Table Of Contents
Implementing and Managing PKI Features Roadmap
First Published: May 2, 2005Last Updated: March 31, 2011
This roadmap lists the public key infrastructure (PKI) features that are documented in the Cisco IOS Security Configuration Guide: Secure Connectivity and maps them to the modules in which they appear. For any feature, click the link in the "Where Documented" column to view the module that contains information about the feature.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for <Phrase Based on Module Title>" section on page 7.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
PKI Feature and Release Support
Table 1 lists PKI feature support for the following Cisco IOS software release trains: Cisco IOS Releases 12.2T, 12.3, and 12.3T.
Only features that were introduced or modified in Cisco IOS Release 12.2(1) or a later release appear in the table. Not all features may be supported in your Cisco IOS software release.
Table 1 Supported PKI Features
Release Feature Name Feature Description Where Documented
Administrative Secure Device Provisioning Introducer
This feature lets you act as an administrative introducer to introduce a device into a PKI network and then provide a username as the device name for the record locator in the AAA database.
Persistent Self-Signed Certificates
This feature allows users of the HTTPS server to generate and save self-signed certificates in the router's startup configuration. Thus, future SSL handshakes between the client and the HTTPS server can use the same self-signed certificate without user intervention.
Secure Device Provisioning Certificate-Based Authorization
This feature allows certificates issued by other authority (CA) servers to be used for SDP introductions.
Subordinate Certificate Server
This enhancement lets you configure a subordinate certificate server to grant all or certain SCEP or manual certificate requests.
This feature lets you store RSA keys on a device external to the router via a USB eToken. The SmartCard technology (which is owned by Aladdin Knowledge Systems) in a USB key form factor (also called a USB eToken) provides secure configuration distribution and lets users store PKI credentials, such as RSA keys, for deployment.
Certificate Server Auto Archive
This enhancement enables the CA certificate and CA key to be backed up automatically just once after they are generated by the certificate server. As a result, you do not need to generate an exportable CA key if CA backup is desirable.
PKI AAA Authorization Using the Entire Subject Name
This feature lets users query the AAA server using the entire subject name from the certificate as a unique AAA username.
This feature adds the status keyword to the show crypto pki trustpoints command, which lets you view the current status of the trustpoint. Before this feature, you had to issue the show crypto pki certificates and the show crypto pki timers commands for the current status.
Re-Enroll Using Existing Certificates
This feature lets users re-enroll a router with a Cisco IOS CA via existing certificates from a third-party vendor CA.
Easy Secure Device Deployment
This feature introduces support for SDP (formerly called EzSDD), which offers a web-based enrollment interface that lets network administrators deploy new devices in large networks.
Easy Secure Device Deployment AAA Integration
This feature integrates an external AAA database, which allows the introducer to be authenticated against a AAA database instead of using the enable password of the local Cisco certificate server.
Certificate Server Registration Authority (RA) Mode
A certificate server can be configured to run in RA mode.
The crypto pki commands should be a synonym for crypto ca commands
This enhancement changes all commands that begin as crypto ca to crypto pki. Although the router still accepts crypto ca commands, all output is read back as crypto pki commands.
All modules that contain crypto ca commands.
Key Rollover for Certificate Renewal
This feature allows the certificate renewal request to be made before a certificate expires. The old key and certificate is retained until the new certificate is available.
PKI: Query Multiple Servers During Certificate Revocation Check
This feature lets Cisco IOS software make multiple attempts to retrieve the CRL, which allows operations to continue when a particular server is not available. Also, this feature lets you override the CDPs in a certificate with a manually configured CDP.
Manually overriding the CDPs in a certificate can be advantageous when a particular server is unavailable for a long period of time. The certificate's CDPs can be replaced with a URL or directory specification without reissuing all of the certificates that contain the original CDP.
Protected Private Key Storage
This feature lets a user encrypt and lock the RSA private keys that are used on a Cisco IOS router, which prevents unauthorized use of the private keys.
"Deploying RSA Keys Within a PKI" module
Import of RSA Key Pairs and Certificates in PEM Format
This feature lets users use PEM-formatted files to import or export RSA key pairs. PEM-formatted files let customers directly use existing RSA key pairs on their Cisco IOS routers instead of generating new keys. Also, users can issue certificate requests and receive issued certificates in PEM-formatted files.
Using Certificate ACLs to Ignore Revocation Check and Expired Certificates
This feature allows a certificate that meets specified criteria to be accepted regardless of the validity period of the certificate, or if the certificate meets the specified criteria, revocation checking does not have to be performed.
Certificate ACLs are used to specify the criteria that the certificate must meet to be accepted or to avoid revocation checking. In addition, if AAA communication is protected by a certificate, this feature allows the AAA checking of the certificate to be ignored.
Cisco IOS Certificate Server
This feature introduces support for the Cisco IOS CS, which offers users a CA that is directly integrated with Cisco IOS software to deploy basic PKI networks more easily.
Direct HTTP Enrollment with CA Servers
This feature lets users configure an enrollment profile if their CA server does not support SCEP and they do not want to use an RA as a proxy. The enrollment profile lets users send HTTP requests directly to the CA server instead of the RA proxy.
Online Certificate Status Protocol (OCSP)
This feature lets users enable OCSP instead of CRLs to check certificate status. Unlike CRLs, which provide only periodic certificate status, OCSP can provide timely information regarding the status of a certificate.
PKI Integration with AAA Server
This feature provides additional scalability for authorization by generating a AAA username from the certificate presented by the peer. A AAA server is queried to determine whether the certificate is authorized for use by the internal component. The authorization is indicated by a component-specified label that must be present in the AV pair for the user.
Certificate Security Attribute-Based Access Control
Under the IPsec protocol, CA interoperability permits a Cisco IOS device and a CA to communicate so that the device can obtain and use digital certificates from the CA.
Certificates contain several fields that are used to determine whether a device or user is authorized to perform a specified action. This feature adds fields to the certificate that allow specifying an ACL in order to create a certificate-based ACL.
Exporting and Importing RSA Keys
This feature lets you transfer security credentials between devices by exporting and importing RSA keys. The key pair that is shared between two devices allows one device to immediately and transparently take over the functionality of the other router.
"Deploying RSA Keys Within a PKI" module
Multiple-Tier CA Hierarchy
This enhancement lets users set up a PKI in a hierarchical framework to support multiple CAs. Within a hierarchical PKI, all enrolled peers can validate the certificate of one another as long as the peers share a trusted root CA certificate or a common subordinate CA.
Manual Certificate Enrollment (TFTP Cut-and-Paste)
This feature lets users generate a certificate request and accept CA certificates as well as the router's certificates via a TFTP server or manual cut-and-paste operations.
This feature introduces certificate autoenrollment, which lets the router automatically request a certificate from the CA that is using the parameters in the configuration.
Certificate Enrollment Enhancements
This feature introduces five new crypto pki trustpoint subcommands that provide new options for certificate requests and let users specify fields in the configuration instead of going through prompts.
Multiple RSA Key Pair Support
This feature lets users configure a router to have multiple RSA key pairs. Thus, the Cisco IOS software can maintain a different key pair for each identity certificate.
"Deploying RSA Keys Within a PKI" module
This feature introduces the crypto pki trustpoint command, which adds support for trustpoint CAs.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2005, 2010 Cisco Systems, Inc. All rights reserved.