Table Of Contents
Managing Certificate ACLs
Viewing Certificate ACLs
Assigning Certificate ACLs to Trustpoints
Viewing Associated Trustpoints
Adding Certificate ACL
Editing Certificate ACLs
Deleting Certificate ACLs
Managing Certificate ACLs
Certificates are used to identify an entity (a user or device) and, using fields within the certificate, to associate attributes with that entity. The certificates include several fields that determine whether the entity is authorized to perform a specified action. The Certificate Security Attribute-Based Access Control feature adds a new command, crypto CA certificate ACL, and new fields to the certificate that create the certificate-based access control list (ACL).
The certificate-based ACL specifies one or more fields within the certificate and an acceptable value for each specified field. You can specify which fields within a certificate should be checked and which values those fields may or may not have. There are six logical tests for comparing the field with the value:
• equal
• not equal
• contains
• does not contain
• less than
• greater than or equal
If more than one field is specified within a single certificate-based ACL, the tests of all of the fields within the ACL must succeed to match the ACL.
The same field may be specified multiple times within the same ACL.
More than one ACL may be specified. Each ACL will be processed in turn until a match is found or all of the ACLs have been processed.
CVDM-SSLSM lets you define Certificate ACLs (Certificate Security Attribute-Based Access Control) based on the attributes of the peer certificate.
These topics describe usage of certificate-based ACLs in CVDM-SSLSM:
• Viewing Certificate ACLs
• Adding Certificate ACL
• Editing Certificate ACLs
• Assigning Certificate ACLs to Trustpoints
• Deleting Certificate ACLs
Viewing Certificate ACLs
You can view all certificate ACLs configured in the device.
Step 1
Click Setup at the top of the window, click PKI in the left-most pane, and select Certificate Trustpoints > Certificate ACLs from the object selector.
The following fields appear:
Field | Description
Name | Name or tag associated with the Certificate ACL
Number of ACL Entries | Number of ACL entries
Number of Trustpoints (Use Count) | Number of Trustpoints
To view the details of a certificate ACL, select a certificate ACL from the table. The following details are displayed at the lower section of the content pane:
Field | Description
Certificate ACL Details: <Certificate ACL name>
Certificate ACL Entries and Criteria
Sequence | The sequence numbers of the Certificate ACL entries.
Select a certificate ACL entry by selecting the corresponding sequence number to view the details.
Field | Description
Certificate Field | The Certificate Field to be examined for Access Control. The field name is one of the following case-insensitive name strings or a date:
• subject-name
• issuer-name
• unstructured-subject-name
• alt-subject-name
• name
• valid-start
• expires-on
Match Condition | The following match conditions are supported:
• Equals (eq)
• Not Equals (neq)
• Contains (co)
• Not Contains (nc)
• Less than (lt)
• Greater than or Equals (ge)
Match Value | The name or date to test with the logical operator assigned by the match condition.
Select a certificate ACL from the list, then click Assign to Trustpoints to assign a certificate ACL to a trustpoint.
Click Add to add a certificate ACL.
To edit a certificate ACL, select a certificate ACL and click Edit.
To delete a certificate ACL, select a certificate ACL and click Delete.
To view Trustpoints associated with a certificate ACL, select a certificate ACL and click View Associated Trustpoints.
Assigning Certificate ACLs to Trustpoints
You can assign any certificate ACL configured in the device to one or more trustpoints.
Step 1
Click Setup at the top of the window, click PKI in the left-most pane, and select Trustpoints > Certificate ACLs from the object selector.
Step 2
Select a Certificate ACL from the list, and click Assign to Trustpoints. The Assign to Trustpoint dialog box appears.
The following fields appear:
Field | Description
Certificate ACL Name | The name of the certificate ACL.
Trustpoint Name | The trustpoint associated with the Certificate ACL.
CA Name | The CA name of the associated trustpoint.
Subject Name | The subject name of the certificate.
Selected Trustpoints | Trustpoints associated with the certificate ACL.
Step 3
Select the Trustpoints from the list, and click Add>> to assign the certificate ACL. Click << Remove to remove the trustpoint from the selected list.
