Certificate manager

Certificate Manager enables Public Key Infrastructure (PKI) capability on the switch by providing authentication of network entities. This feature enables configuration and management of digital certificates on Networking switches, a key component of establishing digital identity in a PKI.

Each entity in the PKI has its identity validated by a CA/RA. The CA issues a digital certificate as part of enrolling each entity into the PKI. This digital certificate is used by relying parties (e.g., network connection peers) to set up secure communication. Based on the information present in the sender's certificate, the receiving entity can validate the authenticity of the sender and then establish a secure communication channel.

Configuration support

The certificate manager CLI provides configuration support for integrating the switch into a customer’s PKI.

Trust anchor profile

The profile defines the trust anchor required for several certificate-specific operations, such as certificate enrollment and certificate validation. A trust anchor may be a Root CA certificate or an Intermediate CA certificate. The following command creates a trust anchor profile.
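As an added example (not part of the switch documentation or the vendor's tooling), the following Python script drives the openssl command line to build a throwaway root -> intermediate -> leaf chain and then validates the leaf against each kind of trust anchor named above: the Root CA certificate, the Intermediate CA certificate, and an unrelated root. It assumes Python 3.7 or later and an openssl binary (1.1.1 or later) on PATH; every subject name and file name is constructed for the example, and nothing here touches a switch.

```python
"""Added example: which certificate a relying party treats as its trust anchor
decides whether a presented certificate validates. Built with the openssl CLI
on constructed names; not the switch's own code or configuration."""
import subprocess
import tempfile
from pathlib import Path

# EC keys keep the example fast; the curve choice is incidental to the point being made.
KEY_ARGS = ["-newkey", "ec", "-pkeyopt", "ec_paramgen_curve:prime256v1", "-nodes"]

CA_EXT = "basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n"
INT_EXT = "basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n"
LEAF_EXT = ("basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n"
            "extendedKeyUsage=serverAuth\n")


def openssl(*args):
    """Run an openssl subcommand that must succeed (raises CalledProcessError otherwise)."""
    subprocess.run(["openssl", *args], check=True, capture_output=True)


def make_csr(work, stem, cn):
    """Generate work/<stem>.key and a CSR for the constructed common name."""
    openssl("req", "-new", *KEY_ARGS, "-subj", f"/CN={cn}",
            "-keyout", str(work / f"{stem}.key"), "-out", str(work / f"{stem}.csr"))


def sign(work, stem, ext, ca=None):
    """Issue work/<stem>.pem from its CSR: self-signed when ca is None, else signed by work/<ca>."""
    (work / f"{stem}.ext").write_text(ext)
    args = ["x509", "-req", "-in", str(work / f"{stem}.csr"), "-days", "1",
            "-extfile", str(work / f"{stem}.ext"), "-out", str(work / f"{stem}.pem")]
    if ca is None:
        args += ["-signkey", str(work / f"{stem}.key")]
    else:
        args += ["-CA", str(work / f"{ca}.pem"), "-CAkey", str(work / f"{ca}.key"), "-CAcreateserial"]
    openssl(*args)
    return work / f"{stem}.pem"


def build_chain(work):
    """Root -> intermediate -> leaf, plus an unrelated root. All names are constructed."""
    certs = {}
    for stem, cn, ext, ca in [("root", "Example Root CA", CA_EXT, None),
                              ("other", "Unrelated Root CA", CA_EXT, None),
                              ("int", "Example Intermediate CA", INT_EXT, "root"),
                              ("leaf", "switch.example.net", LEAF_EXT, "int")]:
        make_csr(work, stem, cn)
        certs[stem] = sign(work, stem, ext, ca)
    return certs


def verify_leaf(anchor, leaf, untrusted=None, partial_chain=False):
    """Path-validate LEAF with ANCHOR as the only trusted certificate (system store disabled).

    openssl normally requires the path to end at a self-signed root found in ANCHOR.
    partial_chain=True lets ANCHOR itself terminate the path, which is what a relying
    party needs when an Intermediate CA certificate is the configured trust anchor."""
    args = ["verify", "-no-CAfile", "-no-CApath", "-CAfile", str(anchor)]
    if partial_chain:
        args.append("-partial_chain")
    if untrusted is not None:
        args += ["-untrusted", str(untrusted)]  # chain certificates presented alongside the leaf
    args.append(str(leaf))
    return subprocess.run(["openssl", *args], capture_output=True).returncode == 0


def demo():
    """Return the validation outcome for each trust-anchor scenario."""
    with tempfile.TemporaryDirectory() as d:
        c = build_chain(Path(d))
        return {
            "root anchor, intermediate supplied": verify_leaf(c["root"], c["leaf"], untrusted=c["int"]),
            "root anchor, intermediate missing": verify_leaf(c["root"], c["leaf"]),
            "intermediate anchor, strict": verify_leaf(c["int"], c["leaf"]),
            "intermediate anchor, partial chain": verify_leaf(c["int"], c["leaf"], partial_chain=True),
            "unrelated root anchor": verify_leaf(c["other"], c["leaf"], untrusted=c["int"]),
        }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:38s} {'OK' if ok else 'FAIL'}")
```

Two outcomes are worth noting when choosing between a Root CA and an Intermediate CA as the trust anchor. A plain intermediate certificate placed in the trust store is not accepted as the end of the path unless the relying party explicitly allows partial chains (openssl's -partial_chain), and a leaf presented without its intermediate fails even though the root is trusted, so the full chain up to the configured anchor has to be available at validation time.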

Syntax

(config) # [no] crypto pki ta-profile <profile-name> ssh-username <ssh-username>

Definitions

profile-name

A name (maximum 100 characters) that uniquely identifies the Trust Anchor Profile. Ten TA profiles are supported, one for each allowed trust anchor (Root CA certificate).

Profile number 2 is always reserved for the self-signed certificate, so you can create only 9 TA profiles (Root CA certificates) per switch.

ssh-username

Set the username whose certificate will be validated with the TA profile for two-factor authentication.

Validation rules

Validation: If the maximum number of <username : TA profile> associations is reached for a given TA profile, a message displays.

Error/Warning/Prompt: Maximum number of username associations with a TA profile is 10.

Web User’s Interface

When permitted by the existing configuration, the Web UI creates a “default” Trust Anchor profile (the profile name is “default”) when a TA certificate is installed. The Web UI may only manage the TA certificate installed against the “default” profile; no other certificates are visible or installed via the Web UI. An administrator may create this same “default” TA profile. Restrictions on the “default” profile are described in Local Certificate Installation.

The Web UI manages a TA profile implicitly, and only under the following conditions:

  • A TA profile named “default” exists.

  • No TA profile named “default” exists, but one of the TA profiles is not yet configured.

In these cases the Web UI may configure the “default” TA profile.

When no default profile exists and both TA profiles have been configured through the CLI (i.e., neither is named ‘default’), the Web UI may not alter either TA profile, and the web-usage certificate to be installed must fit within a certificate chain belonging to an existing TA profile.
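The profile limits and the Web UI rules above are the kind of constraints an automation pipeline should check before pushing `crypto pki ta-profile` lines to a switch, so a rejected command is caught in review rather than at deployment. The following Python model is an added example, not the switch's own code: the documented values are ten TA profiles, profile number 2 reserved for the self-signed certificate (hence nine Root CA profiles), at most ten username associations per profile, the 100-character name limit, and the Web UI's handling of a profile named “default”. The slot numbering, the idea that repeating the command on an existing profile adds another username, and the class shape are assumptions made for the example.

```python
"""Added example: a pre-flight model of the TA profile rules in this section.
Not the switch's implementation; slot layout and API shape are assumptions."""
from dataclasses import dataclass, field

MAX_PROFILES = 10              # documented: ten TA profiles supported
SELF_SIGNED_SLOT = 2           # documented: profile number 2 is reserved for the self-signed certificate
MAX_USERNAMES_PER_PROFILE = 10 # documented validation rule
MAX_NAME_LEN = 100             # documented name limit


@dataclass
class TaProfile:
    name: str
    slot: int
    ssh_usernames: set = field(default_factory=set)


class TaProfileStore:
    def __init__(self):
        # Assumption: profiles occupy numbered slots 1..10; slot 2 is always taken.
        self._slots = {n: None for n in range(1, MAX_PROFILES + 1)}
        self._slots[SELF_SIGNED_SLOT] = TaProfile("self-signed", SELF_SIGNED_SLOT)

    def find(self, name):
        return next((p for p in self._slots.values() if p is not None and p.name == name), None)

    def free_slots(self):
        return [n for n, p in self._slots.items() if p is None]

    def ta_profile(self, name, ssh_username=None):
        """Model `crypto pki ta-profile <name> [ssh-username <user>]`; returns the profile."""
        if not name or len(name) > MAX_NAME_LEN:
            raise ValueError("profile name must be 1 to 100 characters")
        profile = self.find(name)
        if profile is None:
            free = self.free_slots()
            if not free:
                raise ValueError("all TA profiles in use (9 Root CA profiles plus the reserved self-signed profile)")
            profile = TaProfile(name, free[0])
            self._slots[free[0]] = profile
        if ssh_username is not None:
            if (ssh_username not in profile.ssh_usernames
                    and len(profile.ssh_usernames) >= MAX_USERNAMES_PER_PROFILE):
                raise ValueError("Maximum number of username associations with a TA profile is 10.")
            profile.ssh_usernames.add(ssh_username)
        return profile

    def no_ta_profile(self, name):
        """Model `no crypto pki ta-profile <name>`; the reserved slot cannot be freed."""
        profile = self.find(name)
        if profile is None or profile.slot == SELF_SIGNED_SLOT:
            raise ValueError(f"cannot remove TA profile {name!r}")
        self._slots[profile.slot] = None

    def web_ui_action(self):
        """What the Web UI may do with TA profiles, following the rules in this section."""
        if self.find("default") is not None:
            return "manage-default"        # the existing "default" profile is the Web UI's to manage
        if self.free_slots():
            return "create-default"        # Web UI may create "default" in an unconfigured profile
        return "web-cert-must-chain-to-existing-profile"  # CLI owns every profile; Web UI alters none


if __name__ == "__main__":
    store = TaProfileStore()
    print("fresh switch:", store.web_ui_action())
    for i in range(9):
        store.ta_profile(f"corp-ca-{i}", ssh_username="netops")
    print("all CLI-configured:", store.web_ui_action())
```

The limits are enforced where the CLI would reject the command, so a generated configuration that would overflow a profile's username associations or exceed the nine creatable profiles fails the pre-flight check with the same message the switch reports.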