • Enter your password if prompted.
       
      Step 2 configure terminal


      Example:
      Router# configure terminal
       

      Enters global configuration mode.

       
      Step 3 crypto pki trustpool policy


      Example:
      Router(config)# crypto pki trustpool policy
Router(ca-trustpool)#
       

      Enters ca-trustpool configuration mode where commands can be accessed to configure CA PKI trustpool policy parameters.

       
      Step 4 cabundle url {url | none}


      Example:
      Router(ca-trustpool)# cabundle url http://www.cisco.com/security/pki/crl/crca2048.crl
       

      Specifies the URL from which the PKI trustpool certificate authority CA certificate bundle is downloaded .

      • The url argument is the URL of the CA certificate bundle.
      • The none keyword specifies that autoupdates of the PKI trustpool CA are not permitted.
       
      Step 5chain-validation


      Example:
      Router(ca-trustpool)# chain-validation
       

      Enables chain validation from the peer's certificate to the root CA certificate in the PKI trustpool. The default has validation stopping at the peer certificate's issuer.

       
      Step 6crl {cache {delete-after {minutes | none} | query url}


      Example:
      Router(ca-trustpool)# crl query http://www.cisco.com/security/pki/crl/crca2048.crl
       
      Specifies the certificate revocation list (CRL) query and CRL cache options for the PKI trustpool.
      • The cache keyword specifies CRL cache options.
      • The delete-after keyword removes the CRL from the cache after a timeout.
      • The minutes argument is the number of minutes from 1 to 43,200 to wait before deleting the CRL from the cache.
      • The none keyword specifies that CRLs are not cached.
      • The query keyword with the url argument specifies the URL published by the CA server to query the CRL.
       
      Step 7default command-name


      Example:
      Router(ca-trustpool)# default crl query http://www.cisco.com/security/pki/crl/crca2048.crl
       
      Resets the value of a ca-trustpool configuration subcommand to its default .
      • The command-name argument is the ca-trustpool configuration mode command with its applicable keywords.
       
      Step 8match certificate certificate-map-name [allow expired-certificate | override {cdp directory ldap-location | ocsp {number url url | trustpool name number url url} | sia number url} | skip [revocation-check | authorization-check]]


      Example:
      match certificate mycert override ocsp 1 url http://ocspts.identrust.com
       
      Enables the use of certificate maps for the PKI trustpool.
      • The certifcate-map-name argument matches the certificate map name.
      • The optional allow expired-certificate keyword ignores expired certificates.
        Note   

        If this keyword is not configured, the router does not ignore expired certificates.

      • The override keyword overrides the online certificate status protocol (OCSP) or SubjectInfoAccess (SIA) attribute fields in a certificate that is in the PKI trustpool.
      • The cdp keyword overrides the certificate distribution point (CDP) in a certificate.
      • The directory keyword and ldap-location specifies the CDP in either the http: or ldap: URL, or LDAP directory to override in the certificate.
      • The ocsp keyword and number argument and url keyword and url argument specifies the OCSP sequence number from 0 to 10000 and URL to override in the certificate.
      • The trustpool keyword and name and number arguments with the url keyword and url argument override the PKI trustpool for verifying the OCSP certificate by specifying the PKI trustpool name, sequence number, and URL.
      • The sia keyword and number and url arguments override the SIA URL in a certificate by specifying the SIA sequence number and URL.
      • The optional skip revocation-check keyword combination allows the PKI trustpool to enforce certificate revocation lists (CRLs) except for specific certificates.
        Note   

        If this keyword combination is not configured, then the PKI trustpool enforces CRLs for all certificates.

      • The optional skip authorization-check keyword combination skips the authentication, authorization, and accounting (AAA) check of a certificate when public key infrastructure (PKI) integration with an AAA server is configured.
        Note   

        If this keyword combination is not configured, and PKI integration with an AAA server is configured, then the AAA checking of a certificate is done.

       
      Step 9ocsp {disable-nonce | url url}


      Example:
      Router(ca-trustpool)# ocsp url http://ocspts.identrust.com
       
      Specifies OCSP settings for the PKI trustpool.
      • The disable-nonce keyword disables the OCSP Nonce extension.
      • The url keyword and url argument specify the OCSP server URL to override (if one exists) in the Authority Info Access (AIA) extension of the certificate. All certificates associated with a configured PKI trustpool are checked by the OCSP server at the specified HTTP URL. The URL can be a hostname, IPv4 address, or an IPv6 address.
       
