To download the
diagnostic signature (DS) file, you require the secure HTTP (HTTPS) protocol.
If you have already configured an email transport method to download files on
your device, you must change your assigned profile transport method to HTTPS to
download and use DS.
Cisco software uses a
PKI Trustpool Management feature, which is enabled by default on devices, to
create a scheme to provision, store, and manage a pool of certificates from
known certification authorities (CAs). The trustpool feature installs the CA
certificate automatically. The CA certificate is required for the
authentication of the destination HTTPS servers.
There are two types
of DS update requests to download DS files: regular and forced-download.
Regular download requests DS files that were recently updated. You can
trigger a regular download request either by using a periodic configuration or
by initiating an on-demand CLI. The regular download update happens only when
the version of the requested DS is different from the version of the DS on the
device. Periodic download is only started after there is any DS assigned to the
device from DS web portal. After the assignment happens, the response to the
periodic inventory message from the same device will include a field to notify
device to start its periodic DS download/update. In a DS update request
message, the status and revision number of the DS is included such that only a
DS with the latest revision number is downloaded.
Forced-download
downloads a specific DS or a set of DSes. You can trigger the forced-download
update request only by initiating an on-demand CLI. In a forced-download update
request, the latest version of the DS file is downloaded irrespective of the
current DS file version on the device.
The DS file is
digitally signed, and signature verification is performed on every downloaded
DS file to make sure it is from a trusted source.
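The following added example (not Cisco code) models the two request types and the verify-before-install step described above. The message layout, function names, and DS ids are hypothetical, and HMAC-SHA256 stands in for the DS digital signature, whose actual scheme is not described here.

```python
import hashlib
import hmac

# Constructed demo key. HMAC-SHA256 is only a stand-in for the real DS
# signature scheme, which this page does not describe (assumption).
DEMO_KEY = b"constructed-demo-key"

def sign(body: bytes) -> bytes:
    """Portal side: produce the stand-in signature for a DS file body."""
    return hmac.new(DEMO_KEY, body, hashlib.sha256).digest()

def verify(body: bytes, signature: bytes) -> bool:
    """Device side: constant-time check of the stand-in signature."""
    return hmac.compare_digest(sign(body), signature)

def select_downloads(requested, device_revs, portal, forced=False):
    """Return the DS ids that an update request results in downloading.

    requested   -- DS ids named in the request (hypothetical layout)
    device_revs -- {ds_id: revision currently on the device}
    portal      -- {ds_id: (revision, body, signature)} held by the portal
    A regular request skips a DS whose revision matches the device's copy;
    a forced-download request fetches it regardless.
    """
    chosen = []
    for ds_id in requested:
        if ds_id not in portal:
            continue  # nothing assigned under this id
        portal_rev = portal[ds_id][0]
        if forced or device_revs.get(ds_id) != portal_rev:
            chosen.append(ds_id)
    return chosen

def update(requested, device_revs, portal, forced=False):
    """Download, verify, then install. Returns (installed, rejected) ids."""
    installed, rejected = [], []
    for ds_id in select_downloads(requested, device_revs, portal, forced):
        rev, body, sig = portal[ds_id]
        # Every downloaded file is verified, forced downloads included.
        if not verify(body, sig):
            rejected.append(ds_id)  # fail closed: device keeps its revision
            continue
        device_revs[ds_id] = rev
        installed.append(ds_id)
    return installed, rejected
```

A rejected DS leaves `device_revs` unchanged, so the next regular request still sees a revision mismatch and retries the download.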