Table Of Contents
Managing Certificates
Wizards
Launching Certificate Wizards
Configuring a Certificate Trustpoint Using the Wizard
Setting up a Proxy Service Trustpoint
Setting up a CA Trustpoint
Configuring a Trustpoint and RSA Key Pair
Configuring SSL Certificate Attributes
Configuring Enrollment Parameters
Configuring a CA Certificate
Configuring Trustpoint Tasks
Viewing Wizard Summary
Delivering Configuration to an SSL Module
Viewing Trustpoint Configuration Status
Viewing Certificate Signing Request (CSR)
Importing and Exporting Certificates
Importing Certificates from an External PKI System
Importing PEM File
Exporting Certificates Using the Wizard
Viewing Certificate Export Wizard Summary
Viewing the Certificate Export Status
Viewing Certificate Trustpoints
Certificate Trustpoint Grouper
Certificate Trustpoint Details
Authenticating Trustpoints
Enrolling Trustpoints
Authenticating and Enrolling Trustpoints
Importing SSL Certificate Trustpoints
Renewing Trustpoints
Exporting Trustpoints
Editing Trustpoint Configuration
Selecting Available ACLs
Selecting Available Key Pairs
Deleting Certificates
Challenge Password
How Do I...
How Do I Configure a Certificate and Enroll with Certificate Authority?
How Do I Import a CA Certificate to SSLSM?
How Do I Import Certificates and Keys to SSLSM?
How Do I Import a Certificate Chain to SSLSM?
How Do I Export Certificates from SSLSM?
How Do I Renew a Certificate?
Managing Certificates
A Trustpoint is an association of a CA Certificate, an RSA Key pair, and the corresponding SSL Client and Server Certificate.
The following topics are described in this section:
• Wizards
• Viewing Certificate Trustpoints
• Certificate Trustpoint Details
• Editing Trustpoint Configuration
• Deleting Certificates
Wizards
Wizards help you configure keys, certificates, and proxy services. You can access the Certificate Wizards and the Proxy Service Wizards from this page.
Figure 3-1 Wizards
The following topics are included in this section:
Certificate Wizards
The Certificate Wizards help you configure keys and certificates. You can either create certificates and enroll them with the CA, or import certificates and their associated keys from an external PKI system.
• Configuring a Certificate Trustpoint Using the Wizard
• Importing Certificates from an External PKI System
• Exporting Certificates Using the Wizard
Proxy Service Wizards
The Proxy Service Wizards help you configure proxy services.
• Basic Proxy Service Wizard
• Advanced Proxy Service Wizard
Launching Certificate Wizards
To launch certificate wizards, do one of the following:
Step 1
Click Setup in the task bar. The Setup page appears.
Step 2
Click Wizard in the left-most pane. The Wizards information page appears.
Step 3
Click the Certificate Wizards tab to create a Certificate Trustpoint.
You can select either of the following tasks:
– Configure a certificate trustpoint
– Import certificates from an external PKI system
Step 4
Select one of the tasks, then click Launch the Selected Task. The Trustpoint Setup wizard appears with information on the steps to follow.
Or
Step 1
Click Setup at the top of the window, click PKI in the left-most pane, and select Certificate Trustpoints from the object Selector.
Step 2
Click Setup Wizard and select either of the following wizards:
– Configure a Certificate Trustpoint...
– Import Certificates from External PKI System...
Related Topics
• Configuring a Certificate Trustpoint Using the Wizard
• Importing Certificates from an External PKI System
Configuring a Certificate Trustpoint Using the Wizard
You can use the wizard to configure a certificate Trustpoint, authenticate it, and enroll with a CA.
To configure a certificate Trustpoint:
Step 1
Click Setup in the task bar. The Setup page appears.
Step 2
Click Wizard in the left-most pane. The Wizards information page appears.
Step 3
Click Certificate Wizards. The Certificate Wizards page appears.
Step 4
Select Configure a Certificate Trustpoint, then click Launch the Selected Task. The Trustpoint Configuration dialog box appears and lists the steps to follow to configure a Trustpoint.
You can use the wizard to configure either of the following Trustpoints:
• Proxy Service Trustpoint
• CA Trustpoint
Step 5
Click Next to continue.
Related Topics
• Setting up a Proxy Service Trustpoint
• Setting up a CA Trustpoint
Setting up a Proxy Service Trustpoint
You can use either of the following options to set up a proxy service trustpoint:
• Create a new proxy service Trustpoint.
• Configure a proxy service Trustpoint using the copy-and-paste method.
To create a new Proxy Service Trustpoint:
Step 1
Click Setup in the task bar. The Setup page appears.
Step 2
Click Wizard in the left-most pane. The Wizards information page appears.
Step 3
Click the Proxy Service Wizards tab to create a proxy service Trustpoint.
Step 4
Configure Trustpoint name and RSA key pair.
Step 5
(Optional) Configure SSL certificate attributes, then click Next.
Step 6
Configure enrollment parameters, then click Next.
Step 7
Select Trustpoint setup tasks, then click Next. The summary dialog box appears.
Step 8
Click Finish. The Deliver Configuration to SSLSM dialog box appears with the details on the CLI commands to be delivered to the module.
Step 9
Click Deliver to deliver the CLI commands. The Trustpoint Configuration Status dialog box appears.
To configure a Proxy Service Trustpoint using the copy-and-paste method:
Step 1
Configure Trustpoint name and RSA key pair.
Step 2
(Optional) Configure SSL certificate attributes, then click Next.
Step 3
Configure enrollment parameters, then click Next.
Step 4
Specify CA certificate, then click Next.
Step 5
Select Trustpoint setup tasks, then click Next. The summary dialog box appears.
Step 6
Click Finish.
Setting up a CA Trustpoint
You can use either of the following options to configure a CA Trustpoint:
• Configure a CA Trustpoint.
• Configure a CA Trustpoint using the copy-and-paste method.
To configure a CA Trustpoint:
Step 1
Configure Trustpoint Name.
Step 2
Specify CA Certificate source.
To configure a CA Trustpoint using the copy-and-paste method:
Step 1
Configure Trustpoint Name.
Step 2
Specify CA Certificate source.
Step 3
Specify CA Certificate.
Configuring a Trustpoint and RSA Key Pair
The Configure Trustpoint and RSA Key Pair page helps you set up a proxy service Trustpoint or a CA Trustpoint. You can either use an existing key pair for the Trustpoint or generate a new key pair.
Note
If you are creating the Trustpoint for the first time, generate a new key pair. You will not be able to use an existing key pair.
The following fields appear on the page:
Field | Action/Description
Trustpoint
Trustpoint Name | The Trustpoint the module should use.
Proxy Service Trustpoint | Select this option to create a proxy service Trustpoint.
CA Trustpoint | Select this option to create a CA Trustpoint.
RSA Key Pair
Generate a new Key Pair | Select this option to generate a new key pair.
Key Pair Name | Enter the name of the key pair. We recommend that you use a key pair name that matches the trustpoint name.
Key Size | The size of the key, in bits. The key size can be 512, 768, 1024, 1536, or 2048.
Allow Private Key Export | Select this option to make the new key exportable. You must select this option to be able to export the key later.
Use an Existing Key Pair | Select this option to use an existing key pair.
Configuring SSL Certificate Attributes
The SSL Certificate Attributes wizard page allows you to enter the SSL certificate attributes for the certificate Trustpoint. Although none of these fields is mandatory, we recommend that you fill in the common name (CN) field.
The following fields appear on the SSL certificate attributes page:
Field | Description
Subject Distinguished Name (DN) | The fully qualified domain name in the certificate. The subject name uses Lightweight Directory Access Protocol (LDAP) format.
Common Name (CN) | The common name to be used. Example: server.domain.com, where server is the name of the SSL server that appears in the URL.
Organization Unit (OU) | Organization unit. Example: Cisco
Department (D) | Name of the department. Example: Lab
Location (L) | The location of the organization. Example: San Jose
State (ST) | The name of the state. Example: California
Country (C) | The country name. Example: US
Include SSM Serial Number | Select this option to include the serial number of the SSL module in the certificate.
Unstructured
Unstructured Name | The unstructured URL of the server. Example: server5.domain.com
Subject IP Address | IP address to be included in the certificate.
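The subject name is stored in LDAP (RFC 4514 string) format, so values typed into the fields above are joined and escaped before they reach the certificate. The following added example (not the product's code) builds that DN from the wizard's attribute values and parses one back, which is useful for checking the Subject Name shown on the Trustpoint page against what was entered; the attribute types CN, OU, L, ST and C and the sample values are taken from the table, and hex escapes (\XX) are not handled.

```python
"""Build and parse the LDAP-format subject DN derived from the SSL
Certificate Attributes fields. Added example, not the product's code.
Escaping follows RFC 4514; only the backslash-character escape form is
handled, not hex escapes such as \\2C."""
from typing import List, Tuple

_SPECIAL = ',+"\\<>;'


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so it can be embedded in a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:                 # a leading '#' would start a hex string
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):  # leading or trailing space
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_subject_dn(attributes: List[Tuple[str, str]]) -> str:
    """Join (type, value) pairs in the order given, skipping empty fields.

    The wizard fields map to the usual types CN, OU, L, ST, C; pass them in
    the order the DN should list them (most specific first)."""
    return ",".join(f"{t}={escape_rdn_value(v)}" for t, v in attributes if v)


def parse_subject_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN string back into (type, value) pairs, undoing the escaping.

    Use this to compare the Subject Name column of the Trustpoint page with
    the values that were typed into the wizard."""
    pairs: List[Tuple[str, str]] = []
    buf: List[str] = []
    escaped = False

    def flush() -> None:
        attr_type, sep, value = "".join(buf).partition("=")
        if sep:                                    # ignore empty fragments
            pairs.append((attr_type.strip(), value))
        buf.clear()

    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            flush()
        else:
            buf.append(ch)
    flush()
    return pairs


# Constructed sample using the example values from the attributes table.
WIZARD_FIELDS = [
    ("CN", "server.domain.com"),
    ("OU", "Cisco"),
    ("L", "San Jose"),
    ("ST", "California"),
    ("C", "US"),
]

if __name__ == "__main__":
    dn = build_subject_dn(WIZARD_FIELDS)
    print(dn)
    print(parse_subject_dn(dn) == WIZARD_FIELDS)
```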
Configuring Enrollment Parameters
The Configure Enrollment Parameters page of the wizard allows you to specify the enrollment parameters for your certificate authority.
The following fields appear on the Configure Enrollment Parameters page:
Field | Description
CA | The name of the certificate authority. To configure enrollment parameters for a new CA, choose <NEW>. To enroll with a CA that is already configured, select the CA from the list and modify the parameters.
Simple Certificate Enrollment Protocol (SCEP) | Select this option to use SCEP.
CA Server URL | URL of the CA server.
Challenge Password | Enter a challenge password.
Confirm the Password | Confirm the challenge password.
Retry Count | Number of retries.
Enable Auto-Enrollment | Select this option to enable auto-enrollment.
Retry Period (Minutes) | Time to wait, in minutes, before the next retry.
HTTP Proxy | URL of the HTTP proxy to be used for the enrollment.
Port | The port to be used for the enrollment.
TFTP | Select this option if you are using TFTP.
CA Server URL | URL of the CA server. Example: tftp://ipaddress/Certificates/filename. The suffix .ca is appended to the file name.
Copy and Paste / Local Hard Disk | Select this option to copy and paste the certificate, or to specify a certificate file on the local hard disk.
The TFTP and cut-and-paste features allow you to generate a certificate request and accept certification authority certificates as well as router certificates. These tasks are accomplished with a TFTP server or with manual cut-and-paste operations.
You may want to use TFTP or manual cut-and-paste enrollment in the following situations:
• Your certificate authority does not support Simple Certificate Enrollment Protocol (SCEP).
• A network connection between the router and the certificate authority is not possible. (A router running Cisco IOS software obtains its certificates using a network connection between the router and the certificate authority.)
Configuring a CA Certificate
The CA Certificate page of the wizard allows you to specify the CA certificate for the Trustpoints. You can either copy-and-paste the certificate to the text area, or select the certificate file from the local hard disk.
Field | Action/Description
CA Certificate File | Browse the local hard disk and select the file.
Configuring Trustpoint Tasks
The Trustpoint Setup Tasks wizard page allows you to select a Trustpoint configuration task that you want to perform on the certificate Trustpoint.
You can select one of the following tasks:
Field | Action/Description
Authenticate and Enroll the Trustpoint | Select this option to apply the trustpoint configuration, authenticate, and enroll.
Only Authenticate the Trustpoint | Select this option to apply the trustpoint configuration and authenticate.
Only apply the Trustpoint Configuration | Select this option to apply the trustpoint configuration only.
Viewing Wizard Summary
When you use a wizard to perform a configuration, the wizard's Summary page displays the values that you have configured. You can examine those values and click the wizard's Back button to return to a screen on which you need to make a change. When you have made the changes, click the Finish button to save your changes and leave the wizard.
Delivering Configuration to an SSL Module
This page provides information on the CLI commands you have configured.
Click Deliver to deliver the commands to the module.
Click Save to File to save the commands to a file.
Click Deliver Later to deliver the commands at a later point of time.
For more information on delivering CLI commands, see Delivering CLI Commands to the Device, page 1-18.
Viewing Trustpoint Configuration Status
The Trustpoint Configuration Status dialog box provides the status details of the Trustpoint configuration tasks. The details displayed vary according to the task you selected. The dialog box displays the status against each task. The configuration performed on the module is displayed in the content area. If any task fails, you can review the task details and take the necessary action.
Click OK to view the Certificate Signing Request (CSR). For more information on the Certificate Signing Request (CSR), see Viewing Certificate Signing Request (CSR).
For authentication, the fingerprint information appears after the status is displayed. Verify the fingerprint displayed and accept the certificate to complete the authentication.
Viewing Certificate Signing Request (CSR)
The Certificate Request dialog box provides information on the certificate requested.
Click Save to File to save the certificate request. The file is saved with the default extension .csr.
Click Cancel to close the dialog box.
Importing and Exporting Certificates
You can use wizards to import and export certificates. This section contains the following information:
• Importing Certificates from an External PKI System
• Exporting Certificates Using the Wizard
Importing Certificates from an External PKI System
The Certificate Wizard allows you to import Certificates and Private Keys from an external PKI in PKCS12 or privacy-enhanced mail (PEM) format.
To import certificates using Trustpoint Wizard:
Step 1
Click Setup in the CVDM-SSLSM task bar. The Setup page appears.
Step 2
Click Wizards in the left-most pane. The Setup Wizards information appears in the content area.
Step 3
Select Import from External PKI System, then click Launch the Selected Task. The Key Pair Import wizard appears.
You can import files in either of the following formats:
• PEM file; see Importing PEM File.
• PKCS12 file; see Importing PKCS12 File.
Importing PKCS12 File
You can use an external PKI system to generate a PKCS12 file and then import this file to the module.
When creating a PKCS12 file, include the entire certificate chain, from server certificate to root certificate, and public and private keys. You can also generate a PKCS12 file from the module and export it.
Note
Imported key pairs cannot be exported.
If you are using SSH, we recommend using SCP when importing or exporting a PKCS12 file. SCP authenticates the host and encrypts the transfer session.
To import a PKCS12 File:
Step 1
Enter certificate format and source, then click Next. The Summary dialog box appears.
Step 2
Click Finish to complete importing the certificate.
Importing PEM File
To import a PEM File:
Step 1
Enter the format and source.
Step 2
Specify the certificate and key Files.
Step 3
Specify the private key.
Step 4
Specify SSL certificate.
Step 5
Click Next. The summary dialog box appears.
Step 6
Click Finish to complete importing the file.
You can copy and paste the CA Certificate in PEM format.
To import a PEM File using the copy-and-paste method:
Step 1
Enter the format and source.
Step 2
Copy-and-paste the CA Certificate in PEM format.
Step 3
Click Next. The summary dialog box appears.
Step 4
Click Finish to complete importing the file.
Configuring Certificate Source and Format
The Certificate Source and Format page of the wizard allows you to enter the Trustpoint name, format and source.
You can enter the details for both PKCS12 and PEM.
PEM
Step 1
Select the PEM format. The following options appear:
• Local Hard Disk—to import certificates from the client workstation.
• Copy-and-paste—to import certificates and keys using the copy-and-paste method.
• Remote system—to import certificates from a remote system using TFTP, FTP, RCP, or SCP.
Step 2
Select one of the options, then click Next.
PKCS12
Step 1
Select PKCS12. The following fields are displayed:
Field | Description
Format | Key pair file format.
Protocol | Select one of the following protocols to be used for importing the file: TFTP, FTP, RCP, or SCP.
IP Address | IP address of the certificate source.
User Name | User name for the remote system.
Password | Password to be used for the remote system.
PKCS12 File | The absolute path and file name of the PKCS12 file. Example: d:/tftpboot/certs/cert.p12
Pass Phrase | Passphrase to be used to decrypt the key.
Create Trustpoints for CAs higher in the hierarchy | Select this option to create Trustpoints for certificates higher in the hierarchy.
A passphrase protects a PEM file that contains a private key. The PEM file is encrypted by DES or 3DES, and the encryption key is derived from the passphrase. A PEM file containing a certificate is not encrypted and is not protected by the passphrase.
Step 2
Enter the details, then click Next.
Configuring Certificates and Key Files (PEM - Local Hard Disk)
The Certificates and Key Files dialog box allows you to specify the location of the certificates and key files.
The following fields are displayed:
Field | Description
CA Certificate File | The CA certificate file name with the absolute path. You can browse and select the file from the local hard disk.
Private Key File | The private key file name with the absolute path. You can browse and select the file from the local hard disk.
Passphrase | The passphrase to decrypt the key.
SSL Certificate File | The SSL certificate file name with the absolute path. You can browse and select the file from the local hard disk.
Note
A passphrase protects a PEM file that contains a private key. The PEM file is encrypted by DES or 3DES. The encryption key is derived from the pass phrase. A PEM file containing a certificate is not encrypted and is not protected by the pass phrase.
Configuring Certificates and Key Files (PEM - Remote System)
The Certificates and Key Files dialog box allows you to specify the location of the certificates and key files.
The following fields appear:
Field | Description
Protocol | Select the protocol to be used for importing the file: TFTP, FTP, RCP, or SCP.
IP Address | IP address of the remote system.
Username | User name for the remote system.
Password | Password for the remote system.
CA Certificate File | The CA certificate file name with the absolute path. Enter the absolute path and the file name. Example: /Certs/cert.pem
Private Key File | The private key file name with the absolute path. Enter the absolute path and the file name. Example: /Certs/cert.pem
Passphrase | The passphrase to decrypt the key.
SSL Certificate File | The SSL certificate file name with the absolute path. Example: /user/local/Certs/cert.pem
Note
A passphrase protects a PEM file that contains a private key. The PEM file is encrypted by DES or 3DES. The encryption key is derived from the pass phrase. A PEM file containing a certificate is not encrypted and is not protected by the pass phrase.
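The note above (repeated for each PEM import path) says the private key file is passphrase protected with DES or 3DES while certificate files are not. The following added example, not part of the product or its documentation, checks the three files the Certificates and Key Files page asks for against exactly that: it reads only the PEM envelope and the Proc-Type/DEK-Info headers, so it runs without any cryptography library, and the sample files it carries are constructed placeholders, not real key material.

```python
"""Pre-import check for the PEM files the Certificates and Key Files page
asks for. Added example, not part of the product or its documentation. It
reads only the PEM envelope (BEGIN/END lines plus any Proc-Type/DEK-Info
headers) and never decrypts or parses key material, so it needs no
cryptography library. The sample files below are constructed placeholders."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Ciphers the documentation names for passphrase-protected PEM private keys.
DOCUMENTED_KEY_CIPHERS = {"DES-CBC", "DES-EDE3-CBC"}

_BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", re.DOTALL
)


@dataclass
class PemBlock:
    label: str                     # e.g. "CERTIFICATE" or "RSA PRIVATE KEY"
    encrypted: bool = False        # "Proc-Type: 4,ENCRYPTED" header present
    cipher: Optional[str] = None   # algorithm named in the DEK-Info header

    @property
    def is_private_key(self) -> bool:
        return self.label.endswith("PRIVATE KEY")


def parse_pem(text: str) -> List[PemBlock]:
    """One PemBlock per BEGIN/END section; only the RFC 1421 headers are read."""
    blocks: List[PemBlock] = []
    for label, body in _BLOCK_RE.findall(text.replace("\r\n", "\n")):
        block = PemBlock(label=label)
        # Encapsulated headers sit before the base64 body, ended by a blank line.
        head, sep, _ = body.partition("\n\n")
        if sep:
            for line in head.splitlines():
                name, _, value = line.partition(":")
                if name.strip() == "Proc-Type" and "ENCRYPTED" in value:
                    block.encrypted = True
                elif name.strip() == "DEK-Info":
                    block.cipher = value.strip().split(",")[0]
        blocks.append(block)
    return blocks


def check_pem_import(ca_pem: str, key_pem: str, ssl_pem: str) -> List[str]:
    """Findings for the CA certificate, private key and SSL certificate files.

    An empty list means the files match what the page describes: certificate
    files hold unencrypted certificates only, and the key file holds exactly
    one private key encrypted with DES or 3DES under the passphrase."""
    findings: List[str] = []
    for name, text in (("CA certificate", ca_pem), ("SSL certificate", ssl_pem)):
        blocks = parse_pem(text)
        if not blocks:
            findings.append(f"{name} file: no PEM block found")
        for b in blocks:
            if b.is_private_key:
                findings.append(f"{name} file: contains a private key ({b.label}); "
                                "keep keys in the private key file")
            elif b.label != "CERTIFICATE":
                findings.append(f"{name} file: unexpected block type {b.label}")
            elif b.encrypted:
                findings.append(f"{name} file: certificate block is encrypted; "
                                "certificate PEM files are not passphrase protected")
    keys = [b for b in parse_pem(key_pem) if b.is_private_key]
    if len(keys) != 1:
        findings.append(f"private key file: expected one private key, found {len(keys)}")
    for k in keys:
        if not k.encrypted:
            findings.append("private key file: key is NOT passphrase protected "
                            "(no 'Proc-Type: 4,ENCRYPTED' header)")
        elif k.cipher not in DOCUMENTED_KEY_CIPHERS:
            findings.append(f"private key file: cipher {k.cipher} is not the DES/3DES "
                            "the module documentation describes")
    return findings


# Constructed placeholders: the base64 bodies are filler, not real key or
# certificate material, so only the envelope is meaningful.
_FAKE_BODY = "MIIBogIBAAJBAK" + "Q" * 50 + "\n" + "R" * 20 + "=\n"
SAMPLE_CA_PEM = f"-----BEGIN CERTIFICATE-----\n{_FAKE_BODY}-----END CERTIFICATE-----\n"
SAMPLE_KEY_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0A1B2C3D4E5F6071\n"
    "\n"
    f"{_FAKE_BODY}-----END RSA PRIVATE KEY-----\n"
)
UNPROTECTED_KEY_PEM = (
    f"-----BEGIN RSA PRIVATE KEY-----\n{_FAKE_BODY}-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    print(check_pem_import(SAMPLE_CA_PEM, SAMPLE_KEY_PEM, SAMPLE_CA_PEM))      # []
    print(check_pem_import(SAMPLE_CA_PEM, UNPROTECTED_KEY_PEM, SAMPLE_CA_PEM))
```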
Configuring a CA Certificate (PEM - Copy-and-paste)
This page of the wizard allows you to copy-and-paste the CA certificate in PEM format.
Viewing the Configuration Summary
When you use a wizard to perform a configuration, the wizard's Summary screen displays the summary of the certificate you are about to import. You can examine the values and click the wizard's Back button to return to a screen on which you need to make a change. When you have made the changes, click the Finish button to import the certificate and leave the wizard.
Delivering Configuration to SSL Module
This page provides information on the CLI commands you have configured.
Click Deliver to deliver the commands to the module.
Click Save to File to save the commands to a file.
Click Deliver Later to deliver the commands at a later point of time.
For more information on delivering CLI commands, see Delivering CLI Commands to the Device, page 1-18.
Viewing the Certificate Import Status
The Certificate Import Status dialog box provides the status details of the Trustpoint configuration tasks. The details displayed vary according to the task you selected. The dialog box displays the status against each task.
The configuration performed on the module is displayed in the content area. If any task fails, you can review the task details and take necessary action.
Exporting Certificates Using the Wizard
You can export certificates using either PKCS12 file format or privacy-enhanced mail (PEM) file format.
To export certificates:
Step 1
Click Setup at the top of the window, click PKI in the left-most pane, and select Trustpoints from the object Selector. The Trustpoint page appears.
Step 2
Select a Trustpoint node from the logical group. You can group the Trustpoints using Trustpoint Grouper.
Step 3
Select a Trustpoint from the list.
Step 4
Click Operations, then select Export from the popup menu.
Step 5
The Trustpoint Export Wizard appears.
You can export Trustpoints in PKCS12 or PEM format.
For more information on exporting Trustpoints in PEM file format, see Exporting PEM Files.
For more information on exporting Trustpoints in PKCS12 file format, see Exporting PKCS12 Files.
Exporting PKCS12 Files
To export a PKCS12 File:
Step 1
Enter the certificate format and destination, then click Next. The summary page appears.
Step 2
Click Finish to complete exporting the file.
Exporting PEM Files
To export a PEM File:
Step 1
Enter the certificate format and destination, then click Next.
You can select any of the following:
• Local Hard Disk—to export certificates and keys to the client workstation.
• Copy-and-Paste—to export certificates and keys using the copy-and-paste method.
• Remote System—to export certificates and keys using TFTP, FTP, RCP, or SCP.
Step 2
Specify the certificate and key files. The fields change depending on the source you have selected.
Step 3
Click Finish to complete exporting the files.
Certificate Format and Destination
The Certificate Format and Destination page of the wizard allows you to specify the Trustpoint name and then select the format and destination.
The dialog box displays the following fields:
Field | Description
Trustpoint Name | The name of the Trustpoint.
Pass phrase | The pass phrase to be used for decrypting the key.
Encryption | The encryption to be used for the key pairs.
Format | The file format. Options are PEM and PKCS12.
If you select PEM, the following fields appear:
Field | Description
Local Hard Disk | Select to export certificates and keys to the client workstation.
Copy and Paste | Select to export certificates and keys through copy-and-paste.
Remote System | Select to export certificates and keys using TFTP, FTP, RCP, or SCP.
If you select PKCS12, the following fields appear:
Field | Description
Protocol | The protocol used for transferring the keys.
IP Address | The IP address of the destination system.
User Name | The user name for the destination system.
Password | The password to be used for the destination system.
PKCS12 Certificate File | Specify the PKCS12 file.
Certificate and Key Pair Files (PEM - Local Hard Disk)
The Certificate and Key Pair Files (PEM Local Hard Disk) page of the wizard allows you to export PEM files from your local hard disk.
The following fields appear:
Field | Description
CA Certificate File | Enter the CA certificate file name with the absolute path. Alternatively, you can browse and select the file from the local hard disk.
Private Key File | Enter the private key file name with the absolute path. Alternatively, you can browse and select the file from the local hard disk.
SSL Certificate File | Enter the SSL certificate file name with the absolute path. Alternatively, you can browse and select the file from the local hard disk.
Certificate and Key Pair Files (PEM - Remote File System)
The Certificate and Key Pair File (PEM Remote File System) page of the wizard allows you to export a PEM file from a remote file system.
This page allows you to specify the protocol and the destination details for the certificate and private key files.
The following fields appear:
Field | Description
Protocol | Protocol to be used for exporting the file.
IP Address | IP address of the remote system.
User Name | User name for the remote system.
Password | Password for the remote system.
CA Certificate File | The absolute path to the CA certificate file. Example: /certs/cert.pem
Private Key File | The absolute path to the private key file. Example: /certs/cert.pem
SSL Certificate File | The absolute path to the SSL certificate file. Example: /certs/cert.pem
Viewing Certificate Export Wizard Summary
When you use a wizard to perform a configuration, the wizard's Summary page displays the values that you have configured. You can examine those values and click the wizard's Back button to return to a screen on which you need to make a change. When you have made the changes, click the Finish button to save your changes and leave the wizard.
Viewing the Certificate Export Status
The Certificate Export Status dialog box provides the status details of the certificate export tasks. If a task fails, you can review the task details and take the necessary action.
Viewing Certificate Trustpoints
The Certificate Trustpoint page shows all certificate Trustpoints configured on the SSL Services Module.
Figure 3-2 Public Key Infrastructure Page
To view all Trustpoints:
Step 1
Click Setup at the top of the window, click PKI in the left-most pane, and select Certificate Trustpoints from the object Selector.
The following information is displayed for Trustpoints:
Field | Description
Trustpoints
Trustpoint Name | The name of the trustpoint associated with the key pair.
CA Name | Certificate Authority associated with the Trustpoint.
Subject Name | Subject name in the SSL certificate associated with the Trustpoint.
Expiry Date | The expiry date of the SSL certificate or the CA certificate, whichever expires earlier.
Status | Status of the associated CA certificate. A status icon indicates whether the certificate is valid, invalid, or valid for less than 10 days, less than 20 days, or less than 30 days. Status is displayed only for Trustpoints with certificates.
Select a Trustpoint name from the table to view the following Trustpoint status details.
Field | Description
Trustpoint | The trustpoint name. Click the link to view details on the trustpoint.
CA Certificate
Status | Status of the CA certificate. A status icon indicates whether the certificate is valid, invalid, or valid for less than 10 days, less than 20 days, or less than 30 days.
CA Name | Subject of the CA certificate.
SSL Certificate
Status | Status of the SSL certificate.
Subject Name | Subject of the SSL certificate.
Keypair Name | Key pair to which the trustpoint is associated.
Certificate Chain
Status | Status of the certificate chain.
Chain Length | Number of certificates in the chain.
You can launch wizards to configure a Trustpoint. To launch a wizard, click Setup Wizard, then select one of the following options:
• Configure a Certificate Trustpoint...
• Import Certificates from External PKI...
Select a Trustpoint, then click Delete to delete the trustpoint.
Related Topics
• Certificate Trustpoint Grouper
• Configuring a Certificate Trustpoint Using the Wizard
• Importing Certificates from an External PKI System
Certificate Trustpoint Grouper
You can group Trustpoints based on different common parameters.
To group the Trustpoints:
Step 1
Select one of the options:
• Group by Enrollment Status—to group Trustpoints based on the enrollment status. The Trustpoints are displayed under the following groups:
– SSL Certificates—all Trustpoints that have an SSL certificate.
– Enrollment Pending—all Trustpoints that have a CA certificate and key pair configured but do not have an SSL certificate.
– CA Certificates—all Trustpoints that have a CA certificate configured but no key pair. All CA Trustpoints are grouped under this group.
– No Certificates—all Trustpoints that do not have any certificate associated with them.
• Group by Expiry—to group Trustpoints based on the expiry date. The Trustpoints are displayed under groups starting with the Trustpoints expiring this month, then next month, and so on.
• Group by CA—to group Trustpoints by CA.
• No Grouping—to list all Trustpoints without any grouping.
Based on your selection, Trustpoints are grouped under the Trustpoints node in the object Selector.
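The Expiry Date column, the status thresholds of the Certificate Trustpoint page, and the Group by Enrollment Status and Group by Expiry options above follow simple rules that are easy to reproduce for an inventory pulled from the module. The following added example (not the product's code) implements those rules over a constructed set of trustpoints; it assumes that a certificate whose expiry date is before today is the "invalid" case, and that Group by Expiry simply omits trustpoints with no certificate, since the page does not say where they appear.

```python
"""Trustpoint expiry status and grouping as shown on the Certificate
Trustpoint page. Added example, not the product's code; it reproduces the
rules the page states (Expiry Date = earlier of SSL and CA expiry; status
thresholds of 10, 20 and 30 days; Group by Enrollment Status buckets).
Assumption: a certificate whose expiry date is before today is invalid."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Trustpoint:
    name: str
    ca_name: Optional[str] = None      # set when a CA certificate is configured
    ca_expiry: Optional[date] = None
    ssl_expiry: Optional[date] = None  # set when an SSL certificate is present
    key_pair: Optional[str] = None     # set when an RSA key pair is configured

    def expiry(self) -> Optional[date]:
        """Expiry Date column: whichever of the two certificates expires earlier."""
        dates = [d for d in (self.ca_expiry, self.ssl_expiry) if d is not None]
        return min(dates) if dates else None


def status(expiry: Optional[date], today: date) -> Optional[str]:
    """Text of the status icon; None when there is no certificate to report on."""
    if expiry is None:
        return None
    days_left = (expiry - today).days
    if days_left < 0:
        return "invalid"
    for limit in (10, 20, 30):
        if days_left < limit:
            return f"valid for less than {limit} days"
    return "valid"


def group_by_enrollment_status(tps: List[Trustpoint]) -> Dict[str, List[str]]:
    """The four buckets of 'Group by Enrollment Status', tested in order."""
    groups: Dict[str, List[str]] = {
        "SSL Certificates": [], "Enrollment Pending": [],
        "CA Certificates": [], "No Certificates": [],
    }
    for tp in tps:
        if tp.ssl_expiry is not None:
            groups["SSL Certificates"].append(tp.name)
        elif tp.ca_name is not None and tp.key_pair is not None:
            groups["Enrollment Pending"].append(tp.name)
        elif tp.ca_name is not None:
            groups["CA Certificates"].append(tp.name)
        else:
            groups["No Certificates"].append(tp.name)
    return groups


def group_by_expiry(tps: List[Trustpoint]) -> Dict[str, List[str]]:
    """'Group by Expiry': buckets keyed by expiry month (YYYY-MM), earliest first.

    Assumption: trustpoints with no certificate are left out, because the
    page does not say where they are shown."""
    with_expiry = [(tp.expiry(), tp.name) for tp in tps if tp.expiry() is not None]
    groups: Dict[str, List[str]] = {}
    for exp, name in sorted(with_expiry):
        groups.setdefault(exp.strftime("%Y-%m"), []).append(name)
    return groups


# Constructed sample inventory; "today" is fixed so the results are stable.
TODAY = date(2024, 6, 15)
SAMPLE = [
    Trustpoint("web1", ca_name="corp-ca", ca_expiry=date(2026, 1, 1),
               ssl_expiry=date(2024, 6, 20), key_pair="web1"),
    Trustpoint("web2", ca_name="corp-ca", ca_expiry=date(2026, 1, 1),
               ssl_expiry=date(2024, 7, 10), key_pair="web2"),
    Trustpoint("old", ca_name="corp-ca", ca_expiry=date(2024, 5, 1),
               ssl_expiry=date(2025, 1, 1), key_pair="old"),   # CA cert already expired
    Trustpoint("pending", ca_name="corp-ca", ca_expiry=date(2026, 1, 1), key_pair="pending"),
    Trustpoint("root-only", ca_name="corp-ca", ca_expiry=date(2026, 1, 1)),
    Trustpoint("empty"),
]

if __name__ == "__main__":
    for tp in SAMPLE:
        print(f"{tp.name:10} {tp.expiry()} {status(tp.expiry(), TODAY)}")
    print(group_by_enrollment_status(SAMPLE))
    print(group_by_expiry(SAMPLE))
```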
Certificate Trustpoint Details
You can view the configuration and certificate details of a selected Trustpoint.
Figure 3-3 Public Key Infrastructure Details
To view the details:
Step 1
Click Setup at the top of the window, click PKI in the left-most pane, and select Trustpoints from the object Selector. The Trustpoint page appears.
Step 2
Select a Trustpoint object from the logical group. You can group the Trustpoints using the Trustpoint Grouper. For more information, see Certificate Trustpoint Grouper.
Step 3
Click the Configuration tab.
The following fields are displayed:
Field | Description
Trustpoint Name | The name of the Trustpoint.
Key Pair Name | The key pair associated with the trustpoint.
Certificate
Subject | The subject of the certificate.
IP Address | The IP address of the module.
Certificate Purpose | The purpose of the certificate.
Include SSM Serial Number in Subject Name | Select this option to include the SSL module serial number in the subject name.
Enrollment
Enrollment Method | The enrollment method for the certificate. Example: copy-and-paste.
CA Server URL | The URL of the CA server.
Retry Count | Specifies how many times CVDM should try to enroll the certificate with the module.
Retry Period (min) | Duration between retries, in minutes.
Enable Auto-enrollment | Indicates whether auto-enrollment is enabled for the certificate.
Regenerate keys on auto enrollment | Indicates whether the keys are regenerated on auto-enrollment.
CRL
X.500 CDP Information | X.500 CDP information for the certificate trustpoint.
CRL Validation | How strictly the CRL is validated. Values are:
• Default—Used when the trustpoint has been selected to validate a certificate. If the CRL is not in the database or has expired, the SSL module downloads a CRL and saves it to the database for later use. If the CRL download fails, the SSL module rejects the certificate being validated.
• Optional—If the SSL module finds a CRL in the database that has not expired, it performs a CRL lookup. If it does not find a CRL, it accepts the certificate. The SSL module makes no attempt to download a CRL.
• Best-effort—If the SSL module finds a CRL in the database that has not expired, it performs a CRL lookup. If it does not find a CRL, it attempts to download one. However, if the CRL download fails, the SSL module accepts the certificate.
Certificate ACL
Certificate ACL | The name of the Certificate ACL associated with the Trustpoint.
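The three CRL Validation settings differ only in what happens when no unexpired CRL is in the module's database, which is the case that decides whether a revoked certificate slips through. The following added example (not the module's code) models that decision so the three outcomes can be compared side by side; the CDP download is stood in for by a callable, and the 7-day lifetime given to a freshly downloaded CRL is an assumption, since the page states no period.

```python
"""Decision logic for the three CRL Validation settings of a trustpoint
(Default, Optional, Best-effort) as the page describes them. Added example,
not the module's code. `fetch` stands in for the CDP download and returns the
revoked serial numbers, or None when the download fails. Assumption: a
downloaded CRL is treated as current for 7 days (the page gives no period)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable, Dict, Optional, Set, Tuple

Fetch = Callable[[str], Optional[Set[str]]]   # issuer name -> revoked serials, or None


@dataclass
class Crl:
    revoked: Set[str]
    next_update: date   # the CRL counts as expired once today is past this date


@dataclass
class CrlValidator:
    mode: str                      # "default", "optional" or "best-effort"
    fetch: Fetch
    db: Dict[str, Crl] = field(default_factory=dict)   # the module's CRL database
    downloads: int = 0             # number of CDP downloads attempted

    def _usable_crl(self, issuer: str, today: date) -> Optional[Crl]:
        """A CRL from the database counts only if present and not expired."""
        crl = self.db.get(issuer)
        if crl is None or today > crl.next_update:
            return None
        return crl

    def _download(self, issuer: str, today: date) -> Optional[Crl]:
        self.downloads += 1
        revoked = self.fetch(issuer)
        if revoked is None:
            return None
        crl = Crl(revoked, next_update=today + timedelta(days=7))
        self.db[issuer] = crl      # saved to the database for later use
        return crl

    def validate(self, issuer: str, serial: str, today: date) -> Tuple[bool, str]:
        """Return (accepted, reason) for the certificate with this issuer and serial."""
        if self.mode not in ("default", "optional", "best-effort"):
            raise ValueError(f"unknown CRL validation mode: {self.mode}")
        crl = self._usable_crl(issuer, today)
        if crl is None:
            if self.mode == "optional":
                return True, "no usable CRL in database; accepted without downloading"
            crl = self._download(issuer, today)
            if crl is None:
                if self.mode == "default":
                    return False, "CRL download failed; certificate rejected"
                return True, "CRL download failed; accepted on best effort"
        if serial in crl.revoked:
            return False, "serial number listed on CRL; certificate rejected"
        return True, "serial number not on CRL; certificate accepted"


# Constructed CDP stand-ins: one CA whose CRL lists serial 1001, one unreachable.
def cdp_online(issuer: str) -> Optional[Set[str]]:
    return {"1001"}


def cdp_offline(issuer: str) -> Optional[Set[str]]:
    return None


TODAY = date(2024, 6, 15)
STALE_CRL = Crl(set(), next_update=date(2024, 1, 1))   # expired entry for the database

if __name__ == "__main__":
    for mode in ("default", "optional", "best-effort"):
        v = CrlValidator(mode, cdp_online)
        print(mode, v.validate("corp-ca", "1001", TODAY),
              v.validate("corp-ca", "1002", TODAY), "downloads:", v.downloads)
```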
To view SSL certificate details, click the SSL Certificate tab.
To view CA certificate details, click the CA Certificate tab.
To view certificate chain details, click the Certificate Chain tab. The certificate chain is displayed in tree format. Each node displays the subject of the certificate.
You can view the details of each certificate on the chain. The following fields are displayed:

Field | Description
Status | Indicates the status of the selected certificate chain. One icon indicates that the certificate chain is complete; another icon indicates that the chain is incomplete. Example: "Certificate chain is complete - CA certificate is the Root."

Certificate Details
Certificate | Shows the details of the certificate, including how long the certificate is valid. Other details include:
• Version and serial number
• Issuer
• Subject
• Subject Public Key Information

Associated Trustpoint | Click the link to view the Trustpoint details.
Trustpoint name | The name of the trustpoint associated with the certificate.
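To make the completeness rule concrete, here is an added Python example (not CVDM-SSLSM or SSL module code) that walks a constructed set of certificates by their subject and issuer names and reports whether the chain ends at a self-signed root, which is the condition the Status indicator reports. The certificate names, the Cert class and the chain_status and render_tree functions are this example's own inventions; it checks name links only, not signatures, validity periods or extensions.

```python
"""Walk a set of certificates by subject/issuer links and report whether the
chain is complete, i.e. ends at a self-signed root CA. Added example modelled
on the Certificate Chain tab description; not CVDM-SSLSM or SSL module code."""

from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def is_self_signed(self) -> bool:
        # A root CA certificate names itself as issuer.
        return self.subject == self.issuer


def chain_status(certs: List[Cert]) -> Tuple[bool, List[str]]:
    """Return (complete, path); path lists subjects from leaf to root.

    complete is True only when the walk from the leaf reaches a self-signed
    certificate. A missing issuer, an issuer loop, or an ambiguous leaf
    (no single certificate that issues nothing else) yields False.
    Only name links are checked; a real validator also verifies every
    signature, validity period and the CA extensions.
    """
    by_subject: Dict[str, Cert] = {c.subject: c for c in certs}
    issuers: Set[str] = {c.issuer for c in certs if not c.is_self_signed}
    leaves = [c for c in certs if c.subject not in issuers]
    if len(leaves) != 1:
        return False, []
    path: List[str] = []
    seen: Set[str] = set()
    cur = leaves[0]
    while True:
        if cur.subject in seen:
            return False, path          # issuer loop, never reaches a root
        seen.add(cur.subject)
        path.append(cur.subject)
        if cur.is_self_signed:
            return True, path           # "CA certificate is the Root"
        nxt = by_subject.get(cur.issuer)
        if nxt is None:
            return False, path          # issuer certificate missing from chain
        cur = nxt


def render_tree(path: List[str]) -> str:
    """Render the chain root-first, indented like the tab's tree view."""
    lines = []
    for depth, subject in enumerate(reversed(path)):
        lines.append("  " * depth + subject)
    return "\n".join(lines)


# Constructed sample chain (placeholder names, not real certificates).
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA")
SUB = Cert("CN=Example Issuing CA", "CN=Example Root CA")
SRV = Cert("CN=www.example.com", "CN=Example Issuing CA")

if __name__ == "__main__":
    for certs in ([SRV, SUB, ROOT], [SRV, SUB]):
        complete, path = chain_status(certs)
        print("complete" if complete else "incomplete")
        print(render_tree(path))
```

With the root omitted, the walk stops at the issuing CA and the chain is reported incomplete, which is exactly the case the Note under "How Do I Import a Certificate Chain" warns about: every root and subordinate CA certificate must be present before the server certificate can be chained to a root.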
Click Operations... and select any one of the following Trustpoint operations:

Trustpoint Operation | Description

Authenticate | Select this option to authenticate a CA certificate. You must configure the enrollment method for the Trustpoint to perform this operation.
For more information on authenticating a Trustpoint, see Authenticating Trustpoints.

Enroll | Select this option to create a certificate request. You must configure the enrollment method and key pair to perform this operation.
For manual enrollment methods (Copy and Paste/TFTP), a certificate request is created. For SCEP enrollment, the certificate request is sent to the CA server.
For SCEP enrollment, you must configure a Challenge Password. If no password is configured, a challenge password dialog box appears.
For more information on enrolling a Trustpoint, see Enrolling Trustpoints.

Authenticate and Enroll | Select this option to authenticate a CA certificate and create a certificate request. For manual enrollment (Copy and Paste/TFTP), a certificate request is created. For SCEP enrollment, the certificate request is sent to the CA server.
You must configure the enrollment method and key pair for the Trustpoint to perform this operation.
For SCEP enrollment, you must configure a Challenge Password. If no password is configured, a challenge password dialog box appears.
For more information on authenticating and enrolling a Trustpoint, see Authenticating and Enrolling Trustpoints.

Import SSL Certificate | Select this option to import an SSL certificate issued by the CA for manual enrollment (Copy and Paste/TFTP).
For more information on importing an SSL certificate, see Importing SSL Certificate Trustpoints.

Renew | Select this option to create a new certificate request. You can optionally regenerate the keys when creating the certificate request.
For manual enrollment methods, a certificate request is created. For SCEP enrollment, the certificate request is sent to the CA server.
This option is enabled only for Trustpoints with an SSL certificate.
For more information on renewing a Trustpoint, see Renewing Trustpoints.

Export | Select this option to export the certificate and private key associated with the Trustpoint. You can export the certificate only if the private key is exportable.
For more information on exporting a Trustpoint, see Exporting Trustpoints.
To edit the Trustpoint configuration, click Edit. For more information on editing Trustpoints, see Editing Trustpoint Configuration
Related Topics
• Certificate Trustpoint Grouper
• Configuring a Certificate Trustpoint Using the Wizard
• Importing Certificates from an External PKI System
Authenticating Trustpoints
The Trustpoint Authentication dialog box provides the authentication details and the status.
To authenticate a trustpoint, do the following:
Step 1
Click Setup at the top of the window, click PKI in the left-most pane, and select Certificate Trustpoints from the object Selector. The Trustpoint page appears.
Step 2
Select a Trustpoint object from the logical group. You can group the Trustpoints using Trustpoint Grouper. The Trustpoint details dialog box appears with the configuration information.
Step 3
Click Operations, then select Authenticate. The Authentication dialog box appears.
Enrolling Trustpoints
To enroll a certificate trustpoint, do the following:
Step 1
Click Setup at the top of the window, click PKI in the left-most pane, and select Certificate Trustpoints from the object Selector. The Trustpoint page appears.
Step 2
Select a Trustpoint object from the logical group. You can group the Certificate Trustpoints using Grouper. The Trustpoint details dialog box appears with the configuration information.
Step 3
Click Operations, then select Enroll.
Authenticating and Enrolling Trustpoints
To authenticate and enroll a certificate trustpoint, do the following:
Step 1
Click Setup at the top of the window, click PKI in the left-most pane, and select Certificate Trustpoints from the object Selector. The Trustpoint page appears.
Step 2
Select a Trustpoint object from the logical group. You can group the Certificate Trustpoints using Grouper. The Trustpoint details dialog box appears with the configuration information.
Step 3
Click Operations, then select Authenticate and Enroll.
Importing SSL Certificate Trustpoints
To import an SSL certificate, do the following:
Step 1
Click Setup at the top of the window, click PKI in the left-most pane, and select Certificate Trustpoints from the object Selector. The Trustpoint page appears.
Step 2
Select a Trustpoint object from the logical group. You can group the Certificate Trustpoints using Grouper. The Trustpoint details dialog box appears with the configuration information.
Step 3
Click Operations, then select Import SSL Certificate.
Renewing Trustpoints
To renew a certificate trustpoint, do the following:
Step 1
Click Setup at the top of the window, click PKI in the left-most pane, and select Certificate Trustpoints from the object Selector. The Trustpoint page appears.
Step 2
Select a Trustpoint object from the logical group. You can group the Certificate Trustpoints using Grouper. The Trustpoint details dialog box appears with the configuration information.
Step 3
Click Operations, then select Renew.
Exporting Trustpoints
To export an SSL certificate, do the following:
Step 1
Click Setup at the top of the window, click PKI in the left-most pane, and select Certificate Trustpoints from the object Selector. The Trustpoint page appears.
Step 2
Select a Trustpoint object from the logical group. You can group the Certificate Trustpoints using Grouper. The Trustpoint details dialog box appears with the configuration information.
Step 3
Click Operations, then select Export SSL Certificate.
Editing Trustpoint Configuration
Step 1
Click Setup at the top of the window, click PKI in the left-most pane, and select Certificate Trustpoints from the object Selector.
Step 2
Select a Trustpoint from the table, then click Edit. The Trustpoint Edit dialog box appears with the following fields:

Field | Action/Description

General
Trustpoint Name | Name of the Trustpoint.
Key Pair Name | Name of the key pair associated with the Trustpoint. Click and select one of the following:
• Create and use a new Key Pair
• Select an existing Key Pair
• Regenerate Key Pair
• Clear the Key Pair
Certificate Purpose | Select the purpose of the certificate from the list:
• ssl-client
• ssl-server

Enrollment Configuration
Enrollment Method | Select one of the following certificate enrollment methods:
• SCEP
• TFTP
• Copy and Paste
CA Server URL | Enter the enrollment URL of the certification authority server.
Retry Count | Enter the number of retries.
Retry Period | Enter the interval between retries.
HTTP Proxy | Enter the IP address of the HTTP proxy.
Port | Enter the port number of the HTTP proxy.
Auto Renewal and Enrollment | Select the checkbox to enable auto renewal and enrollment.
Renewal Percentage (%) | Enter the renewal percentage. Default is 100 %.
Challenge Password | Enter the Challenge Password. Click and select one of the following options:
• Configure a Challenge Password
• Clear Challenge Password
Regenerate Keys on Re-enrollment | Select this checkbox to regenerate the key pair on re-enrollment.

CRL Configuration
x.500 CDP Information | Enter the X.500 CDP information.
You can enter the hostname and port if the CDP is in X.500 DN format. The query takes the information in the following form: ldap://hostname:[port]
For example, if a certificate being validated has the following:
• The X.500 DN is configured with CN=CRL,O=Cisco,C=US
• The associated trustpoint is configured with crl query ldap://10.1.1.1
then the two parts are combined to form the complete URL as follows:
ldap://10.1.1.1/CN=CRL,O=Cisco,C=US
Note
The trustpoint should be associated with the certificate authority certificate that issued the certificate being validated. If there is no such trustpoint in the database, the complete URL cannot be formed, and the CRL download cannot be performed.
CRL Validation | Select the type of CRL validation to be used for the certificate:
• Default—Applies when the trustpoint has been selected to validate a certificate. If the CRL is not in the database or has expired, the SSL module downloads a CRL and saves it to the database for later use. If the CRL download fails, the SSL module rejects the certificate being validated.
• Optional—If the SSL module finds a CRL in the database that has not expired, it performs a CRL lookup. If the SSL module does not find a CRL, it accepts the certificate. The SSL module makes no attempt to download a CRL.
• Best-effort—If the SSL module finds a CRL in the database that has not expired, it performs a CRL lookup. If the SSL module does not find a CRL, it attempts to download a CRL. If the CRL download fails, the SSL module accepts the certificate.

Certificate ACL
Certificate ACL | Enter the Certificate ACL information.
Step 3
Modify the values, then click OK.
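The CDP URL composition and the three CRL validation policies described in the edit dialog, as an added Python model (this is example code, not CVDM-SSLSM or SSL module code). The cdp_url, validate_with_crl and demo functions, the CrlPolicy, Crl and CertToValidate types, and the sample issuer DN, trustpoint mapping and fake download callables are assumptions constructed for the example; the host and DN values reuse the ones from the table above.

```python
"""Model of the CRL handling described for the SSL module: form the LDAP CDP
URL from the issuer trustpoint's 'crl query' base and the certificate's X.500
DN, then apply the Default / Optional / Best-effort policy. Added example;
not CVDM-SSLSM or SSL module code."""

from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, FrozenSet, Optional


class CrlPolicy(Enum):
    DEFAULT = "default"          # fails closed: no usable CRL means reject
    OPTIONAL = "optional"        # never downloads; no usable CRL means accept
    BEST_EFFORT = "best-effort"  # downloads, but fails open if that fails


@dataclass
class Crl:
    revoked_serials: FrozenSet[str]
    expired: bool = False


@dataclass(frozen=True)
class CertToValidate:
    issuer: str    # DN of the issuing CA
    serial: str
    cdp_dn: str    # X.500 DN from the certificate's CDP extension


def cdp_url(crl_query_base: Optional[str], cdp_dn: str) -> Optional[str]:
    """Join 'ldap://host[:port]' from the issuer's trustpoint with the DN.

    Returns None when there is no trustpoint for the issuing CA: without a
    host the module cannot form the complete URL (the Note in the dialog).
    """
    if not crl_query_base:
        return None
    return crl_query_base.rstrip("/") + "/" + cdp_dn


def validate_with_crl(
    policy: CrlPolicy,
    cert: CertToValidate,
    issuer_trustpoints: Dict[str, str],        # issuer DN -> crl query base
    cache: Dict[str, Crl],                     # issuer DN -> CRL in database
    download: Callable[[str], Optional[Crl]],  # fetch by URL; None on failure
) -> str:
    """Return 'accept' or 'reject' following the three policy descriptions."""
    crl = cache.get(cert.issuer)
    if crl is None or crl.expired:
        # No unexpired CRL in the database.
        if policy is CrlPolicy.OPTIONAL:
            return "accept"            # Optional never tries to download
        url = cdp_url(issuer_trustpoints.get(cert.issuer), cert.cdp_dn)
        fresh = download(url) if url else None
        if fresh is None:
            # Download failed, or could not even be attempted.
            return "reject" if policy is CrlPolicy.DEFAULT else "accept"
        cache[cert.issuer] = fresh     # saved to the database for later use
        crl = fresh
    return "reject" if cert.serial in crl.revoked_serials else "accept"


# Constructed sample data (placeholders, not a real CA or CRL server).
ISSUER = "CN=Example Issuing CA,O=Cisco,C=US"
TRUSTPOINTS = {ISSUER: "ldap://10.1.1.1"}
CERT = CertToValidate(issuer=ISSUER, serial="1001", cdp_dn="CN=CRL,O=Cisco,C=US")


def fake_download_ok(url: str) -> Optional[Crl]:
    # Pretend the LDAP server answers only at the expected URL with a CRL
    # that revokes serial 1002 (constructed).
    if url == "ldap://10.1.1.1/CN=CRL,O=Cisco,C=US":
        return Crl(revoked_serials=frozenset({"1002"}))
    return None


def fake_download_fail(url: str) -> Optional[Crl]:
    return None   # simulates an unreachable CDP


def demo() -> Dict[str, str]:
    """Run every policy against an empty database in three situations."""
    results: Dict[str, str] = {}
    for policy in CrlPolicy:
        p = policy.value
        results[f"{p}/download-fails"] = validate_with_crl(policy, CERT, TRUSTPOINTS, {}, fake_download_fail)
        results[f"{p}/download-ok"] = validate_with_crl(policy, CERT, TRUSTPOINTS, {}, fake_download_ok)
        results[f"{p}/no-issuer-trustpoint"] = validate_with_crl(policy, CERT, {}, {}, fake_download_ok)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:32} {verdict}")
```

The demo makes the operational difference visible: with an empty CRL database and an unreachable CDP, only Default rejects; Optional and Best-effort both accept, and Optional accepts without ever attempting a download. A revoked certificate is therefore only guaranteed to be caught under Default, or under the other two policies when a fresh CRL already sits in the database.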
Related Topics
• Selecting Available ACLs
• Selecting Available Key Pairs
Selecting Available ACLs
The following information appears:

Field | Action/Description
Certificate ACLs | The name of the certificate ACL.
Select ACLs from the table, then click OK.
Selecting Available Key Pairs
The following information appears:

Field | Action/Description
Key Pair Name | The name of the key pair.
Key Size | The size of the key pair.
Select key pairs from the table, then click OK.
Deleting Certificates
Step 1
Click Setup at the top of the window, click PKI in the left-most pane, and select Trustpoints from the object Selector.
Step 2
Select a Trustpoint from the table.
Step 3
Click Delete.
Challenge Password
A challenge password is required for SCEP enrollment. If you have not configured a challenge password, the Challenge Password dialog box prompts you for one.
This password is necessary in the event that you ever need to revoke your certificate(s). When you ask the CA administrator to revoke your certificate, you must supply this challenge password as a protection against fraudulent or mistaken revocation requests.
The Challenge Password dialog box has two fields: Challenge Password and Confirm Password. Enter the password and confirm it, then click OK to continue.
How Do I...
This section describes how to accomplish common tasks. The following questions are answered:
• How Do I Configure a Certificate and Enroll with Certificate Authority?
• How Do I Import a CA Certificate to SSLSM?
• How Do I Import Certificates and Keys to SSLSM?
• How Do I Import a Certificate Chain to SSLSM?
• How Do I Export Certificates from SSLSM?
• How Do I Renew a Certificate?
How Do I Configure a Certificate and Enroll with Certificate Authority?
You can use CVDM-SSLSM to configure a certificate and enroll it with a certificate authority.
To configure a certificate and enroll it with a certificate authority, do the following:
Step 1
Click Setup in the task bar. The Setup page appears.
Step 2
Click Wizards in the left-most pane. The Wizards page appears.
Step 3
Select Configure a Certificate Trustpoint, then click Launch the Selected Task.
Step 4
The Certificate Wizard Welcome page appears. Click Next.
Step 5
Enter a valid Trustpoint name, then select Proxy Service Trustpoint from the Trustpoint group.
Step 6
Click Next to continue with the wizard.
Related Topics
• Wizards
• Configuring a Certificate Trustpoint Using the Wizard
How Do I Import a CA Certificate to SSLSM?
You can import a CA certificate using the Certificate Wizard.
To import a CA certificate:
Step 1
Click Setup in the task bar. The Setup page appears.
Step 2
Click Wizards in the left-most pane. The Wizards page appears.
Step 3
Select Configure a Certificate Trustpoint, then click Launch the Selected Task.
Step 4
The Certificate Wizard welcome page appears. Click Next.
Step 5
Enter a valid Trustpoint name, then select CA Trustpoint from the Trustpoint group.
Step 6
Click Next to continue importing a certificate with the wizard.
Related Topics
• Wizards
• Configuring a Certificate Trustpoint Using the Wizard
How Do I Import Certificates and Keys to SSLSM?
You can import certificates and key pairs using the Certificate Import Wizard.
The wizard allows you to import certificates and private keys from an external PKI in PKCS12 or privacy-enhanced mail (PEM) format.
To import Certificates and Key pairs:
Step 1
Click Setup in the CVDM-SSLSM task bar. The Setup page appears.
Step 2
Click Wizards in the left-most pane. The Setup Wizard page appears.
Step 3
Select Import from External PKI System, then click Launch the Selected Task. The Key Pair Import Wizard appears.
You can import files in either of the following formats:
• PKCS12 File
• PEM File
Note
When creating a PKCS12 file, include the entire certificate chain, from server certificate to root certificate, and public and private keys. You can also generate a PKCS12 file from the module and export it.
Note
If you are using SSH, we recommend using SCP when importing or exporting a PKCS12 file. SCP authenticates the host and encrypts the transfer session.
To import PKCS12 files:
a.
Enter certificate format and source, then click Next. The Summary dialog box appears.
b.
Click Finish to complete importing the certificate.
To import PEM files:
a.
Enter the format and source.
b.
Specify the Certificate and Key Files.
c.
Specify the private key.
d.
Specify SSL certificate.
e.
Click Next. The summary dialog box appears.
f.
Click Finish to complete importing the file.
To import a PEM File using Copy-and-Paste method:
a.
Enter the Format and Source
b.
Copy-and-paste the CA Certificate in PEM format.
c.
Click Next. The summary dialog box appears.
d.
Click Finish to complete importing the file.
Related Topics
• Importing Certificates from an External PKI System
How Do I Import a Certificate Chain to SSLSM?
You can import a certificate chain using PKCS12 or PEM file.
To import a certificate chain in PKCS12 file:
Step 1
While creating a PKCS12 file, include the entire certificate chain, from SSL certificate to root certificate, and private keys.
Step 2
Import the PKCS12 file using Certificate Import Wizard. For more information on importing Certificates, see Importing Certificates from an External PKI System
To import a certificate chain in PEM format:
Step 1
Import each of the root and subordinate certificate authority certificates one by one using the CA Trustpoint option in the Certificate Trustpoint Wizard. For more information on the Certificate Trustpoint Wizard, see Wizards.
Step 2
Import the SSL certificate and Private Key using the Certificate Import Wizard. For more information on importing Certificates, see Importing Certificates from an External PKI System
How Do I Export Certificates from SSLSM?
You can export certificates in PKCS12 file format or privacy-enhanced mail (PEM) file format.
To export Certificates from CVDM-SSLSM:
Step 1
Click Setup at the top of the window, click PKI in the left-most pane, and select Trustpoints from the object Selector. The Trustpoint page appears.
Step 2
Select a Trustpoint node from the logical group. You can group the Trustpoints using Trustpoint Grouper.
Step 3
Select a Trustpoint from the list.
Step 4
Click Operations, then select Export from the popup menu. The Trustpoint Export Wizard appears.
Step 5
Select one of the following file formats:
• PKCS12
• PEM
To export a PKCS12 File:
a.
Enter the certificate format and destination, then click Next. The summary page appears.
b.
Click Finish to complete exporting the file.
To export a PEM File:
a.
Enter the certificate format and destination, then click Next. Select one of the following destination types:
• Local Hard Disk—to export certificates and keys to the client workstation.
• Copy-and-Paste—to export certificates and keys through copy-and-paste.
• Remote System—to export certificates and keys using TFTP, FTP, RCP or SCP.
b.
Specify the certificate and key files. The fields change depending on the destination you have selected.
c.
Click Finish to complete exporting the files.
Related Topics
• Exporting Certificates Using the Wizard
How Do I Renew a Certificate?
You can renew Certificates and Key pairs.
Step 1
Click Setup at the top of the window, click PKI in the left-most pane, and select Trustpoints from the object Selector. The Trustpoint page appears.
Step 2
Select a Trustpoint node from the logical group. You can group the Trustpoints using Trustpoint Grouper.
Step 3
Select a Trustpoint from the list.
Step 4
Click Operations, then select Renew from the popup menu.