      Step 10revocation-check method1 [method2 [method3]]


      Example:
      Router(ca-trustpool)# revocation-check ocsp crl none
       
      Disables revocation checking when the PKI trustpool policy is being used. The method argument is used by the router to check the revocation status of the certificate. Available keywords are as follows:
      • crl--Certificate checking is performed by a certificate revocation list (CRL). This is the default behavior.
      • none--Certificate checking is not required.
      • ocsp--Certificate checking is performed by an online certificate status protocol (OCSP) server.

      If a second and third method are specified, each method is used only if the previous method returns an error, such as a server being down.

       
      Step 11source interface name number


      Example:
      Router(ca-trustpool)# source interface tunnel 1
       
      Specifies the source interface to be used for CRL retrieval, OCSP status, or the downloading of a CA certificate bundle for the PKI trustpool .
      • The name and numberarguments are for the interface type and number used as the source address for the PKI trustpool.
       
      Step 12storage location


      Example:
      Router(ca-trustpool)# storage storage disk0:crca2048.crl
       
      Specifies a file system location where PKI trustpool certificates are stored on the router.
      • The location is the file system location where the PKI trustpool certificates are stored. The types of file system locations are disk0:, disk1:, nvram:, unix:, or a named file system.
       
      Step 13vrf vrf-name


      Example:
      Router(ca-trustpool)# vrf myvrf
       

      Specifies the VPN routing and forwarding (VRF) instance to be used for enrolment, CRL retrieval, and OCSP status.

       
      Step 14show


      Example:
      Router(ca-trustpool)# show

Chain validation will stop at the first CA certificate in the pool
   Trustpool CA certificates will expire 12:58:31 PST Apr 5 2012
   Trustpool policy revocation order:      crl 
   Certficate matching is disabled
   Policy Overrides:
       

      Displays the PKI trustpool policy of the router.

       

      Configuration Example for PKI Trustpool Management

      The following show crypto pki trustpool command output displays the certificates in PKI trustpool:


      Note

      The command output in this example is abridged because it is verbose. 

      Router# show crypto pki trustpool

CA Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 00D01E474000000111C38A964400000002
  Certificate Usage: Signature
  Issuer: 
    cn=DST Root CA X3
    o=Digital Signature Trust Co.
  Subject: 
    cn=Cisco SSCA
    o=Cisco Systems
  CRL Distribution Points: 
    http://crl.identrust.com/DSTROOTCAX3.crl
  Validity Date: 
    start date: 12:58:31 PST Apr 5 2007
    end   date: 12:58:31 PST Apr 5 2012

CA Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 6A6967B3000000000003
  Certificate Usage: Signature
  Issuer: 
    cn=Cisco Root CA 2048
    o=Cisco Systems
  Subject: 
    cn=Cisco Manufacturing CA
    o=Cisco Systems
  CRL Distribution Points: 
    http://www.cisco.com/security/pki/crl/crca2048.crl
  Validity Date: 
    start date: 14:16:01 PST Jun 10 2005
    end   date: 12:25:42 PST May 14 2029

      Additional References

      Related Documents

      Related Topic

      Document Title

      Cisco IOS commands

      Cisco IOS Master Commands List, All Releases

      Security commands

      Technical Assistance

      Description

      Link

      The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

      http:/​/​www.cisco.com/​cisco/​web/​support/​index.html

      Feature Information for PKI Trustpool Management

      The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

      Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

      Table 1 Feature Information for PKI Trustpool Management

      Feature Name

      Releases

      Feature Information

      PKI Trustpool Management

      15.2(2)T

      15.1(1)SY

      This feature is used to authenticate sessions, such as HTTPS, that occur between devices by using commonly recognized trusted agents called certificate authorities (CAs). The Cisco IOS software uses the PKI Trustpool Management feature, which is enabled by default, to create a scheme to provision, store, and manage a pool of certificates from known CAs in a way similar to the services a browser provides for securing sessions.

      The following commands were introduced or modified: cabundle url, chain-validation (ca-trustpool), crypto pki trustpool import, crypto pki trustpool policy, crl, default (ca-trustpool), match certificate (ca-trustpool), ocsp, revocation-check (ca-trustpool), show (ca-trustpool), show crypto pki trustpool, source interface (ca-trustpool), storage, vrf (ca-trustpool).