Operational notes

Certificate enrollment

  • You cannot use the crypto pki clear certificate-name <certificate-name> or no crypto pki ta-profile <ta-profile-name> commands to delete certificates and TA profiles enrolled using EST.

  • Remove the crypto pki enroll-est-certificate configuration before deleting certificates. To delete EST configurations from the switch, use the no form of the EST commands. For more information, see Configuration commands.

  • As with manually installed certificates, erase startup-config does not delete certificates enrolled using EST.

  • Deleting the EST profile, or the EST mapping to a certificate, does not delete the certificates enrolled using EST.

  • You cannot enroll a certificate using EST:

    • if a certificate with the same name is present.

    • if a certificate or a CSR with the same usage is present.

      Delete the certificate using the command crypto pki clear certificate-name <certificate-name>, or the REST schema /rest/v6/crypto_pki/local_certificate/<certificate-name>.

  • If certificate enrollment has already been triggered, you cannot change the EST profile name or the certificate subject fields. Delete the enrollment using no crypto pki enroll-est-certificate, and then reconfigure it with the correct values.

  • If the CA certificate uses an ECDSA key, the enrolled certificate must also have an ECDSA key type. Otherwise, re-enrollment of the certificate fails.

  • The switch verifies the ECDSA key and signing algorithm as specified in RFC 5759. The certificate key must satisfy one of the following conditions:

    • If the certificate key is on the curve P-256, the CA certificate key must be on the curve P-256 or P-384.

    • If the certificate key is on the curve P-384, the CA certificate key must be on the curve P-384.

Certificate re-enrollment

  • The switch checks the expiry of the enrolled certificate every 24 hours. If the remaining validity of the certificate is within the re-enrollment-prior-expiry configuration, the certificate re-enrollment process starts.

  • If re-enrollment of the certificate fails on its due date, the process is retried the next day.

  • A renewed certificate is used for the TLS handshake or for /simplereenroll.

  • If the certificate has already expired, /simpleenroll starts enrollment of a new certificate.

  • During system boot, the re-enrollment timer starts for the certificates installed from the EST server.
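
The enrollment preconditions above (no certificate with the same name, no certificate or CSR with the same usage, RFC 5759 curve pairing) and the daily re-enrollment check, modelled as an added Python example; this is not AOS-CX code. The first check running 24 hours after boot, the field names of the `installed` list and the sample usage values are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Rule stated on the page (RFC 5759): CA key curves that may certify each end-entity curve.
ALLOWED_CA_CURVES = {"P-256": {"P-256", "P-384"}, "P-384": {"P-384"}}


def utc_day(year, month, day):
    """Midnight UTC on the given date (helper for the examples and tests)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def ca_curve_ok(cert_curve, ca_curve):
    """True if an EST CA key on ca_curve may sign an enrolled key on cert_curve."""
    return ca_curve in ALLOWED_CA_CURVES.get(cert_curve, set())


def enrollment_blockers(new_name, new_usage, new_curve, ca_curve, installed):
    """Reasons the switch would refuse this EST enrollment (empty list = OK).
    installed: dicts with 'name', 'usage' and 'kind' ('certificate' or 'csr');
    the field names are assumed, not the real REST schema."""
    reasons = []
    for item in installed:
        if item["name"] == new_name:
            reasons.append("certificate %r already present" % new_name)
        if item["usage"] == new_usage:
            reasons.append("%s %r already has usage %r" % (item["kind"], item["name"], new_usage))
    if not ca_curve_ok(new_curve, ca_curve):
        reasons.append("CA key on %s cannot certify a %s key" % (ca_curve, new_curve))
    return reasons


def reenrollment_timeline(boot, not_after, prior_expiry, failing_checks=(), max_checks=400):
    """Simulate the daily expiry check: first check 24h after boot (assumed), then every 24h.
    failing_checks: 0-based check indexes at which the EST server rejects the attempt.
    Returns [(check_time, action)] up to the first successful (re)enrollment; action is
    'wait', 'reenroll-failed', 'reenrolled' (/simplereenroll) or 'enrolled-new'
    (/simpleenroll because the certificate had already expired)."""
    events = []
    for i in range(max_checks):
        t = boot + (i + 1) * timedelta(hours=24)
        if not_after - t > prior_expiry:
            events.append((t, "wait"))          # still outside the re-enrollment window
        elif i in failing_checks:
            events.append((t, "reenroll-failed"))  # retried at the next daily check
        else:
            events.append((t, "enrolled-new" if t >= not_after else "reenrolled"))
            break
    return events


if __name__ == "__main__":
    # Constructed sample: 9-day certificate, 3-day window, EST server down at the first attempt.
    for when, what in reenrollment_timeline(utc_day(2024, 1, 1), utc_day(2024, 1, 10),
                                            timedelta(days=3), failing_checks={5}):
        print(when.date(), what)
    print(enrollment_blockers("est-cert", "https-server", "P-384", "P-256",
                              [{"name": "web", "usage": "https-server", "kind": "csr"}]))
```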

Force command

  • If a force command is executed after the certificate has been installed successfully, the force command cannot initiate re-enrollment.

  • If you execute the force command after the certificate expires, the certificate enrollment process follows the workflow described in EST enrollment of application certificates using CLI. You can check the certificate validity status by executing the show estserver <profile-name> status command.

Zeroization

  • To delete all certificates installed on the switch without removing the EST enrollment mapping to the certificates, execute the crypto pki zeroize command.

  • You must delete the existing enrollment configurations on the switch before executing the zeroization command.

  • After zeroization, you cannot use the force command to re-enroll the certificates.

  • Check the RMON logs to confirm that all application and IDEVID certificates are deleted. Reboot the switch after zeroization, and install the EST CA for enrollment of certificates.

NOTE:

For more information, see Zeroization.

Scalability and Support

  • A maximum of three user-configurable EST server profiles are allowed.

  • The switch accepts and processes the HTTP 202 response from the EST server.

  • Certificateless TLS Authentication, HTTP-based Client Authentication, Server Key Generation, Full PKI Request Messages, Full CMC, and CSR Attribute Request are not supported.

  • Enrollment of certificates through SNMP is not supported.

  • Enrollment of application certificates is not supported when the EST server is connected to the OOBM ports.

  • Enrollment of application certificates from an EST server with an IPv6 address is not supported.