Need an account?

Create an account

Help

SSL Guide vA3(1.0), Cisco ACE 4700 Series Application Control Engine Appliance

Book Contents

Find Matches in This Book

Available Languages

Download Options

Book Title

SSL Guide vA3(1.0), Cisco ACE 4700 Series Application Control Engine Appliance

Chapter Title

Displaying SSL Certificate and Key Pair Information

PDF - Complete Book (2.3 MB) PDF - This Chapter (155.0 KB)
View with Adobe Reader on a variety of devices

Results

Chapter: Displaying SSL Certificate and Key Pair Information

Displaying CSR Parameter Set Configurations
Displaying the List of Certificate and Key Pair Files
Displaying Certificate Information
Displaying CRL Information
Displaying RSA Key Pair Information
Displaying Certificate Chain Group Information
Displaying Client Authentication Group Information
Displaying Cached TLS and SSL Session Entries
Displaying TLS and SSL Statistics

Displaying SSL Information and Statistics

This chapter describes how to use the available show commands to display SSL-related information, such as the certificate and key pair files loaded on the ACE. The show commands display information associated with the context from which you execute the command. Each command described in this chapter also includes an explanation of the command output.

While the show commands are Exec mode commands, you can execute a show command from any configuration mode by using the do command. The following examples show how to execute the show running-config command from either Exec mode or configuration mode.

From Exec mode, enter:

host1/Admin# show running-config

From configuration mode, enter:

host1/Admin(config)# do show running-config

This chapter contains the following major sections:

•Displaying CSR Parameter Set Configurations

•Displaying the List of Certificate and Key Pair Files

•Displaying Certificate Information

•Displaying CRL Information

•Displaying RSA Key Pair Information

•Displaying Certificate Chain Group Information

•Displaying Client Authentication Group Information

•Displaying Cached TLS and SSL Session Entries

•Displaying TLS and SSL Statistics

Displaying CSR Parameter Set Configurations

To display the CSR parameter set summary and detailed reports, use the show crypto csr-params command in Exec mode.

The syntax of this command is as follows:

show crypto csr-params {params_set | all}

The arguments and keywords are:

•params_set— argument is a specific CSR parameter set. Enter an unquoted alphanumeric string with a maximum of 64 characters. The ACE displays the detailed report for the specified CSR parameter set. The detailed report contains the distinguished name attributes of the CSR parameter set.

•To display the summary report that lists all the CSR parameter sets for the current context, enter the command without specifying a CSR parameter set.

For example, to display the CSR parameter set summary report, enter:

host1/Admin# show crypto csr-params all

The following example shows how to display the detailed report for the MYCSRCONFIG CSR parameter set:

host1/Admin# show crypto csr-params MTCSRCONFIG

Table 6-1 describes the fields in the show crypto csr-params command output.

Table 6-1 Field Descriptions for the show crypto csr-params config_name Command
Field	Description
Country-name	Country where the certificate owner resides.
State	State where the certificate owner resides.
Locality	Locality where the certificate owner resides.
Org-name	Name of the organization (certificate owner or subject).
Org-unit	Name of unit within the organization.
Common-name	Common-name (domain name or individual hostname of the SSL site).
Serial number	Serial number.
Email	E-mail address.

Displaying the List of Certificate and Key Pair Files

To display a list of all available certificate and key pair files, use the show crypto files command in Exec mode.

For example, to display the list of certificate and key pair files, enter:

host1/Admin# show crypto files

Table 6-2 describes the fields in the show crypto files command output.

Table 6-2 Field Descriptions for the show crypto files
Command
Field	Description
Filename	Name of the file that contains the certificate or key pair.
Size	Size of the file.
Type	Format of the file: PEM, DER, or PKCS12.
Exportable	Indicates whether you can export the file from the ACE using the crypto export command: •Yes—You can export the file to an FTP, SFTP, or TFP server (see the "Exporting Certificate and Key Pair Files" section in Chapter 2, "Managing Certificates and Keys"). •No—You cannot export the file as it is protected.
Key/Cert	Indicates whether the file contains a certificate (CERT), a key pair (KEY), or both (BOTH).