Viewing Associated Trustpoints
To view the Trustpoints associated with a Certificate ACL:
Step 1
Click Setup at the top of the window, click PKI in the left-most pane, and select Trustpoints > Certificate ACLs from the object selector.
Step 2
Select a Certificate Map from the table. The Certificate ACL details appear at the lower section of the content window.
Step 3
Select a sequence from the sequence list, then click View Associated Trustpoints.
The following details appear for the associated Trustpoints:
Field | Description
Trustpoint Name | The trustpoint associated with the Certificate ACL.
CA Name | The CA name of the associated trustpoint.
Subject Name | The subject of the associated trustpoint.
Adding Certificate ACL
Step 1
Click Setup at the top of the window, click PKI in the left-most pane, and select Trustpoints > Certificate ACLs from the object selector. The Certificate ACLs page appears.
Step 2
Click Add. The Add Certificate ACL dialog box appears.
Using this dialog box you can:
• Add a new ACL entry
• Remove an existing ACL entry
• Add new criteria to an existing ACL entry
• Remove criteria from an existing ACL entry
The dialog box displays the following fields:
Field | Action/Description
Certificate ACL Name | Name or Tag associated with the Certificate Map.
Certificate ACL Entries and Criteria
Certificate ACL Entry | To add a new ACL Entry, enter the ACL sequence number in the New ACL Entry field, then click >> Add. To remove an ACL Entry, select the ACL entry from the sequence list, then click << Remove.
Sequence | The sequence number of the ACL entry. Valid range is from 1 to 65535.
Certificate Field | Select one of the following certificate fields to be examined for Access Control:
• Subject Name
• Alternate Subject Name
• Any subject name field
• Unstructured subject name
• Issuer name
• Valid start date
• Expiry date
Match Condition | The following match conditions are supported:
• Equals (eq)
• Not Equals (neq)
• Contains (co)
• Not Contains (nco)
• Less than (lt)
• Greater than or Equals (ge)
Match Value | Certificate Field value
To add new criteria to the ACL entry, select a certificate field and match condition, then enter the match value and click Add. The values you entered appear in the table. To remove a criterion from the ACL entry, select a row in the table, then click Remove.
Step 3
Click OK to complete the task.
Editing Certificate ACLs
Step 1
Click Setup at the top of the window, click PKI in the left-most pane, and select Trustpoints > Certificate ACLs from the object selector. The Certificate ACLs page appears.
Step 2
Select a Certificate ACL from the list, then click Edit. The Edit Certificate Map dialog box appears.
Using this dialog box you can:
• Add a new ACL entry
• Remove an existing ACL entry
• Add new criteria to an existing ACL entry
• Remove criteria from an existing ACL entry
The page displays the following fields:
Field | Description
Certificate ACL Name | Name associated with the Certificate ACL
Certificate ACL Entries and Criteria
Certificate ACL Entry | To add a new ACL Entry, enter the ACL sequence number in the New ACL Entry field, then click ADD. To remove an ACL Entry, select the ACL entry from the sequence list, then click Remove.
Sequence | The sequence number of the ACL entry. Valid range is from 1 to 65535.
Certificate Field | Select one of the following certificate fields to be examined for Access Control:
• Subject Name
• Alternate Subject Name
• Any subject name field
• Unstructured subject name
• Issuer name
• Valid start date
• Expiry date
Match Condition | The following match conditions are supported:
• Equals (eq)
• Not Equals (neq)
• Contains (co)
• Not Contains (nco)
• Less than (lt)
• Greater than or Equals (ge)
Match Value | Certificate Field value
To add new criteria to the ACL entry, select a certificate field and match condition, then enter the match value and click Add. The values you entered appear in the table. To remove a criterion from the ACL entry, select a row in the table, then click Remove.
Step 3
Click OK to save the edited certificate ACL.
Deleting Certificate ACLs
Step 1
Click Setup at the top of the window, click PKI in the left-most pane, and select Trustpoints > Certificate ACLs from the object selector. The Certificate ACLs page appears.
Step 2
Select a certificate ACL, then click Delete.