Cisco IOS Security Configuration Guide: Secure Connectivity, Release 12.4
Implementing and Managing PKI Features Roadmap



This roadmap lists the features documented in the Cisco IOS Security Configuration Guide: Secure Connectivity and maps them to the modules in which they appear.

Roadmap History

This roadmap was first published on May 2, 2005, and last updated on May 2, 2005.

Feature and Release Support

Table 56 lists public key infrastructure (PKI) feature support for the following Cisco IOS software release trains:

Cisco IOS Releases 12.2T, 12.3, and 12.3T

Only features that were introduced or modified in Cisco IOS Release 12.2(1) or a later release appear in the table. Not all features may be supported in your Cisco IOS software release.

Cisco IOS software images are specific to a Cisco IOS software release, a feature set, and a platform. Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.


Note: Table 56 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.


Table 56 Supported PKI Features

Columns: Release, Feature Name, Feature Description, Where Documented

Cisco IOS Releases 12.2T, 12.3, and 12.3T

Release: 12.3(14)T
Feature Name: Administrative Secure Device Provisioning Introducer
Feature Description: This feature allows you to act as an administrative introducer to introduce a device into a PKI network and then provide a username as the device name for the record locator in the AAA database.
Where Documented: "Setting Up Secure Device Provisioning (SDP) for Enrollment in a PKI"

Release: 12.3(14)T
Feature Name: Persistent Self-Signed Certificates
Feature Description: This feature allows the HTTPS server to generate and save a self-signed certificate in the router's startup configuration. Thus, future SSL handshakes between the client and the HTTPS server can use the same self-signed certificate without user intervention.
Where Documented: "Configuring Certificate Enrollment for a PKI"

Release: 12.3(14)T
Feature Name: Secure Device Provisioning Certificate-Based Authorization
Feature Description: This feature allows certificates issued by other certification authority (CA) servers to be used for SDP introductions.
Where Documented: "Setting Up Secure Device Provisioning (SDP) for Enrollment in a PKI"

Release: 12.3(14)T
Feature Name: Subordinate Certificate Server
Feature Description: This enhancement allows you to configure a subordinate certificate server to grant all or certain SCEP or manual certificate requests.
Where Documented: "Configuring and Managing a Cisco IOS Certificate Server for PKI Deployment"

Release: 12.3(14)T
Feature Name: USB Storage
Feature Description: This feature explains how to store RSA keys on a device external to the router via a USB eToken. The SmartCard technology (which is owned by Aladdin Knowledge Systems) in a USB key form factor (also referred to as a USB eToken) provides secure configuration distribution and allows users to store PKI credentials, such as RSA keys, for deployment.
Where Documented: "Storing PKI Credentials External to the Router"

Release: 12.3(11)T
Feature Name: The Certificate Server Auto Archive enhancement
Feature Description: This enhancement enables the CA certificate and CA key to be backed up automatically just once after they are generated by the certificate server. As a result, it is not necessary to generate an exportable CA key if CA backup is desirable.
Where Documented: "Configuring and Managing a Cisco IOS Certificate Server for PKI Deployment"

Release: 12.3(11)T
Feature Name: PKI AAA Authorization Using the Entire Subject Name
Feature Description: This feature provides users with the ability to query the AAA server using the entire subject name from the certificate as a unique AAA username.
Where Documented: "Configuring Revocation and Authorization of Certificates in a PKI"

Release: 12.3(11)T
Feature Name: PKI Status
Feature Description: This enhancement added the status keyword to the show crypto pki trustpoints command, which allows you to view the current status of the trustpoint. Prior to this enhancement, you had to issue the show crypto pki certificates and show crypto pki timers commands to obtain the current status.
Where Documented: "Configuring Certificate Enrollment for a PKI" and "Configuring and Managing a Cisco IOS Certificate Server for PKI Deployment"