Displaying Certificate Information

To display the certificate summary and detailed reports, use the show crypto certificate command in Exec mode.

The syntax of this command is as follows:

show crypto certificate {filename | all}

The keywords and arguments are as follows:

•filename—Name of a specific certificate file. Enter an unquoted alphanumeric string with a maximum of 40 characters. The ACE displays the certificate detailed report for the specified file. If the certificate file contains a chain, the ACE displays only the bottom level certificate (the signers are not displayed).

•all—Displays the certificate summary report that lists all the certificate files for the current context.

For example, to display the certificate summary report, enter:

host1/Admin# show crypto certificate all

Table 6-3 describes the fields in the show crypto certificate all command output.

Table 6-3 Field Descriptions for the show crypto certificate all Command
Field	Description
Certificate file	Name of the certificate file.
Subject	Distinguished name of the organization that owns the certificate and possesses the private key.
Issuer	Distinguished name of the Certificate Association (CA) that issued the certificate.
Not Before	Starting time period, before which the certificate is not considered valid.
Not After	Ending time period, after which the certificate is not considered valid.
CA Cert	Certificate of the CA that signed the certificate.

The following example shows how to display the detailed report for the MYCERT.PEM certificate file:

host1/Admin# show crypto certificate MYCERT.PEM

Table 6-4 describes the fields in the show crypto certificate filename command output.

Table 6-4 Field Descriptions for the show crypto certificate filename Command
Field	Description
Certificate	Name of the certificate file.
Data
Version	Version of the X.509 standard. The certificate complies with this version of the standard.
Serial Number	Serial number associated with the certificate.
Signature Algorithm	Digital signature algorithm used for the encryption of information with a public/private key pair.
Issuer	Distinguished name of the CA that issued the certificate.
Validity
Not Before	Starting time period, before which the certificate is not considered valid.
Not After	Ending time period, after which the certificate is not considered valid.
Subject	Distinguished name of the organization that owns the certificate and possesses the private key.
Subject Public Key Info
Public Key Algorithm	Name of the key exchange algorithm used to generate the public key (for example, RSA).
RSA Public Key	Number of bits in the key to define the size of the RSA key pair used to secure web transactions.
Modulus	Actual public key on which the certificate was built.
Exponent	One of the base numbers used to generate the key.
X509v3 Extensions	Array of X509v3 extensions added to the certificate.
X509v3 Basic Constraints	Indicates whether the subject may act as a CA, with the certified public key being used to verify certificate signatures. If so, a certification path length constraint may also be specified.
Netscape Comment	Comment that may be displayed when the certificate is viewed.
X509v3 Subject Key Identifier	Public key to be certified. It enables distinct keys used by the same subject to be differentiated (for example, as key updating occurs).
X509v3 Authority Key Identifier	Public key to be used to verify the signature on this certificate or CRL. It enables distinct keys used by the same CA to be distinguished (for example, as key updating occurs).
Signature Algorithm	Name of the algorithm used for digital signatures (but not for key exchanges).
Hex Numbers	Actual signature of the certificate. The client can regenerate this signature using the specified algorithm to make sure that the certificate data has not been changed.

Displaying CRL Information

To display a list of certificate revocation lists (CRLs) or definitions for a specified CRL in a context, use the show crypto crl command in Exec mode. The syntax of this command is as follows:

show crypto crl {crl_name | all}

The keywords and arguments are as follows:

•crl_name—Name of a specific CRL configured in the context. Enter an unquoted alphanumeric string. The ACE displays the definitions for the specified CRL.

•all—Displays a lists of all CRLs configured in the context.

For example, to display a list of all CRLs, enter:

host1/Admin# show crypto crl all

To display the definitions for a specific CRL, for example CRL1, enter:

host1/Admin# show crypto crl CRL1

Table 6-5 describes the fields in the show crypto crl crl_name command output.

