3.2.5. pki

Public Key Infrastructure configuration.

vsr running config# pki

ca-profile

List of Certificate Authority profiles.

vsr running config# pki ca-profile <ca-profile>

<ca-profile>

Certificate name.

cmp

Certificate Management Protocol parameters.

vsr running config# pki ca-profile <ca-profile> cmp

vrf

The vrf in which CMP exchanges are performed.

vsr running config# pki ca-profile <ca-profile> cmp
vsr running cmp# vrf VRF

VRF values    Description
main          The main vrf.
<string>      The vrf name.

Default value
main

url (mandatory)

The HTTP URL of the CMP server to which enrollment requests are sent.

vsr running config# pki ca-profile <ca-profile> cmp
vsr running cmp# url URL

URL

An HTTP(S) file URL. IPv6 addresses must be surrounded by square brackets, e.g. [1234:bada::2]. The :/?#[]@!$&’()*+,;= characters in the user and password must be percent-encoded (e.g. ‘?’ becomes ‘%3f’). See RFC 3986 section 2.1. For convenience, you should use the separate user and password fields.
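As an added example (not part of the VSR documentation or product), the following Python helper builds a CMP URL from separate host, path, user and password fields according to the rules stated above: it percent-encodes every RFC 3986 reserved character in the user and password, wraps IPv6 literal hosts in square brackets, and reports any reserved character left un-encoded in the userinfo of an existing URL. The host names and credentials are constructed sample values; Python's quote() emits upper-case hex (‘%3F’), which RFC 3986 treats as equivalent to the lower-case ‘%3f’.

```python
from urllib.parse import quote, urlsplit
import ipaddress

# gen-delims and sub-delims of RFC 3986 section 2.2: the characters the
# documentation says must be percent-encoded inside user and password.
RESERVED = set(":/?#[]@!$&'()*+,;=")


def encode_userinfo_part(value):
    """Percent-encode a user or password for the userinfo part of a URL.

    quote(..., safe="") leaves only RFC 3986 unreserved characters
    (ALPHA, DIGIT, '-', '.', '_', '~') untouched and encodes everything else.
    """
    return quote(value, safe="")


def format_host(host):
    """Bracket an IPv6 literal; return hostnames and IPv4 literals as-is."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host  # a DNS name, not an IP literal
    return f"[{host}]" if addr.version == 6 else host


def build_cmp_url(host, path, port=None, user=None, password=None, scheme="http"):
    """Assemble scheme://[user[:password]@]host[:port]path with safe encoding."""
    userinfo = ""
    if user is not None:
        userinfo = encode_userinfo_part(user)
        if password is not None:
            userinfo += ":" + encode_userinfo_part(password)
        userinfo += "@"
    netloc = userinfo + format_host(host)
    if port is not None:
        netloc += f":{port}"
    return f"{scheme}://{netloc}{quote(path, safe='/')}"


def userinfo_problems(url):
    """Return reserved characters found un-encoded in the user/password part
    of URL, sorted; an empty list means the userinfo is acceptable."""
    netloc = urlsplit(url).netloc
    if "@" not in netloc:
        return []
    userinfo = netloc.rpartition("@")[0]   # everything before the last '@'
    user, _, password = userinfo.partition(":")  # first ':' separates the two
    return sorted({c for c in user + password if c in RESERVED})


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    url = build_cmp_url("cmp.example.com", "/pkix/", port=8080,
                        user="alice", password="p?ss@w:rd")
    print(url)
    print(build_cmp_url("1234:bada::2", "/pkix/"))
    print(userinfo_problems("http://alice:p@ss:w0rd@cmp.example.com/pkix/"))
```

The checker deliberately splits the userinfo at the last ‘@’ and the first ‘:’, because a raw ‘@’ or ‘:’ inside a password is exactly the ambiguity that percent-encoding removes; passing a URL with such a password through a standard parser otherwise silently shifts the host or query boundaries.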

server-certificate

The name of the CMP server certificate. It may be the certificate authority itself, or a registration authority. This certificate must be imported into the database before any update request.

vsr running config# pki ca-profile <ca-profile> cmp
vsr running cmp# server-certificate SERVER-CERTIFICATE

SERVER-CERTIFICATE

Certificate name.

issuer

The distinguished name (DN) of the issuer to use in the requested certificate, i.e. the name of the certificate authority that should issue this certificate, for example ‘/CN=CA/O=6WIND’. By default, the subject of the server-certificate, if one is specified.

vsr running config# pki ca-profile <ca-profile> cmp
vsr running cmp# issuer ISSUER

ISSUER

X500 Distinguished Name.

private-key-algorithm

The private key algorithm.

vsr running config# pki ca-profile <ca-profile> cmp
vsr running cmp# private-key-algorithm PRIVATE-KEY-ALGORITHM

PRIVATE-KEY-ALGORITHM values    Description
rsa-512                         RSA with 512 bit key.
rsa-1024                        RSA with 1024 bit key.
rsa-2048                        RSA with 2048 bit key.
rsa-4096                        RSA with 4096 bit key.
rsa-8192                        RSA with 8192 bit key.

Default value
rsa-2048

source

The source address used to reach the CMP server.

vsr running config# pki ca-profile <ca-profile> cmp
vsr running cmp# source SOURCE

SOURCE values       Description
<ipv4-address>      An IPv4 address.
<ipv6-address>      An IPv6 address.

install-ca-certificates

Whether to install and trust the CA certificates returned by the CMP server in the caPubs section.

vsr running config# pki ca-profile <ca-profile> cmp
vsr running cmp# install-ca-certificates true|false

Default value
true

automatic-update

CMP automatic update parameters.

vsr running config# pki ca-profile <ca-profile> cmp automatic-update

remaining-time

unit: days

The remaining days of validity of the certificate before the scheduled update is triggered.

vsr running config# pki ca-profile <ca-profile> cmp automatic-update
vsr running automatic-update# remaining-time <uint32>

Default value
5

retry-delay

unit: seconds

The delay between two update retries when an update fails.

vsr running config# pki ca-profile <ca-profile> cmp automatic-update
vsr running automatic-update# retry-delay <uint32>

Default value
30
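To make the interplay of the two automatic-update parameters concrete, here is an added Python simulation (example code, not 6WIND's implementation): it derives the scheduled update time from the certificate's validity-not-after date minus remaining-time days, triggers immediately if that moment has already passed, and on failure retries every retry-delay seconds until the update succeeds or a constructed attempt limit is reached. The certificate dates, the clock and the attempt_update callback are assumptions made for the example; the defaults (5 days, 30 seconds) are the ones documented above.

```python
from datetime import datetime, timedelta, timezone


def scheduled_update_time(not_after, remaining_days=5):
    """Moment the scheduled update fires: remaining-time days before expiry."""
    return not_after - timedelta(days=remaining_days)


def plan_update_attempts(not_after, now, attempt_update,
                         remaining_days=5, retry_delay_s=30, max_attempts=5):
    """Simulate the automatic update of one certificate.

    attempt_update(when) is called at each attempt and returns True on
    success. Returns (list of attempt timestamps, succeeded).
    max_attempts is an assumption of this example; the documentation only
    states the delay between retries, not an upper bound.
    """
    # If the window has already opened (or the certificate is expired),
    # do not wait: trigger at 'now'.
    first = max(now, scheduled_update_time(not_after, remaining_days))
    attempts = []
    when = first
    for _ in range(max_attempts):
        attempts.append(when)
        if attempt_update(when):
            return attempts, True
        when += timedelta(seconds=retry_delay_s)
    return attempts, False


def within_renewal_window(not_after, now, remaining_days=5):
    """True when fewer than remaining-time days of validity are left."""
    return now >= scheduled_update_time(not_after, remaining_days)


def make_flaky_updater(failures_before_success):
    """Constructed CMP update stub that fails a fixed number of times."""
    state = {"calls": 0}

    def attempt_update(when):
        state["calls"] += 1
        return state["calls"] > failures_before_success
    return attempt_update


if __name__ == "__main__":
    # Constructed certificate lifetime and clock.
    not_after = datetime(2025, 3, 31, 12, 0, tzinfo=timezone.utc)
    now = datetime(2025, 3, 1, tzinfo=timezone.utc)
    attempts, ok = plan_update_attempts(not_after, now, make_flaky_updater(2))
    for t in attempts:
        print(t.isoformat())
    print("succeeded:", ok)
```

Note the unit asymmetry the documentation states: remaining-time is counted in days while retry-delay is counted in seconds, so a misconfigured retry-delay of, say, 30 with days in mind would retry every 30 seconds rather than every 30 days.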

revocation

Revocation check parameters.

vsr running config# pki ca-profile <ca-profile> revocation

crl

Certificate Revocation List parameters.

vsr running config# pki ca-profile <ca-profile> revocation crl

url

List of CRL distribution point URLs.

vsr running config# pki ca-profile <ca-profile> revocation crl
vsr running crl# url URL

URL

An ASCII-encoded Uniform Resource Identifier (URI) as defined in RFC 3986.

revocation

Certificate revocation global parameters.

vsr running config# pki revocation

crl

Certificate Revocation List global parameters.

vsr running config# pki revocation crl

vrf

The VRF in which CRLs are fetched.

vsr running config# pki revocation crl
vsr running crl# vrf <leafref>

source

The source address used to fetch the CRLs.

vsr running config# pki revocation crl
vsr running crl# source SOURCE

SOURCE values       Description
<ipv4-address>      An IPv4 address.
<ipv6-address>      An IPv6 address.

certificate (state only)

Note

requires a Product License.

List of X509 Certificates.

subject (state only) (pushed)

The subject of the certificate.

vsr> show state pki certificate <string> subject

issuer (state only) (pushed)

The issuer of the certificate.

vsr> show state pki certificate <string> issuer

validity-not-before (state only) (pushed)

The validity of the certificate: not before this date.

vsr> show state pki certificate <string> validity-not-before

validity-not-after (state only) (pushed)

The validity of the certificate: not after this date.

vsr> show state pki certificate <string> validity-not-after

has-private-key (state only) (pushed)

There is a private key associated with this certificate.

vsr> show state pki certificate <string> has-private-key

certificate-request (state only)

Note

requires a Product License.

List of X509 certificate signing requests.

subject (state only) (pushed)

The subject of the certificate request.

vsr> show state pki certificate-request <string> subject