Release: 12.3(11)T
Feature Name: Reenroll Using Existing Certificates
Feature Description: This feature allows users to reenroll a router with a Cisco IOS CA via existing certificates from a third-party vendor CA.
Where Documented: "Configuring Certificate Enrollment for a PKI"

Release: 12.3(8)T
Feature Name: Easy Secure Device Deployment
Feature Description: This feature introduces support for SDP (formerly called EzSDD), which offers a web-based enrollment interface that enables network administrators to deploy new devices in large networks.
Where Documented: "Setting Up Secure Device Provisioning (SDP) for Enrollment in a PKI"

Release: 12.3(8)T
Feature Name: Easy Secure Device Deployment AAA Integration
Feature Description: This feature integrates an external AAA database, allowing the introducer to be authenticated against a AAA database instead of having to use the enable password of the local Cisco certificate server.
Where Documented: "Setting Up Secure Device Provisioning (SDP) for Enrollment in a PKI"

Release: 12.3(7)T
Feature Name: The Certificate Server Registration Authority (RA) Mode enhancement
Feature Description: A certificate server can be configured to run in RA mode.
Where Documented: "Configuring and Managing a Cisco IOS Certificate Server for PKI Deployment"

Release: 12.3(7)T
Feature Name: The "crypto pki" commands should be a synonym for "crypto ca" commands
Feature Description: This enhancement changes all commands that begin with "crypto ca" to "crypto pki". Although the router will still accept crypto ca, all output will be read back as crypto pki.
Where Documented: All modules that contain crypto ca commands.

Release: 12.3(7)T
Feature Name: Key Rollover for Certificate Renewal
Feature Description: This feature allows the certificate renewal request to be made before the certificate expires and retains the old key and certificate until the new certificate is available.
Where Documented: "Configuring Certificate Enrollment for a PKI"

Release: 12.3(7)T
Feature Name: PKI: Query Multiple Servers During Certificate Revocation Check
Feature Description: This feature introduces the ability for Cisco IOS software to make multiple attempts to retrieve the CRL, allowing operations to continue when a particular server is not available. In addition, the ability to override the CDPs in a certificate with a manually configured CDP has been introduced. Manually overriding the CDPs in a certificate can be advantageous when a particular server is unavailable for an extended period of time. The certificate's CDPs can be replaced with a URL or directory specification without reissuing all of the certificates that contain the original CDP.
Where Documented: "Configuring Revocation and Authorization of Certificates in a PKI"

Release: 12.3(7)T
Feature Name: Protected Private Key Storage
Feature Description: This feature allows a user to encrypt and lock the RSA private keys that are used on a Cisco IOS router, thereby preventing unauthorized use of the private keys.
Where Documented: "Deploying RSA Keys Within a PKI"

Release: 12.3(4)T
Feature Name: Import of RSA Key Pair and Certificates in PEM Format
Feature Description: This feature allows customers to use PEM-formatted files to import or export RSA key pairs. PEM-formatted files allow customers to directly use existing RSA key pairs on their Cisco IOS routers instead of generating new keys. Also, customers can issue certificate requests and receive issued certificates in PEM-formatted files.
Where Documented: "Deploying RSA Keys Within a PKI" and "Configuring Certificate Enrollment for a PKI"

Release: 12.3(4)T
Feature Name: Using Certificate ACLs to Ignore Revocation Check and Expired Certificates
Feature Description: This feature allows a certificate that meets specified criteria to be accepted regardless of the validity period of the certificate, or, if the certificate meets the specified criteria, revocation checking does not have to be performed. Certificate ACLs are used to specify the criteria that the certificate must meet to be accepted or to avoid revocation checking. In addition, if AAA communication is protected by a certificate, this feature provides for the AAA checking of the certificate to be ignored.
Where Documented: "Configuring Revocation and Authorization of Certificates in a PKI"

Release: 12.3(4)T
Feature Name: Cisco IOS Certificate Server
Feature Description: This feature introduces support for the Cisco IOS CS, which offers users a CA that is directly integrated with Cisco IOS software to more easily deploy basic PKI networks.
Where Documented: "Configuring and Managing a Cisco IOS Certificate Server for PKI Deployment"

