CISCO-PKI-PARTICIPATION-MIB
A networking device may provide several security services and protocols like SSL, SSH, IPSec/IKE etc. which need identities in the form of X509 certificates. The device uses these certificates (called identity certificates) to authenticate itself to various clients communicating with the device using these protocols and also to provide other protection for the communication like confidentiality, integrity and non-repudiation. In addition, the device may need to authenticate the clients which involves, among other things, verifying the certificates presented by the clients (peer certificates) during the protocol exchanges. The certificate verification, in turn, involves the certificate revocation status checking and the certificate signature verification. This MIB applies to the public key infrastructure (PKI) participation feature which enables a networking device to participate in one or more PKI services (also called Certificate Authorities) enabling it to obtain one or more X509 identity certificates for its own use as well as to verify peer certificates. This MIB organizes the various certificates, key-pairs and Certificate Authority related information into the tables: the trustpoint table for certificate and CA information and a key-pair table for the key-pair information for each type of key-pair such as RSA, DSA etc. An entry in the trustpoint table corresponds to a trusted CA for obtaining an identity certificate from and also for verifying the peer certificates issued by that CA. The entry contains information about the CA certificate, the identity certificate - if obtained - from the CA, the corresponding key-pair from a key-pair table (for which the identity certificate was obtained) and the information needed for revocation checking of certitifates issued by the CA. For each type (RSA, DSA etc.) of key-pair supported by the device, a key-pair table is present and contains an entry for each key-pair of that type present in the device. This allows future expansion of the MIB to support additional key-pair types (currently only RSA key-pair is supported). As seen above, a key-pair entry from a key-pair table can be associated to an entry in the trustpoint table. A key- pair entry can be associated to multiple trustpoint table entries but not vice versa. This MIB supports the certificate work-flow operations, generally used for generating the key-pairs and obtaining the certificates for them from various CAs. The following are the steps in one typical work-flow: 1. create a trustpoint (an entry in trustpoint table) in the device. 2. Authenticate a CA (this involves manually verifying the CA certificate/chain fingerprints and then inputing the CA certificate/chain into the trustpoint). 3. Generate a key-pair (an entry in key-pair table). 4. Associate the key-pair to the trustpoint. 5. Generate a pkcs#10 Certificate Signing Request (CSR) in the trustpoint. 7. Submit CSR to the CA and get the identity certificate. 9. Input the identity certificate into the trustpoint. In another typical certificate work-flow, the key-pair and the corresponding identity certificate are allowed to be generated/obtained outside the device by whatever means and then input to the device in the pkcs#12 form. This MIB does not support the configuration of individual security services like SSL, SSH, IPsec/IKE etc. to use particular trustpoints or certificates and key-pairs in them. Instead the security services certificate usage configuration is supported in the respective feature MIBs. Glossary of the terms used in this MIB: -------------------------------------- key-pair - A pair of public-key cryptographic keys in which one is public and the other private. RSA key-pair - A key-pair belonging to the RSA public-key cryptography algorithm. Certificate Authority (CA) - A service which issues X509 certificates to certify the identity (name) and public-key of end entities. X509 - A standard for certificates and CRLs. Reference: RFC 2459. CA certificate - The self-signed certificate of a CA certifying its own identity and public-key. CA certificate chain - If a CA is certified by another CA which, in turn, was certified by a third CA and so on, ending in a CA which is self-certified, the original CA is said to be a subordinate CA and its CA certificate is a chain which is the set of CA certificates of all CAs involved. Identity certificate - The certificate of a device issued by a CA in which the device identity and public-key are certified. Trustpoint - The various information about a CA (including its CA certificate/chain), which the device wants to trust so that it can use it to enroll with the CA to g et an identity certificate and/or use it to verify the peer certificates issed by the CA. Certificate fingerptint - The digest of a certificate computed using MD5 or SHA hash algorithm. CA authentication - The process of configuring the CA certificate/chain for a trustpoint. The process involves calculating the fingerprints of the CA certificates and verifying them against the same already published by the CAs. Enrollment - The process of creating a Certificate Signing Request in a trustpoint, submitting it to corresponding CA, getting back the identity certificate and inputing it into the trustpoint. Certificate verification - The process of verifying the signature on a certificate to see if it was really signed by the CA who issued it. This verification process uses the CA certificate/chain. The certificate verification also involves verifying the validity of certificate with respect to current time by checking against the validity interval given in the certificate and the revocation status of the certificate as maintained by the CA. Certificate Signing Request (CSR) - A request to a CA for signing a certificate of an entity. The request contains the public key, the name and other attributes of the entity. pkcs#10 - A standard syntax for the CSR, Reference: RFC 2986. pkcs#12 - A standard for exporting and importing a certificate along with associated key-pair and CA certificate/chain. Reference: PKCS #12 v1.0: Personal Information Exchange Syntax Standard, RSA Laboratories, June 24, 1999 CRL - Certificate Revocation List, a list of certificates that are revoked, as maintained by a CA. OCSP - Online Certificate Staus Protocol, a protocol for online checking of the revocation status of certificates. PEM format - A printable text encoding format for certificates, key-pairs and CRLs, as employed by the Privacy Enhanced Mail standard. Reference: RFCs 1421-1424.