Table 6-5 Field Descriptions for the show crypto crl Command
Field	Description
URL	URL where the ACE downloads the CRL.
Last Downloaded	Last time the ACE downloaded the CRL. If the CRL is configured on an SSL-proxy service on a policy map that is not active or the service is not associated with a policy map, the field displays the "not downloaded yet" message.
Total Number of Download Attempts (for This Name of CRL)	Total number of successful download attempts for a named CRL. Note Multiple logical configured CRL names may point to the same CRL data.
Failed Download Attempts (for This Name of CRL)	Number of failed download attempts for a named CRL. Note Multiple logical configured CRL names may point to the same CRL data.
Total Number of Download Attempts for Real CRL Data	Total number of successful download attempts for the real CRL downloaded to the ACE for client authentication on an SSL proxy service.
Failed Download Attempts for Real CRL Data	Number of failed download attempts for the real CRL downloaded to the ACE for client authentication on an SSL proxy service.

Note To view whether the ACE rejects client certificates when the CRL in use is expired, use the show parameter-map command.

Displaying RSA Key Pair Information

To display the key pair file summary and detailed reports, use the show crypto key command in Exec mode.

The syntax of this command is as follows:

show crypto key {filename | all}

The keywords and arguments are as follows:

•filename—Name of a specific key pair file. Enter an unquoted alphanumeric string with a maximum of 40 characters. The ACE displays the key pair detailed report for the specified file.

•all—Displays the key pair summary report that lists all of the available key pair files.

For example, to display the key pair summary report, enter:

host1/Admin# show crypto all

Table 6-6 describes the fields in the show crypto key command output.

Table 6-6 Field Descriptions for the show crypto key Command
Field	Description
Filename	Name of the key pair file that contains the RSA key pair.
Bit Size	Size of the file.
Type	Type of key exchange algorithm, such as RSA.

The following example shows how to display the detailed report for the public and private keys contained in the MYKEYS.PEM key pair file:

host1/Admin# show crypto key MYKEYS.PEM

1024-bit RSA keypair

Table 6-7 describes the fields in the show crypto key filename command output.

Table 6-7 Field Descriptions for the show crypto key filename Command
Field	Description
Key Size	Size (in bits) of the RSA key pair.
Modulus	Hex value of the public key. The private key modulus is not shown for security purposes.

Displaying Certificate Chain Group Information

To display the chain group file summary and detailed reports, use the show crypto chaingroup command in Exec mode.

The syntax of this command is as follows:

show crypto chaingroup {filename | all}

The keywords and arguments are as follows:

•filename—Name of a specific chain group file. Enter an unquoted alphanumeric string with a maximum of 64 characters. The ACE displays the chain group detailed report for the specified file. The detailed report contains a list of the certificates configured for the chain group.

•all—Displays the chain group summary report that lists each of the available chain group files. The summary report also lists the certificates configured for each chain group.

For example, to display the chain group summary report, enter:

host1/Admin# show crypto chaingroup all

The following example shows how to display the detailed report of the certificates configured for the MYCERTGROUP chain group:

host1/Admin# show crypto chaingroup MYCERTGROUP

Table 6-8 describes the fields in the show crypto chaingroup command output.

Table 6-8 Field Descriptions for the show crypto chaingroup Command
Field	Description
Certificate	Certificate filename.
Subject	Distinguished name of the organization that owns the certificate and possesses the private key.
Issuer	Distinguished name of the CA that issued the certificate.

Displaying Client Authentication Group Information

To display a list of certificates for each authentication group or the certificates in a specified client authentication group including the Subject and Issuer information for each certificate, use the show crypto authgroup command in Exec mode.

The syntax of this command is as follows:

show crypto authgroup {group_name | all}

The keywords and arguments are as follows:

•group_name—Name of a specific authentication group file. Enter an unquoted alphanumeric string with a maximum of 64 characters.

•all—Displays the list of certificates for each authentication groups.

