Implementing and Managing PKI Features Roadmap


First Published: June 14, 2010
Last Updated: June 14, 2010

This roadmap lists the public key infrastructure (PKI) features that are documented in the Cisco IOS XE Security Configuration Guide: Secure Connectivity and maps them to the modules in which they appear. For any feature, click the link in the "Where Documented" column to view the module that contains information about the feature.

Feature and Release Support

Table 1 lists PKI feature support for Cisco IOS XE software.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.


Note: Table 1 lists only the Cisco IOS XE software release that introduced support for a given feature. Unless noted otherwise, subsequent Cisco IOS XE releases also support that feature.


Table 1 Supported PKI Features

Each entry below gives the release that introduced the feature, the feature name, the feature description, and where the feature is documented.

Release: 2.1
Feature Name: Persistent Self-Signed Certificates
Feature Description: This feature allows users of the HTTPS server to generate and save self-signed certificates in the router's startup configuration. Thus, future SSL handshakes between the client and the HTTPS server can use the same self-signed certificate without user intervention.
Where Documented: "Configuring Certificate Enrollment for a PKI" module

Release: 2.1
Feature Name: PKI AAA Authorization Using the Entire Subject Name
Feature Description: This feature lets users query the AAA server using the entire subject name from the certificate as a unique AAA username.
Where Documented: "Configuring Authorization and Revocation of Certificates in a PKI" module

Release: 2.1
Feature Name: PKI Status
Feature Description: This feature adds the status keyword to the show crypto pki trustpoints command, which lets you view the current status of the trustpoint. Before this feature, you had to issue the show crypto pki certificates and show crypto pki timers commands to determine the current status.
Where Documented: "Configuring Certificate Enrollment for a PKI" module

Release: 2.1
Feature Name: Re-Enroll Using Existing Certificates
Feature Description: This feature lets users re-enroll a router with a Cisco IOS XE CA using existing certificates from a third-party vendor CA.
Where Documented: "Configuring Certificate Enrollment for a PKI" module

Release: 2.1
Feature Name: Key Rollover for Certificate Renewal
Feature Description: This feature allows the certificate renewal request to be made before a certificate expires. The old key and certificate are retained until the new certificate is available.
Where Documented: "Configuring Certificate Enrollment for a PKI" module

Release: 2.1
Feature Name: PKI: Query Multiple Servers During Certificate Revocation Check
Feature Description: This feature lets Cisco IOS XE software make multiple attempts to retrieve the certificate revocation list (CRL), which allows operations to continue when a particular server is not available. Also, this feature lets you override the CRL distribution points (CDPs) in a certificate with a manually configured CDP.
Manually overriding the CDPs in a certificate can be advantageous when a particular server is unavailable for a long period of time. The certificate's CDPs can be replaced with a URL or directory specification without reissuing all of the certificates that contain the original CDP.
Where Documented: "Configuring Authorization and Revocation of Certificates in a PKI" module

Release: 2.1
Feature Name: Protected Private Key Storage
Feature Description: This feature lets a user encrypt and lock the RSA private keys that are used on a Cisco IOS XE router, which prevents unauthorized use of the private keys.
Where Documented: "Deploying RSA Keys Within a PKI" module

Release: 2.1
Feature Name: Import of RSA Key Pair and Certificates in PEM Format
Feature Description: This feature lets users import or export RSA key pairs as PEM-formatted files. PEM-formatted files let users directly use existing RSA key pairs on their Cisco IOS XE routers instead of generating new keys. Also, users can issue certificate requests and receive issued certificates in PEM-formatted files.
Where Documented: "Deploying RSA Keys Within a PKI" module and "Configuring Certificate Enrollment for a PKI" module

Release: 2.1
Feature Name: Using Certificate ACLs to Ignore Revocation Check and Expired Certificates
Feature Description: This feature allows a certificate that meets specified criteria to be accepted regardless of its validity period, or to be accepted without revocation checking being performed.
Certificate ACLs are used to specify the criteria that the certificate must meet to be accepted or to avoid revocation checking. In addition, if AAA communication is protected by a certificate, this feature allows the AAA checking of the certificate to be ignored.
Where Documented: "Configuring Authorization and Revocation of Certificates in a PKI" module

Release: 2.1
Feature Name: Direct HTTP Enrollment with CA Servers
Feature Description: This feature lets users configure an enrollment profile if their CA server does not support the Simple Certificate Enrollment Protocol (SCEP) and they do not want to use a registration authority (RA) as a proxy. The enrollment profile lets users send HTTP requests directly to the CA server instead of to the RA proxy.
Where Documented: "Configuring Certificate Enrollment for a PKI" module

Release: 2.1
Feature Name: Online Certificate Status Protocol (OCSP)
Feature Description: This feature lets users enable OCSP instead of CRLs to check certificate status. Unlike CRLs, which provide only periodic certificate status, OCSP can provide timely information regarding the status of a certificate.
Where Documented: "Configuring Authorization and Revocation of Certificates in a PKI" module

Release: 2.1
Feature Name: PKI Integration with AAA Server
Feature Description: This feature provides additional scalability for authorization by generating a AAA username from the certificate presented by the peer. A AAA server is queried to determine whether the certificate is authorized for use by the internal component. The authorization is indicated by a component-specified label that must be present in the attribute-value (AV) pair for the user.
Where Documented: "Configuring Authorization and Revocation of Certificates in a PKI" module

Release: 2.1
Feature Name: Certificate Security Attribute-Based Access Control
Feature Description: Under the IPsec protocol, CA interoperability permits a Cisco IOS XE device and a CA to communicate so that the device can obtain and use digital certificates from the CA.
Certificates contain several fields that are used to determine whether a device or user is authorized to perform a specified action. This feature adds fields to the certificate that allow specifying an ACL in order to create a certificate-based ACL.
Where Documented: "Configuring Authorization and Revocation of Certificates in a PKI" module

Release: 2.1
Feature Name: Exporting and Importing RSA Keys
Feature Description: This feature lets you transfer security credentials between devices by exporting and importing RSA keys. The key pair that is shared between two devices allows one device to immediately and transparently take over the functionality of the other device.
Where Documented: "Deploying RSA Keys Within a PKI" module

Release: 2.1
Feature Name: Manual Certificate Enrollment (TFTP Cut-and-Paste)
Feature Description: This feature lets users generate a certificate request and accept CA certificates as well as the router's certificates via a TFTP server or manual cut-and-paste operations.
Where Documented: "Configuring Certificate Enrollment for a PKI" module

Release: 2.1
Feature Name: Certificate Autoenrollment
Feature Description: This feature introduces certificate autoenrollment, which lets the router automatically request a certificate from the CA, using the parameters in the configuration.
Where Documented: "Configuring Certificate Enrollment for a PKI" module

Release: 2.1
Feature Name: Certificate Enrollment Enhancements
Feature Description: This feature introduces five new crypto pki trustpoint subcommands that provide new options for certificate requests and let users specify fields in the configuration instead of going through prompts.
Where Documented: "Configuring Certificate Enrollment for a PKI" module

Release: 2.1
Feature Name: Multiple RSA Key Pair Support
Feature Description: This feature lets users configure a router to have multiple RSA key pairs. Thus, the Cisco IOS XE software can maintain a different key pair for each identity certificate.
Where Documented: "Deploying RSA Keys Within a PKI" module

Release: 2.1
Feature Name: Trustpoint CLI
Feature Description: This feature introduces the crypto pki trustpoint command, which adds support for trustpoint CAs.
Where Documented: "Configuring Certificate Enrollment for a PKI" module