Release: 12.3(4)T
Feature Name: Direct HTTP Enrollment with CA Servers
Feature Description: This feature allows users to configure an enrollment profile if their CA server does not support SCEP and they do not want to use an RA as a proxy. The enrollment profile allows users to send HTTP requests directly to the CA server instead of to the RA proxy.
Where Documented: "Configuring Certificate Enrollment for a PKI"

Release: 12.3(2)T
Feature Name: Online Certificate Status Protocol (OCSP)
Feature Description: This feature allows users to enable OCSP instead of CRLs to check certificate status. Unlike CRLs, which provide only periodic certificate status, OCSP can provide timely information regarding the status of a certificate.
Where Documented: "Configuring Revocation and Authorization of Certificates in a PKI"

Release: 12.3(1)
Feature Name: PKI Integration with AAA Server
Feature Description: This feature provides additional scalability for authorization by generating a AAA username from the certificate presented by the peer. A AAA server is queried to determine whether the certificate is authorized for use by the internal component. The authorization is indicated by a component-specified label that must be present in the AV pair for the user.
Where Documented: "Configuring Revocation and Authorization of Certificates in a PKI"

Release: 12.2(15)T
Feature Name: Certificate Security Attribute-Based Access Control
Feature Description: Under the IPSec protocol, CA interoperability permits Cisco IOS devices and a CA to communicate so that the Cisco IOS device can obtain and use digital certificates from the CA. Certificates contain several fields that are used to determine whether a device or user is authorized to perform a specified action. This feature adds fields to the certificate that allow an ACL to be specified, creating a certificate-based ACL.
Where Documented: "Configuring Revocation and Authorization of Certificates in a PKI"

Release: 12.2(15)T
Feature Name: Exporting and Importing RSA Keys
Feature Description: This feature allows you to transfer security credentials between devices by exporting and importing RSA keys. The key pair that is shared between two devices will allow one device to immediately and transparently take over the functionality of the other router.
Where Documented: "Deploying RSA Keys Within a PKI"

Release: 12.2(15)T
Feature Name: Multiple-Tier CA Hierarchy
Feature Description: This enhancement enables users to set up a PKI in a hierarchical framework to support multiple CAs. Within a hierarchical PKI, all enrolled peers can validate the certificate of one another as long as the peers share a trusted root CA certificate or a common subordinate CA.
Where Documented: "Configuring Certificate Enrollment for a PKI"

Release: 12.2(13)T
Feature Name: Manual Certificate Enrollment (TFTP Cut-and-Paste)
Feature Description: This feature allows users to generate a certificate request and accept CA certificates as well as the router's certificates via a TFTP server or manual cut-and-paste operations.
Where Documented: "Configuring Certificate Enrollment for a PKI"

Release: 12.2(8)T
Feature Name: Certificate Autoenrollment
Feature Description: This feature introduces certificate autoenrollment, which allows the router to automatically request a certificate from the CA using the parameters in the configuration.
Where Documented: "Configuring Certificate Enrollment for a PKI"

Release: 12.2(8)T
Feature Name: Certificate Enrollment Enhancements
Feature Description: This feature introduces five new crypto pki trustpoint subcommands that provide new options for certificate requests and allow users to specify fields in the configuration instead of having to go through prompts.
Where Documented: "Configuring Certificate Enrollment for a PKI"

Release: 12.2(8)T
Feature Name: Multiple RSA Key Pair Support
Feature Description: This feature allows a user to configure a router to have multiple RSA key pairs. Thus, the Cisco IOS software can maintain a different key pair for each identity certificate.
Where Documented: "Deploying RSA Keys Within a PKI"

Release: 12.2(8)T
Feature Name: Trustpoint CLI
Feature Description: This feature introduces the crypto pki trustpoint command, which adds support for trustpoint CAs.
Where Documented: "Configuring Certificate Enrollment for a PKI"