For example, to display the list of certificates for each authentication group, enter:

host1/Admin# show crypto authgroup all

To display each certificate for the AUTH-CERT1 group including the Subject and Issuer information for each certificate, enter:

host1/Admin# show crypto authgroup AUTH-CERT1

Table 6-9 describes the fields in the show crypto authgroup group_name command output.

Table 6-9 Field Descriptions for the show crypto authgroup group_name Command
Field	Description
Certificate	Certificate filename.
Subject	Distinguished name of the organization that owns the certificate and possesses the private key.
Issuer	Distinguished name of the CA that issued the certificate.

Displaying Cached TLS and SSL Session Entries

To display the number of cached TLS and SSL client and server session entries in the current context, use the show crypto session command in Exec mode.

The syntax of this command is as follows:

show crypto session

For example, enter:

host1/Admin# show crypto session

Displaying TLS and SSL Statistics

To display TLS and SSL client or server statistics for the current context, use the show stats crypto command in Exec mode.

The syntax of this command is as follows:

show stats crypto {client | server}

The keywords are as follows:

•client—Displays the TLS and SSL client statistics.

•server—Displays TLS and SSL server statistics.

For example, to display the client statistics, enter:

host1/Admin# show stats crypto client

To display the server statistics, enter:

host1/Admin# show stats crypto server

Table 6-10 describes the fields in the show stats crypto command output.

Table 6-10 Field Descriptions for the show stats crypto
Command
Field	Description
SSL alert... rcvd/sent	Number of times that the standard SSL alert messages are received or sent.
SSLv2/v3 client hello received	Number of ClientHello message received.
SSLv3/TLSv1 negotiated protocol	Number of the times that the version is used in the connection.
SSLv3 full handshakes	Number of handshakes completed without errors.
SSLv3 resumed handshakes	Number of handshakes resumed by using a session ID.
Cipher sslv3...	Number of times that the cipher suite is used in the connection.
TLSv1 full handshakes	Number of handshakes completed without errors.
TLSv1 resumed handshakes	Number of handshakes resumed by using a session ID.
Cipher tlsv1...	Number of times that the cipher suite is used in the connection.
Total SSL client authentications	Number of authenticated client connections. This field increments only when displaying server statistics.
Failed SSL client authentications	Number of client connections that failed authentication. This field increments only when displaying server statistics.
SSL client authentication cache hits	Number of times that an authenticated client reconnects and a cache entry is found. This field increments only when displaying server statistics.
SSL static CRL lookups	Number of lookups against a statically defined CRL.
SSL best effort CRL lookups	Number of lookups using the best effort.
SSL CRL lookup cache hits	Number of CRL lookups where the cache result was used.
SSL revoked certificates	Number of revoked certificates encountered.
SSL CRL download failed	Number of CRL downloads that failed.
Total SSL server authentications	Number of server certificate authentications that the ACE attempted to perform. This field increments only when displaying client statistics.
Failed SSL server authentications	Number of server certificate authentications that failed. This field increments only when displaying client statistics.
Handshake FlushRX/TX operations	Number of times that the SSL handshake finished.
Xscale messages rcvd/sent for ME	Number of messages passed between the SSL processors during the SSL handshake.
Xscale rcvd abort msg before hdshk	Number of times that the SSL handshake was aborted.
Finish msg split across ssl recs	Number of times that the SSL Finished message was split by the client into multiple SSL records.
Fasttx msg ring full	Debug tools for use by Cisco personnel only.
SSL_ME tx msg
N2 . . .

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)

SSL Guide vA3(1.0), Cisco ACE 4700 Series Application Control Engine Appliance

Results

Chapter: Displaying SSL Certificate and Key Pair Information

Displaying SSL Information and Statistics

Displaying CSR Parameter Set Configurations

Displaying the List of Certificate and Key Pair Files

Displaying Certificate Information

Displaying CRL Information

Displaying RSA Key Pair Information

Displaying Certificate Chain Group Information

Displaying Client Authentication Group Information

Displaying Cached TLS and SSL Session Entries

Displaying TLS and SSL Statistics

Was this Document Helpful?

Contact Cisco

Related Cisco Community Discussions