Certificate specific
This command has two forms of output, summary and detailed. The CLI displays the details of one certificate if a certificate name is given. If the argument summary or no argument is entered, a brief summary of all certificates is printed.
Syntax
(Switch_Name#)show crypto pki local-certificate summary|<cert-name>
Show local certificate information.
Example
Sample summary output:

Name                 Usage      Expiration     Parent / Profile
-------------------- ---------- -------------- --------------------
SSL_Certificate      Web        CSR            Customer Secondary PKI
Openflow_Cert        Openflow   2030/06/11     Intermediate01
Intermediate01       Inter      2014/01/01     Customer Primary PKI
Default_cert         All        2030/06/11     Intermediate02
Intermediate02       Inter      2014/01/01     Intermediate01

Summary mode lists all certificates below a TA profile, including both local certificates and installed intermediates. The names of intermediate certificates are transitory and can change after local certificates are added or removed. In detailed mode the certificate name can be provided as an argument and details specific to that certificate are displayed. If the Expiration column displays CSR, then detailed mode re-displays the CSR as described with the crypto pki create-csr local-certificate commands.

All installed certificates are shown in the same way, provided that the fields exist in the certificate. For example, a CA-signed certificate has an “Issuer:” field with a different value from the “Subject:” field. In a self-signed certificate, these fields are set to the same value. Since the fields are present in either type of certificate, they are always shown. Similarly, a Root certificate is a self-signed certificate. A trust anchor certificate can be either a Root certificate or an Intermediate certificate. The same fields are present in the certificate, just set to different values.
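As an added example (not part of the manual or the switch software), the following Python script parses the summary output shown above and walks each entry's Parent / Profile column up to its TA profile, flagging pending CSRs and intermediates that expire before the certificates beneath them. The sample text is constructed from the table above, and the chain-check logic is this example's own, not a switch feature.

```python
"""Parse 'show crypto pki local-certificate summary' output, walk each
certificate's Parent / Profile link up to its TA profile, and flag pending
CSRs and intermediates that expire before the certificates beneath them."""
# Constructed sample, transcribed from the summary table in the text above.
SAMPLE = """\
Name                 Usage      Expiration     Parent / Profile
-------------------- ---------- -------------- --------------------
SSL_Certificate      Web        CSR            Customer Secondary PKI
Openflow_Cert       Openflow   2030/06/11     Intermediate01
Intermediate01       Inter      2014/01/01     Customer Primary PKI
Default_cert         All        2030/06/11     Intermediate02
Intermediate02       Inter      2014/01/01     Intermediate01
"""

def as_key(exp):
    """Turn 'YYYY/MM/DD' into a sortable (y, m, d) tuple; 'CSR' stays as-is."""
    return exp if exp == "CSR" else tuple(int(x) for x in exp.split("/"))

def parse_summary(text):
    """Return {name: (usage, expiration, parent)} from the summary table."""
    rows = {}
    for line in text.splitlines()[2:]:      # skip the header and dashed rule
        parts = line.split(None, 3)          # parent/profile may contain spaces
        if len(parts) == 4:
            name, usage, exp, parent = parts
            rows[name] = (usage, as_key(exp), parent.strip())
    return rows

def chain(rows, name):
    """Follow parent links until a name that is not an installed certificate
    (the TA profile). The length guard stops on a malformed, cyclic listing."""
    path = [name]
    while path[-1] in rows and len(path) <= len(rows):
        path.append(rows[path[-1]][2])
    return path

def audit(rows, today):
    """Per-certificate findings relative to a 'YYYY/MM/DD' reference date."""
    now, findings = as_key(today), {}
    for name, (_usage, exp, parent) in rows.items():
        notes = []
        if exp == "CSR":
            notes.append("CSR pending, no certificate installed")
        elif exp < now:
            notes.append("expired")
        parent_exp = rows[parent][1] if parent in rows else None
        # A parent that expires before its child breaks the chain first.
        if exp != "CSR" and parent_exp not in (None, "CSR") and parent_exp < exp:
            notes.append(f"parent {parent} expires before this certificate")
        findings[name] = notes
    return findings
```

Run `audit(parse_summary(SAMPLE), "2013/01/01")` to see that both intermediates in the sample expire sixteen years before the leaf certificates they sign.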
When working in the summary mode:
An installed certificate may or may not have a subject key identifier.
An installed certificate may or may not contain an authority key identifier.
An installed certificate may or may not contain key usage constraints, which may or may not be marked critical.
When an extension is critical, the keyword “critical” is displayed; when the extension is not critical, no additional wording is displayed (see the screen display below).
While address ranges can be encoded in a certificate, this usage is not consistent with identifying a switch (or switch interface), so CIDR format is not expected. However, if present it must be displayed for diagnostic purposes. (CIDR format display can be eliminated by adding tests to reject certificates with a range at the time of certificate installation.) IP addresses are listed in lexicographical order, except that all IPv4 addresses are shown as a group before IPv6 addresses are displayed. IPv6 addresses are shown in full, without the “zeroes removed” notation.
NOTE: Per RFC 5280: “Certificate users MUST be able to handle serialNumber values up to 20 octets.” Thus, the serial number can take 40 hex characters to print. The serial number is printed in hex to limit string length and to allow easier manual decoding of UUID-type serial numbers.

Certificate Detail:
Serial Number: 75A5A501ABCDEF12345675A5A501ABCDEF123456
Sig. Algorithm: SHA1 with RSA encryption
Issuer: CN=HP Networking Platform Certificate Authority 01, OU=HP Networking, O=Hewlett-Packard Company, L=Roseville, ST=California, C=US
Validity From: Mar 11 23:56:35 2010 GMT
Validity To: Mar 8 23:56:38 2030 GMT
Subject: CN=Model J1234A/serialNumber=SW123456780A, BaseMAC 010203-040506, OU=HP Networking EVPG, O=Hewlett-Packard Company
X509v3 Subject Key Identifier: 02:62:50:03:D1:7B:E3:68:F9:D7:67:5A:7D:FD:99:BC:AA:D8:07:B7
X509v3 Authority Key Identifier: C7:92:78:C5:19:66:46:DD:7C:47:C1:8D:47:5F:05:1A:C6:30:30:05
X509v3 Key Usage: Critical
Digital signature, Key encipherment, Key agreement
The detail form of the certificate-specific show command is available from the web UI. The web UI allows display of only those configured certificates related to the web server. This includes the SSL server certificate, the trust anchor certificate and any other certificates configured as part of the certificate chain. All the certificates in the trust chain are also displayed.