Certificates

An X.509 certificate is a signed digital document that binds a public key to an identity such as an individual, an organization, a machine or a service. A public key infrastructure (PKI) relies on it to verify that a public key belongs to the identity named in the certificate.

An X.509 certificate contains information about the identity to which it is issued and about the identity that issued it. The main fields of an X.509 certificate are:

  • Version: the X.509 version that applies to the certificate.

  • Serial Number: a number, unique among the certificates issued by the same CA, that identifies the certificate.

  • Algorithm information: the algorithm used by the issuer to sign the certificate.

  • Issuer Distinguished Name: the name of the entity issuing the certificate.

  • Validity: period in which the certificate can be trusted (start/end date).

  • Subject Distinguished Name: the name of the identity the certificate is issued to.

  • Subject Public Key Information: the public key associated with the identity.

  • Extensions (optional): other useful fields such as Subject Alternative Name(s) and Key Usage.

The following sections describe the operations used to manage the Virtual Service Router's local database of certificates (a.k.a. global certificate store) via nc-cli commands.

Import a Certificate and/or private key

Use the cmd certificate import name <cert-name> url <remote-url> command to import a CA or user certificate into the local database. Note that a plain http URL does not authenticate what is downloaded: after importing a CA this way, compare the fingerprint displayed by show certificate name <cert-name> with a value obtained from the CA operator out of band before relying on it. As an example we use this command to import two CAs named rootca and 6WIND:

vsr> cmd certificate import name rootca url http://10.16.0.190:8999/rootca.pem
OK.
vsr> cmd certificate import name 6WIND url http://10.16.0.190:8999/6WIND.pem
OK.

We can also use this command to import a user certificate user01 with its private key in one command:

vsr> cmd certificate import name user01 url scp://10.16.0.190/user01_cert.pem private-key-url http://10.16.0.190:8999/user01_key.pem user scpuser password scppassword
OK.

or in two steps:

vsr> cmd certificate import name user02 url scp://10.16.0.190/user02_cert.pem user scpuser password scppassword
OK.
vsr> cmd certificate import name user02 private-key-url http://10.16.0.190/user02_key.pem user scpuser password scppassword
OK.

Use the show certificate list command to show the imported certificates:

vsr> show certificate list
6WIND
rootca
user01
user02

If the private key is encrypted with a passphrase, provide it in the import command with the private-key-password keyword:

vsr> cmd certificate import name user01 private-key-url http://10.16.0.190:8999/user01_key.pem private-key-password "kEE#p@$$wd!" user scpuser password scppassword
OK.

See also

The Import certificate command reference for details.

Export a certificate

Use the cmd certificate export name <cert-name> url <remote-url> command to export a certificate stored in the local database to a remote location:

vsr> cmd certificate export name rootca url http://remote-server:8999/
OK.

See also

The Export certificate command reference for details.

Add a certificate

Use the cmd certificate add name <cert-name> data <pem-format-input> command to add a certificate by pasting it as a PEM-encoded string:

vsr> cmd certificate add name user03 data "-----BEGIN CERTIFICATE-----
... MIIDazCCAlOgAwIBAgIUOittEYmcZTGUGioankW6HvDYTMcwDQYJKoZIhvcNAQEL
... BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
... GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMTA4MjcxNTEwNTFaFw0yMjA4
... MjcxNTEwNTFaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
... HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
... AQUAA4IBDwAwggEKAoIBAQCwebLs/zQB0RyVi1VJW7sT/ZUgkTg2kf/1ab312+Fh
... 1nCnMz7q5loNVm7ZJ/8+kwdGIEkCxwbZr++asN8EjKOvSNZphk7kOJbam6ui1j5C
... ollm77CF4n6urj9/mA73OJJkwkTbzzBwTcfSXephAa5lAw0z83C04WaVleBlH5c8
... RhEcwx+8dlMmBkpwuaaxFBDfXHHeu4W554PpJEY0/W1m3uaX44QvXbRZV+f6/CpM
... RpdBKsMqPvj776VDeYylHewb0MlwOadXw8YMXs7pkkRoP2AvuP0hFev8+LTj6kkG
... 4c89VX5s6DPuu/P1cLowLCnt5DppAt69nTK8Zbk4wjVJAgMBAAGjUzBRMB0GA1Ud
... DgQWBBR3c9b3DavflgTCoUEWQY6OyqXhmzAfBgNVHSMEGDAWgBR3c9b3DavflgTC
... oUEWQY6OyqXhmzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAm
... vleOmDHBChJ7at+yEQM8hmAqmupVWX3aUXaoKkGMpD8vg46uYhxxcInzBPaySblQ
... QyGLom2raUW0a27hhAucQe1ZRqpfIAvJ5/hUkztkOsUOC2nptMn9lZQvbnmGFoSR
... AQP3me3QffYVU4ozL2UeqUQV1yd91cIQOGu9DZFQOQkeVj7J5O4iAw3Xp0xxNuAJ
... GgncUQMya16UW4wbAjXpq0ZVKIWQtkZw+0ZffVfIyYUFsq3j6pFVcETa6VDrES0h
... r6phc+0OVpwUU0AQg7SJucApPNOf0KbnGyLli/e8yUtsrDouifSr29QipRiHhrOr
... eS4EeexMXu6W4TsFjpkP
... -----END CERTIFICATE-----"
OK.

We can also use this command to add a user certificate user01 together with its private key in one command:

vsr> cmd certificate add name user01 data "-----BEGIN CERTIFICATE-----
... MIIDGDCCAgCgAwIBAgIIGg4FzJUi290wDQYJKoZIhvcNAQELBQAwLjELMAkGA1UE
... BhMCRlIxDjAMBgNVBAoTBTZXSU5EMQ8wDQYDVQQDEwZyb290Y2EwHhcNMjMwOTA4
... MTI0NDM3WhcNMjYwOTA3MTI0NDM3WjArMQswCQYDVQQGEwJGUjEOMAwGA1UEChMF
... NldJTkQxDDAKBgNVBAMTA2R1dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
... ggEBAKdrtpa7ZDOeckixzaOlFTyG/XYUOY2wIqEdUvorx0CSVioYU/gVUpLoQeZ/
... xSS2HbpnoqMPU2i+iY2r4J6aU6rVmpQR4ttAf0zlliyrbq3nUYjKmoQZqqb2uRmN
... uqqkGOXMF+cIen1Tun6uqdyAw0KHTokslgG9JgDAaG8utFTSs81cQRLaPAmUXiVv
... Ciq3xuh7mf9rnPtCk21JL6OGWXJhSVcVpoImu7X4brQEqTIaQnpprK6569sxxm3t
... F45kNAGWlZiOCupACbIkVWM/nwoF0vxo4traur9jADUDJZtaGRfBwlwZZNAO7XK+
... WsdCT3wiRy1oBp2CQCO7EEkdgbcCAwEAAaM9MDswHwYDVR0jBBgwFoAU3b0cdvBm
... 7pqrGL/87K8AgYAN05AwGAYDVR0RBBEwD4INZHV0LjZ3aW5kLmNvbTANBgkqhkiG
... 9w0BAQsFAAOCAQEAyA05wtha7ewEt2BEKHLMhxeKOH/QEB7P0NpuuJWYpOL9qopp
... G0a1PUG1uQwvUM/c4Z2WgpQ/HsP/2Wc9q8B7dLBCYApmEssRVDJHQdBO6cxSlOm6
... pNyHO2ch1LPV2DFpY/04tqBZXrljEeATn53rhswESndiNIP6SuGRZGDTijy0L+og
... rc/w3uy3Yu9CiDgUbthvnunSshGnTsEYhHjmjvWiVclE/nagPHAZc2kuHDb8+t8M
... q5Wdzkub+ADaP8Npiz/qsxPWvgRfSFNRECk2pgn8+KNKo+yOTpgJVeLBUR6LqoA0
... 00oLbVEqiaS9FnbeBTspX+ftzEB+7Bt/dk5qFQ==
... -----END CERTIFICATE-----" private-key "-----BEGIN RSA PRIVATE KEY-----
... MIIEoQIBAAKCAQEA693UGafI9a1Kp2kJTTpLKA2jWRspar3stPRC+6Jn9UWp9/n6
... DCVZWHzYqNGtnCbMk8s4Do/HhDv9dOwRuHxprxhkHHr6y6k/AB4Gut+rXqGo3tPd
... +0kQzdxiEYdIaTljSESDD6WPEUL2Q5L/LioUaSHm5UOGlKtMx46EAuB/BYSowOtc
... RsRolrTvorHxwldnp0BBaGAXEQUO+9jlXWKJO5p9Hpl0FqWq4SgsNMI0Rsg0HYNF
... biZ4O+9lQAjGx1sBfS6m4Lc5K7xa9t3SyH9K/vbV2RO1Nn97gDcQK5ymUk9EV3x9
... L3sJn2TfP2qmogNrlCn65mhEScy5hUru0uHI4wIDAQABAoH/VPQTaLTA3SqC3Xc8
... 194Hd/0vxJdb+SDiOasz6CM+rE3WBV/+Nwh3gDLJou9tTouV2JnzU+sOH3MGlrmc
... /z5PPneu8tAwxogISxHJqEOJjChENmn13YsWzrDxKdInnQeJzIqoVXgLiKUMSMlR
... MGNtEGdtNIkHdOBjp3gO29vhmSnKC81djHa0OKjTIQqWN2HcSmlobDfy4D2Gn5s+
... D2bDrrW87yzTMc+E+XftR3k40AqUGow6bH9QjQOiqlFlFNQCM9YIJKMMHe4DWU8p
... AdUPshTXV4U+xJTFMYAB2UASEr9UK0eAGAbG0grop/qzk1fv6ZCsmoTBJoh8RiJq
... fF5VAoGBAP+ec58r8GmA+r9XrZ/gFTwDEo+qBEtuRaXPK1Rpy7OsLa6DGJZrUfWE
... cNWgzHuC/XJBtfgBF2E8s09jpmxZbY9zC5/lLdEMh+5IWJWThDULOi66LzT5sADl
... TTolUHKdIahycy3vxWEpmQbmLPSozGVFx8tTm+0y0ITM4JIFUKptAoGBAOw31sns
... Xx63UI7yJlYPEnc7PqRO+lEZHEJW6Vz/qHas/gLHrsV9Swbx7D+nZA+D7ivwY4cs
... Dcp8xjjBRaVDf0LiKGNV/QcFU2s7tHaeq3NQ/HVSFExXYBaoUzOrhBgKBOxMPTvZ
... FlzxMou9O9yZr+OhNccuiuDDqMqySbP9Hy6PAoGBAIP4H0NfIPinQU2GC7qNqwjX
... oT6QjTUQUl7fTUSAdk1lqBP/1LLb5211GfgA03E02HqjmDnY/mQSPZTQIryvktPL
... loXPgU77RDZuHWXjyg7EpB45u2ODQS3FNJC/cQArRZQ8umBN+L5IBpw8O5t4hkYG
... t7aujMLySBs31v0sR1AlAoGAMsgaU9SN6mOMXP6vwSaCWMGSyO31oEOesKBQkN6h
... T8oG3YAiEXDLFVYi7NhGiZNaO3X1X5TX7iT+1Cqwl0O4cx99gUV2HPFHKrFuLWYV
... A7hwXaRkmrjZ/mT3Zg9EWYql3krRizEzPo3XyPTIjrc3ed8pWYWm84T8n37Om3Qa
... JP8CgYAbaF0PLMeb6P9HvHB7QIALuHJhTksRhBe58P3+UdZv32XSwg7Dw/JriUYa
... y+3tCbZg8TQleF7wARDOXKK1wHbQx+174fF4MmJGJR7+BjJwnKStt+iZ5VFgaXiL
... oVHArQyT28hcsOa/cY7wD6939J0NSE/iLpZFJ4pFUK5p0EbyCQ==
... -----END RSA PRIVATE KEY-----"
OK.

or in two steps:

vsr> cmd certificate add name user01 data "-----BEGIN CERTIFICATE-----
... (...)
... -----END CERTIFICATE-----"
OK.
vsr> cmd certificate add name user01 private-key "-----BEGIN RSA PRIVATE KEY-----
... (...)
... -----END RSA PRIVATE KEY-----"
OK.

If the private key is encrypted with a passphrase, provide it in the add command with the private-key-password keyword:

vsr> cmd certificate add name user01 private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
... MIIFLTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIpx1zr7fEn2UCAggA
... MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBD4RjV7qLJnQVJVwhycLdfjBIIE
... 0AHY3K4OpmhnBZdQSQkQuJrKSeCmVUS5CxZSlSQpBGCENyb1VK5UN3eRXKEeAOmi
... LqOR48gYF+KhgAAudCuVmYIC11zA2r4QATuuJb/irhQiZeAFU+p9b1HGINKozIk5
... Sc7xfEPmdEDNySrDOwqs4tyIH9U10aYN/Rvxs0NLUV7VnjWWAO67jnqY39thgkFj
... XruEKxRIqNFqdr68xr3syDUYkb8dFFQuN5QcjwTgDV6x0zWIkxT165ye5OKUi99n
... 6AOFFjrUuzmcSqXhrCcjAHnXYbVn7QKtmE1M/nZKrr+NGCUhhS5R4nWSwQaL1iD4
... JcdGvl45/DPQheMT2LMkSaB3PEX+vhYqjFpSYWffStAhedEIL5prKIItlXPqnDbv
... v/f20hN6QWSS8c/oqXqerPLy1vtGmm644vNYnccyTpsEKUIQH5Jpol2LP3Iep+7L
... qOVz5k592Sqy0HX39O9Su3ZLvv8Eaj3eFGVBwPAnyWJAY0eO7nNtTz0SjEn/+nAC
... 2PP9LEwdieyNw0IhbLQ+o5eO5I1uSKVGQmfmMSzRCS3uDFFDf5hysx7slMBOvZXo
... SCVXN5ZaOpBnb85a2qm1V7hXUKF0jLDtBy/v44Q/F2Qd4lL6VYBQCWmzdMZnfWLU
... f7Z2aJZXf81ddRrWTZhdKmIRrM490H1NdxHcS2G3RWHc6prmsmCsb6ZsQWd9x4qg
... RXcRUOyp3ZgHPs0XwGCSunOiDbfZLXketigUsuWzDYaKxw9QcHFB/xXFJwq8RYnL
... fAZGMHBYM2X0vsuLwfb6hqrfBGZItyo2cYonke2djV/07yEVnFwLFeuqX2pMGd7B
... PIA2cRJjznkIlZSyXRgSEy4Iesp0UsOIHYlGSYUr5YPzic+3MCWE+YLQbOjNB0yb
... aw2G2HrpkfZW+yjFT+P/UDIc4cMuMAxyUhAIQqFRdUlZp+stjQxwjM7nBYGo5ooL
... SIsfycrf44DfD6f9UheQGhTWKRZn9T3zXS6YhCruBJXA9FHqWYQ32S3ceUhLEx44
... /2PCIMZ8PEcJULFxAnVzL81AFdxup39YDLtI6nhVy16V6GBnT/mgSooQWqS5JAqb
... 3CrEgafdh/Pczc4f9B7qTZz9/isHAjy6hb449h1p764Oiycwdjhenpj9m58oMvEx
... KedVX5MOPbvtUJHxc7N9jry3uhhLDURgdUDCAb3CuIKLhhL3LoKIIIA7STZ9/E0z
... 4ifqUU3JN/Ox051cokoXKsh6nAsMTUMTQG+CRFjsZ17NbrhVSmly9+72pFgj9hLV
... bz4yRND/3yo2BHLNKHpbw/XaS/ZasIqwgzhlXOUF5ZsQNNBQ/cwzdA9e8t4JfeyH
... 0tAMixIJYfVkYRnPwXrk38mJSSEOKit2oEH1ZQMzH/uzNqrJPGZBu15SY/C4dJCi
... 2PFgiIpKd6FDoTR8YWdbLiL6tl4LorlAtyvNpXr62i/KYJjTlPVyR+NVpgQWVIMj
... BfjbDrumTpjDk7STXxrfDXzIRLNyKKa1+dDQjnFc86rWFggyp+YfWD2D7qXwhqmH
... su99XnJ01H3U2wdOBH5iS8jA73PlAAqjHkjS1ZABp13einK5ZDUqywv8yjE3olTS
... m+7jir9EoI9sDGQGMpcOPT6AodBOSg1YN7ewPQIfKwmY
... -----END ENCRYPTED PRIVATE KEY-----" private-key-password "kEE#p@$$wd!"
OK.

See also

The Add certificate command reference for details.

Delete a certificate

Use the cmd certificate delete name <cert-name> command to delete a certificate from the local database. In this example we delete the certificate user01 stored earlier:

vsr> cmd certificate delete name user01
OK.

See also

The Delete certificate command reference for details.

Show certificate list

Use the show certificate list command to list the certificates stored in the local database. These certificates may have been imported with the cmd certificate import command or installed by another service:

vsr> show certificate list
6WIND
rootca
user02
user03
..

See also

The Show certificate list command reference for details.

Show certificate content

Use show certificate name <cert-name> to show the content of a certificate.

The output format may additionally be specified:

  • details: display the details of the certificate in human-readable form (this is the default).

  • pem: display the certificate in the PEM format.

vsr> show certificate name 6WIND
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:54:ca:5f:55:97:1c:09:67:1b:d6:ab:ad:50:f7:9d:6e:96:72:79
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=6WIND"
        Validity:
            Not Before: Thu Aug 12 12:49:41 2021
            Not After : Fri Aug 12 12:49:40 2022
        Subject: "CN=6WIND"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    d7:22:f8:56:fb:06:8c:2d:28:2a:44:9c:28:40:79:96:
                    (....)
                    55:93:79:05:74:f9:63:88:96:66:d1:30:00:4f:d0:d0:
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Basic Constraints
            Critical: True
            Data: Is a CA with no maximum path length.
            Name: Certificate Authority Key Identifier
            Key ID:
                c9:4f:b9:85:92:d0:de:2a:28:76:e6:2c:2c:7f:c0:20:
                73:a4:71:b1
            Name: Certificate Subject Key ID
            Data:
                c9:4f:b9:85:92:d0:de:2a:28:76:e6:2c:2c:7f:c0:20:
                73:a4:71:b1
            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Certificate Signing
                    CRL Signing
    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        a5:6c:26:6a:ef:6d:f1:75:7d:f9:a5:57:69:c0:19:97:
        (...)
        fa:2a:88:11:26:f7:c1:f4:cf:8f:4d:31:c5:42:ce:26:
    Fingerprint (SHA-256):
        E2:E2:D8:0D:B0:...:2D:05:56:96:F6:21:5D:EA:62:B9
    Fingerprint (SHA1):
        6C:EB:86:6A:C5:...:0A:9A:43:6E:2A:14:0C:F8:B9:4F
..

Add the pem keyword to print the certificate in PEM format (show certificate name <cert-name> pem):

vsr> show certificate name 6WIND pem
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

See also

The Show certificate detail command reference for details.

Show certificate private key

Use show certificate key name <cert-name> to show the private key of the given certificate. The output is the private key itself: treat it as a secret, since anyone who can read it (on screen or in a session log) can impersonate the certificate's subject.

The output format may additionally be specified:

  • pem: display the private key in PEM format (this is the default).

  • details: display the details of the private key in human-readable form.

vsr> show certificate key name user01
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----

Add the details keyword to print the details of the private key (show certificate key name <cert-name> details):

vsr> show certificate key name user01 details
Private-Key: (2048 bit, 2 primes)
modulus:
    00:b0:79:b2:ec:ff:34:01:d1:1c:95:8b:55:49:5b:
    bb:13:fd:95:20:91:38:36:91:ff:f5:69:bd:f5:db:
    e1:61:d6:70:a7:33:3e:ea:e6:5a:0d:56:6e:d9:27:
    ff:3e:93:07:46:20:49:02:c7:06:d9:af:ef:9a:b0:
    df:04:8c:a3:af:48:d6:69:86:4e:e4:38:96:da:9b:
    ab:a2:d6:3e:42:a2:59:66:ef:b0:85:e2:7e:ae:ae:
    3f:7f:98:0e:f7:38:92:64:c2:44:db:cf:30:70:4d:
    c7:d2:5d:ea:61:01:ae:65:03:0d:33:f3:70:b4:e1:
    66:95:95:e0:65:1f:97:3c:46:11:1c:c3:1f:bc:76:
    53:26:06:4a:70:b9:a6:b1:14:10:df:5c:71:de:bb:
    85:b9:e7:83:e9:24:46:34:fd:6d:66:de:e6:97:e3:
    84:2f:5d:b4:59:57:e7:fa:fc:2a:4c:46:97:41:2a:
    c3:2a:3e:f8:fb:ef:a5:43:79:8c:a5:1d:ec:1b:d0:
    c9:70:39:a7:57:c3:c6:0c:5e:ce:e9:92:44:68:3f:
    60:2f:b8:fd:21:15:eb:fc:f8:b4:e3:ea:49:06:e1:
    cf:3d:55:7e:6c:e8:33:ee:bb:f3:f5:70:ba:30:2c:
    29:ed:e4:3a:69:02:de:bd:9d:32:bc:65:b9:38:c2:
    35:49
publicExponent: 65537 (0x10001)
privateExponent:
    7b:39:df:68:81:a3:0d:09:b9:4d:ea:e6:f8:bc:66:
    db:44:9c:97:0b:10:17:7a:c7:21:d4:5e:62:88:d0:
    ce:02:70:d3:2f:83:65:7e:c7:ae:bc:85:d6:78:89:
    50:66:56:13:ef:83:4b:bf:31:d7:5b:74:91:ad:a3:
    6c:87:cf:dc:1b:9e:2c:3d:2e:65:49:e6:7c:6b:6a:
    e3:df:79:c6:09:9b:27:b7:82:a9:5a:48:5f:2d:29:
    05:ad:65:f5:d6:b8:d2:46:9c:d2:67:d0:48:fa:e6:
    e6:cb:d1:57:3f:57:49:0d:62:70:be:32:1a:fb:b1:
    28:0e:69:8b:f3:0d:25:76:16:98:2f:8d:6d:4c:74:
    be:ba:6f:93:d0:8f:05:2b:b7:1f:78:1c:df:1f:d8:
    85:53:a4:e1:cb:39:cb:de:93:40:a8:91:97:a2:fb:
    ce:62:4e:53:03:d3:e0:63:7c:20:71:d9:95:08:a1:
    81:e7:c9:4c:ed:27:0b:86:0f:99:5d:a6:33:9c:1b:
    61:88:ed:55:ca:01:f5:c0:fa:4d:08:03:9c:26:22:
    3a:5a:39:85:6d:8f:8f:b1:11:d1:63:0a:30:20:6b:
    e8:9f:e1:08:83:23:3a:2c:17:d5:6d:a9:91:f1:85:
    80:f9:a0:93:f3:26:c0:15:a2:62:ce:d5:59:05:f2:
    09
prime1:
    00:da:3f:4c:35:36:ee:5b:5b:e9:23:44:66:7c:77:
    84:bb:34:90:8f:8b:29:4c:22:f6:36:00:c2:bd:f4:
    ae:35:b8:e6:69:20:87:3a:dc:64:3a:ae:54:c9:0c:
    8d:7f:20:6b:15:2a:f5:09:29:4c:61:ba:4e:4c:51:
    70:c2:c8:91:34:ba:fa:2a:35:92:37:05:3a:19:91:
    e3:da:1c:a3:c9:96:7a:ca:ff:f7:56:e0:18:c7:c4:
    8d:02:0b:99:77:56:c8:ac:84:3c:20:ce:d6:e3:eb:
    02:9c:c0:e8:86:0f:20:c4:24:7e:a8:4b:0f:e1:53:
    03:8d:c4:49:4d:cc:09:e5:83
prime2:
    00:cf:00:9b:30:d8:bd:44:d3:5f:07:34:ea:af:08:
    20:33:0b:3b:9b:d8:23:3a:43:fa:f2:8e:e8:49:63:
    9b:44:f9:c0:0b:2a:4a:c7:a1:f3:c6:c5:42:57:4e:
    e1:13:d9:82:f3:d2:82:15:77:19:aa:37:72:44:63:
    82:e4:3f:2d:ce:e6:78:4f:61:4b:fb:05:21:24:84:
    ef:a6:6f:fd:08:3d:27:a4:5d:cb:3a:32:f1:01:ff:
    df:13:49:28:04:85:66:6f:80:ad:74:cc:26:c0:37:
    03:da:d6:a7:55:cc:04:b2:ea:8d:78:88:1b:01:b1:
    d2:a8:4f:e0:67:93:a3:0c:43
exponent2:
    08:60:61:e7:4c:1d:fc:97:01:15:6d:92:c1:9a:76:
    93:1a:35:43:4d:2f:bf:bf:d8:7b:d0:44:9e:13:a5:
    c8:d8:c2:68:b1:41:6d:6a:a4:4e:ba:d4:c0:6b:b4:
    b7:f4:e9:53:ac:85:0f:11:4e:bc:90:99:d3:22:a3:
    bd:50:c1:2d:ca:2d:bc:28:97:c6:84:a2:9e:b3:b2:
    6e:ed:c1:33:80:26:06:84:b5:20:99:c7:1e:e9:97:
    c1:54:08:86:86:4f:6a:db:ae:29:37:c9:a9:a5:90:
    46:5e:c1:4e:bb:7e:c5:2e:b0:a2:db:ff:1b:c6:72:
    5b:d5:3f:a3:71:59:fb:b9
coefficient:
    7f:0b:69:b4:7d:26:5c:85:71:f5:92:fd:5f:d4:f5:
    bb:36:df:1e:a1:4d:ae:23:a8:43:92:b2:bc:2d:c1:
    d2:f9:98:4b:3d:c3:a8:f5:f9:fe:5f:cf:48:ff:a5:
    e8:8f:2c:ca:32:b8:53:51:f3:63:3d:2f:61:3a:4f:
    60:af:6a:be:d3:51:0f:d5:57:7f:0b:c2:45:2c:15:
    68:80:04:f5:cf:1a:49:a8:27:0d:fd:18:ec:54:68:
    ff:06:b8:93:19:0d:95:38:12:55:1e:49:c5:f4:60:
    26:49:9e:54:99:9d:4b:6e:b6:45:0b:b7:1e:4a:6e:
    fb:88:8c:2f:cc:e3:1c:6a

See also

The Show certificate key command reference for details.

Manual enrollment and update via Certificate Signing Requests

The standard method to manually request a certificate from a CA while keeping the private key local and secret is to generate a key pair and a CSR, provide the CSR to the CA (for example by copy/pasting the CSR in a web interface), then add or import the certificate generated and signed by the CA.

The CSR contains in particular the identity information that is expected to appear in the certificate (a Subject Name and optional Subject Alternative Names), and the public key of the key pair.

The Virtual Service Router supports the PKCS #10 syntax for CSRs, described in RFC 2986.

Generate a certificate request

To generate a key pair and a CSR, use the cmd certificate-request generate command.

In addition to the certificate Subject Name, a list of optional Subject Alternative Names may be specified with the san argument:

vsr> cmd certificate-request generate name host1 subject "/O=6WIND/CN=host1" san ip:10.125.0.1 san dns:host1.6wind.com
OK.

SANs can be of the following types:

  • dns: domain name

  • email: e-mail address

  • uri: URI

  • ip: IPv4 or IPv6 address

It is mandatory to prepend a prefix to the SAN value, to specify its type (e.g. dns:host1.6wind.com).

Use the private-key-algorithm option to specify the desired key algorithm and size. The default is rsa-2048.

Display a certificate request

The pending certificate requests may be listed as follows:

vsr> show certificate-request list
host1

A certificate request may be displayed in the PEM format:

vsr> show certificate-request name host1
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----

This output will typically be copy/pasted to the web interface of a CA, to generate a signed certificate.

To display it in a human readable form, add the details keyword:

vsr> show certificate-request name host1 details
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: O = 6WIND, CN = host1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:f4:55:ec:5d:c8:dc:9c:8d:5f:b7:56:fd:fb:93:
                    (...)
                Exponent: 65537 (0x10001)
        Attributes:
            Requested Extensions:
                X509v3 Subject Alternative Name:
                    IP Address:10.125.0.1, DNS:host1.6wind.com
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        cf:23:aa:88:40:2f:07:61:26:7b:c4:23:f3:0c:d4:b8:6e:ee:
        (...)

The private key associated with the certificate request may be displayed in PEM format:

vsr> show certificate-request key name host1
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----

To display it in a human readable form, add the details keyword:

vsr> show certificate-request key name host1 details
Private-Key: (2048 bit, 2 primes)
modulus:
    00:f4:55:ec:5d:c8:dc:9c:8d:5f:b7:56:fd:fb:93:
    (...)
publicExponent: 65537 (0x10001)
privateExponent:
    6d:36:58:cc:04:c3:a3:50:47:c7:cd:e1:01:c9:d0:
    (...)
prime1:
    00:fd:b0:e8:c7:4b:73:63:5b:18:10:ef:ea:c5:9b:
    (...)
prime2:
    00:f6:8f:37:5c:11:9a:c2:aa:a4:98:bb:11:c2:e7:
    (...)
exponent1:
    2d:64:0f:e2:48:bf:b6:91:3f:f7:17:d6:3b:d1:13:
    (...)
exponent2:
    00:c6:6e:2c:97:a4:73:71:07:f4:c0:16:8e:0c:d6:
    (...)
coefficient:
    00:e0:e6:78:69:25:bd:d0:9d:83:11:83:73:c6:f3:
    (...)

Export a certificate request

As an alternative to copy/pasting the CSR to the web interface of a CA, the CSR may be exported to a file server, via the cmd certificate-request export command:

vsr> cmd certificate-request export name host1 url http://remote-server/host1.req
OK.

Import or copy/paste the signed certificate

Once generated and signed by the CA, the certificate may be installed, either via a cmd certificate add command in which the certificate is copy/pasted in the PEM format, or via a cmd certificate import command.

If the certificate name matches a certificate request name, then the Virtual Service Router verifies that the CSR key pair matches the certificate key. If they match, then the certificate is installed with the CSR private key, and the certificate request is deleted.

Manually install the certificate via a copy/paste:

vsr> cmd certificate add name host1 data "-----BEGIN CERTIFICATE-----
... MIIDFTCCAf2gAwIBAgIIPz0uQc+/2/EwDQYJKoZIhvcNAQELBQAwLjELMAkGA1UE
... BhMCRlIxDjAMBgNVBAoTBTZXSU5EMQ8wDQYDVQQDEwZyb290Y2EwHhcNMjMwNjE1
... MTIzMjQ2WhcNMjYwNjE0MTIzMjQ2WjAgMQ4wDAYDVQQKEwU2V0lORDEOMAwGA1UE
... AxMFaG9zdDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD0VexdyNyc
... jV+3Vv37k5G0Aa6Bpv1xE+U+RvBlFz23vPRGdm27oUKYD8L2G001h/sS6VfwbJqy
... apZvbfhZ1TtuVma0WjXR38sE2VmPr3nL/QT2yQV42NhoL1XByXYR0Jtgk4IHk3k7
... go8AJswXsPupTvSfNcnX/8V6YNOiIxABSUzZtQBcqmgds2QB3961UYPGHKJyeA75
... d8h/NyHi8ykDbYjwukgNS7CdyYLojmhRdZ9fkHrdiBzsKh+6x+rZ451Jx49BQ42S
... lDKsIuQ7WG6EEPpJcF9MDkypdIUyK5mkLbHcnGWbOhrVJVw5yYGrMB+hPL25gEA6
... k+zICaWUfusdAgMBAAGjRTBDMB8GA1UdIwQYMBaAFOGEMLU7m4VUYIJBZatiB5eh
... gW4oMCAGA1UdEQQZMBeHBAp9AAGCD2hvc3QxLjZ3aW5kLmNvbTANBgkqhkiG9w0B
... AQsFAAOCAQEAXMjI/SnVrgHoi+IkLe9mDJGfazE7mNj036rizvE0LBwhGchc1pQa
... K9MT7TgtDa9zlS1RfVyRQW1h0vCRJRWEf8iT6Lhzm9ndKX85UdeB6CkHk153r1kK
... RoUTTjpQ3PHyHHxS5zEfmiq0wKjjnIZNYXgA695LC1uwp51AyuiwrljoIOrYnOoC
... DYTlpSXQ73FuMhbMtBQl+ru8ob0gsyNzDreh9ZK+gLdzraKsDtm6Grah6TJHtYAZ
... SatKve74B4Jef5VxoY9M17B4hISvdC98+PPVLexXvldzoIABIXw3Pgkp9vhcsJDJ
... 2HJpJRmPqhY6/kPO/qRBV243OYtiyn3EhQ==
... -----END CERTIFICATE-----"
OK.

Or install the certificate with an import:

vsr> cmd certificate import name host1 url http://remote-server:8999/host1.cer
OK.
vsr> show certificate name host1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4556849258162019313 (0x3f3d2e41cfbfdbf1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = FR, O = 6WIND, CN = rootca
        Validity
            Not Before: Jun 15 12:32:46 2023 GMT
            Not After : Jun 14 12:32:46 2026 GMT
        Subject: O = 6WIND, CN = host1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:f4:55:ec:5d:c8:dc:9c:8d:5f:b7:56:fd:fb:93:
                    (...)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                E1:84:30:B5:3B:9B:85:54:60:82:41:65:AB:62:07:97:A1:81:6E:28
            X509v3 Subject Alternative Name:
                IP Address:10.125.0.1, DNS:host1.6wind.com
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        5c:c8:c8:fd:29:d5:ae:01:e8:8b:e2:24:2d:ef:66:0c:91:9f:
        (...)
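The certificate fields listed at the top of this page, the show certificate name host1 output above and the type:value SAN syntax of cmd certificate-request generate can all be checked independently of the router. The following Python script is an added example, not part of the 6WIND documentation or product: using only the standard library, it decodes the host1 certificate pasted above by walking its DER structure, returns the fields in the order the field list gives them, computes the SHA-256 fingerprint that show certificate name also displays, and compares the subject and SANs with what was requested on the cmd certificate-request generate command line (here /O=6WIND/CN=host1 with san ip:10.125.0.1 san dns:host1.6wind.com). The function and variable names are the example's own, the host1 certificate is the only input and is embedded verbatim, and the on_date argument is an assumed ISO date used instead of the current time so that the validity check is reproducible.

```python
import base64
import datetime as dt
import hashlib
import ipaddress

# Constructed input: the host1 certificate exactly as pasted in the page's "cmd certificate add name host1" example.
HOST1_PEM = """-----BEGIN CERTIFICATE-----
MIIDFTCCAf2gAwIBAgIIPz0uQc+/2/EwDQYJKoZIhvcNAQELBQAwLjELMAkGA1UE
BhMCRlIxDjAMBgNVBAoTBTZXSU5EMQ8wDQYDVQQDEwZyb290Y2EwHhcNMjMwNjE1
MTIzMjQ2WhcNMjYwNjE0MTIzMjQ2WjAgMQ4wDAYDVQQKEwU2V0lORDEOMAwGA1UE
AxMFaG9zdDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD0VexdyNyc
jV+3Vv37k5G0Aa6Bpv1xE+U+RvBlFz23vPRGdm27oUKYD8L2G001h/sS6VfwbJqy
apZvbfhZ1TtuVma0WjXR38sE2VmPr3nL/QT2yQV42NhoL1XByXYR0Jtgk4IHk3k7
go8AJswXsPupTvSfNcnX/8V6YNOiIxABSUzZtQBcqmgds2QB3961UYPGHKJyeA75
d8h/NyHi8ykDbYjwukgNS7CdyYLojmhRdZ9fkHrdiBzsKh+6x+rZ451Jx49BQ42S
lDKsIuQ7WG6EEPpJcF9MDkypdIUyK5mkLbHcnGWbOhrVJVw5yYGrMB+hPL25gEA6
k+zICaWUfusdAgMBAAGjRTBDMB8GA1UdIwQYMBaAFOGEMLU7m4VUYIJBZatiB5eh
gW4oMCAGA1UdEQQZMBeHBAp9AAGCD2hvc3QxLjZ3aW5kLmNvbTANBgkqhkiG9w0B
AQsFAAOCAQEAXMjI/SnVrgHoi+IkLe9mDJGfazE7mNj036rizvE0LBwhGchc1pQa
K9MT7TgtDa9zlS1RfVyRQW1h0vCRJRWEf8iT6Lhzm9ndKX85UdeB6CkHk153r1kK
RoUTTjpQ3PHyHHxS5zEfmiq0wKjjnIZNYXgA695LC1uwp51AyuiwrljoIOrYnOoC
DYTlpSXQ73FuMhbMtBQl+ru8ob0gsyNzDreh9ZK+gLdzraKsDtm6Grah6TJHtYAZ
SatKve74B4Jef5VxoY9M17B4hISvdC98+PPVLexXvldzoIABIXw3Pgkp9vhcsJDJ
2HJpJRmPqhY6/kPO/qRBV243OYtiyn3EhQ==
-----END CERTIFICATE-----"""

OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU",
             "1.2.840.113549.1.1.1": "rsaEncryption", "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
SAN_TAGS = {0x81: "email", 0x82: "dns", 0x86: "uri", 0x87: "ip"}  # GeneralName context tags [1] [2] [6] [7]

def der_children(buf):  # split a DER value into its (tag, value) children; definite lengths only, as DER requires
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: the low 7 bits give the number of length octets that follow
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def decode_oid(b):  # dotted form, or the short name when the OID is one we know
    arcs, acc = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:  # remaining arcs are base-128, high bit set on all but the last octet
        acc = (acc << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs, acc = arcs + [acc], 0
    dotted = ".".join(map(str, arcs))
    return OID_NAMES.get(dotted, dotted)

def decode_name(b):  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue  ->  [("O", "6WIND"), ("CN", "host1")]
    out = []
    for _, rdn in der_children(b):
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)
            out.append((decode_oid(oid), val.decode()))
    return out

def decode_time(tag, b):
    s = b.decode()  # UTCTime (tag 0x17) carries a two-digit year; RFC 5280: YY >= 50 means 19YY
    s = ("19" if int(s[:2]) >= 50 else "20") + s if tag == 0x17 else s
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)

def parse_certificate(pem):
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    (_, tbs), (_, sig_alg), _sig = der_children(der_children(der)[0][1])
    fields = der_children(tbs)
    version, fields = (fields[0][1][-1] + 1, fields[1:]) if fields[0][0] == 0xA0 else (1, fields)  # [0] absent in v1
    (_, serial), _, (_, issuer), (_, validity), (_, subject), (_, spki) = fields[:6]
    (nb_tag, nb), (na_tag, na) = der_children(validity)
    (_, alg_id), (_, key_bits) = der_children(spki)
    key_alg, key_size, sans = decode_oid(der_children(alg_id)[0][1]), None, []
    if key_alg == "rsaEncryption":  # RSAPublicKey sits inside the BIT STRING; [1:] skips the unused-bits octet
        key_size = int.from_bytes(der_children(der_children(key_bits[1:])[0][1])[0][1], "big").bit_length()
    if len(fields) > 6 and fields[-1][0] == 0xA3:  # EXPLICIT [3] Extensions, always last when present
        for _, ext in der_children(der_children(fields[-1][1])[0][1]):
            parts = der_children(ext)  # extnID, optional critical BOOLEAN, extnValue OCTET STRING
            if decode_oid(parts[0][1]) == "2.5.29.17":  # subjectAltName
                for t, v in der_children(der_children(parts[-1][1])[0][1]):
                    kind = SAN_TAGS.get(t, hex(t))
                    sans.append((kind, str(ipaddress.ip_address(v)) if kind == "ip" else v.decode()))
    return {"version": version, "serial": int.from_bytes(serial, "big", signed=True), "sans": sans,
            "signature_algorithm": decode_oid(der_children(sig_alg)[0][1]), "key_algorithm": key_alg,
            "issuer": decode_name(issuer), "subject": decode_name(subject), "key_size": key_size,
            "not_before": decode_time(nb_tag, nb), "not_after": decode_time(na_tag, na),
            "sha256_fingerprint": ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())}

def check_against_request(cert, subject, sans, on_date=None, min_rsa_bits=2048):
    """Compare a CA-issued certificate with the '/O=.../CN=...' subject and 'type:value' SANs that were requested."""
    when = dt.datetime.fromisoformat(on_date).replace(tzinfo=dt.timezone.utc) if on_date else dt.datetime.now(dt.timezone.utc)
    want_subject, problems = [tuple(p.split("=", 1)) for p in subject.strip("/").split("/")], []
    want_sans = [(k, str(ipaddress.ip_address(v)) if k == "ip" else v) for k, v in (s.split(":", 1) for s in sans)]
    if cert["subject"] != want_subject:
        problems.append(f"subject {cert['subject']} differs from requested {want_subject}")
    if sorted(cert["sans"]) != sorted(want_sans):
        problems.append(f"SANs {cert['sans']} differ from requested {want_sans}")
    if not cert["not_before"] <= when <= cert["not_after"]:
        problems.append(f"not valid on {when:%Y-%m-%d}: window is {cert['not_before']:%Y-%m-%d} to {cert['not_after']:%Y-%m-%d}")
    if cert["key_size"] is not None and cert["key_size"] < min_rsa_bits:
        problems.append(f"RSA key is only {cert['key_size']} bits")
    return problems
```

Running parse_certificate(HOST1_PEM) gives the same issuer, subject, serial, validity, key size and SAN list as the show certificate name host1 output above, and check_against_request(cert, "/O=6WIND/CN=host1", ["ip:10.125.0.1", "dns:host1.6wind.com"], on_date="2024-01-01") returns an empty list. The same call with a different CN, a missing SAN or a date outside the validity window returns one message per discrepancy, which is the check worth running before installing a certificate returned by a CA; the SAN value is split on the first colon only, so IPv6 and URI values keep their own colons. The script parses but does not verify the CA signature, so it complements the router's own chain validation rather than replacing it.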

Update a certificate

To manually update an installed certificate via a certificate request, generate a new certificate request, and have it signed by the CA, like for the initial enrollment.

Then install the new certificate with the cmd certificate add or cmd certificate import command, adding the force keyword so that the old certificate is overwritten:

vsr> cmd certificate add name host1 data "-----BEGIN CERTIFICATE-----
... MIIDFTCCAf2gAwIBAgIIPz0uQc+/2/EwDQYJKoZIhvcNAQELBQAwLjELMAkGA1UE
... (...)
... -----END CERTIFICATE-----" force
OK.

The old certificate remains installed while the request is pending. As soon as the new certificate is installed, it replaces the old one.

Certificate Authority profiles (ca-profiles)

A CA is in charge of delivering signed certificates to end entities (EEs) or sub-CAs, either manually or online, after verifying their credentials; it is also in charge of renewing and possibly revoking those certificates.

A ca-profile defines information about a CA that is not carried by its certificate, such as certificate revocation URL(s) or the parameters for online enrollment.

Certificate Authority profiles are defined in the pki configuration context.

Configure CRL distribution points

A CA must in particular publish the list of certificates it has revoked, in the form of a CRL (X.509 Certificate Revocation List, defined in RFC 5280). The CRL is usually downloaded in PEM format from a file server. The download URL(s), called CRL distribution points (CDPs), may be embedded in the certificates themselves (X509v3 CRLDistributionPoints extension), but they often have to be provided separately.

A CA profile provides additional information about the CA that is not embedded in its certificate, such as its CDPs.

A CA profile bears the same name as the CA certificate in the global certificate store.

vsr running config# pki
vsr running pki# ca-profile rootca
vsr running ca-profile rootca# revocation
vsr running revocation# crl
vsr running crl# url http://pki1.example.com/rootca/crl
vsr running crl# url http://pki2.example.com/rootca/crl
vsr running crl# commit
vsr running pki# /
vsr running config# show config pki
pki
    ca-profile rootca
        revocation
            crl
                url http://pki1.example.com/rootca/crl
                url http://pki2.example.com/rootca/crl
                ..
            ..
        ..
    ..

The ca-profile information in the example above is used by the IKE service, in all VRFs where IKE is enabled and trusts the CA certificate rootca from the global store (it is not used if a certificate named rootca is locally defined in the IKE context).

The IKE service in all VRFs will therefore download a CRL from one of the listed CDPs to validate certificates presented by remote peers, that were signed by the CA certificate rootca.

Note

The CA profile may be defined or modified before or after the rootca certificate is installed.

Configure data for online enrollment

Several commands enroll or update certificates online. The parameters regarding the CMP server and the CA are retrieved from a ca-profile stored in the configuration.

Example:

vsr> edit running
vsr running config# pki
vsr running pki# ca-profile rootca
vsr running ca-profile rootca# cmp
vsr running cmp# url http://pki-host:8080/cmp/client
vsr running cmp# server-certificate 6WIND
vsr running cmp# commit
vsr running pki# /
vsr running config# show config pki
pki
    ca-profile rootca
        cmp
            vrf main
            url http://pki-host:8080/cmp/client
            server-certificate 6WIND
            install-ca-certificates true
            ..
        ..
    ..

More details are provided in the online enrollment paragraphs.

Online enrollment and update via CMP

The Certificate Management Protocol (CMP) is an IETF standard for obtaining and managing X.509 certificates in a public key infrastructure (PKI). CMP is mainly transported over HTTP or HTTPS. The main request types are ‘Initialization Request’, ‘Key Update Request’ and ‘Revocation Request’.

The Virtual Service Router supports the version 2 of the CMP protocol, described in RFC 4210.

Certificate enrollment

To obtain a new end-entity certificate from a given PKI, use the rpc command cmd certificate cmp enroll.

This command generates a private key, then sends a CMP Initialization Request (IR) message to the CMP server to request a certificate.

If a valid response message is received, the private key and certificate are installed with the specified name. If CA certificates are provided in the caPubs field of the reply, then they are also installed and trusted.

The parameters regarding the CMP server and CA are retrieved from a ca-profile, stored in the configuration. The parameters regarding the certificate to enroll itself are provided on the command line.

In addition to the certificate Subject Name, a list of optional Subject Alternative Names may be specified with the san argument.

Example of CA rootca, which is also the CMP server:

vsr running config# pki
vsr running pki# ca-profile rootca
vsr running ca-profile rootca# cmp
vsr running cmp-enrollment# url http://pki-host:8080/cmp/client
vsr running cmp-enrollment# server-certificate 6WIND
vsr running cmp-enrollment# commit
vsr running cmp-enrollment# exit

The server-certificate argument is the name of the CMP server certificate. It must have been imported beforehand. It may be the certificate of the CA itself, or the certificate of an RA.

vsr> cmd certificate cmp enroll ca-profile rootca name userEE secret password subject /CN=test/O=it san dns:*test.com san ip:10.2.3.5
vsr> show certificate name userEE
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            40:5a:ae:72:ab:ef:ce:06:02:e2:d5:e2:57:07:0d:ed:
            81:8e:06:de
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=6WIND"
        Validity:
            Not Before: Wed Jul 21 15:53:13 2021
            Not After : Sun May 01 00:00:00 2022
        Subject: "O=it,CN=test"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
            (...)
        Signed Extensions:
         Name: Certificate Subject Alt Name
         DNS name: "*test.com"
         IP Address: 10.2.3.5
         Name: Certificate Basic Constraints
         Critical: True
         Data: Is not a CA.
(...)

Example of CA ca2 (with DN /CN=6WIND CA2), whose CMP server is an RA (certificate 6WINDRA), contacted via vrf private with source address 10.150.0.1. The CA DN must be specified with the issuer argument, so that the enrollment command can verify the delivered certificate:


vsr running config# pki
vsr running pki# ca-profile ca2
vsr running ca-profile ca2# cmp
vsr running cmp-enrollment# vrf private
vsr running cmp-enrollment# source 10.150.0.1
vsr running cmp-enrollment# url http://private-pki-host:8080/cmp/client
vsr running cmp-enrollment# server-certificate 6WINDRA
vsr running cmp-enrollment# issuer "/CN=6WIND CA2"
vsr running cmp-enrollment# commit
vsr running cmp-enrollment# exit

vsr> cmd certificate cmp enroll name userEE ca-profile ca2 secret password subject /CN=test/O=it san dns:*test.com san ip:10.2.3.5

By default, the CA certificates returned by the CMP server in the caPubs field are installed and trusted. The command dynamically assigns a name to each of the installed certificates:

  • if the CA certificate is the issuer of the enrolled certificate and no certificate with the ca-profile name exists yet, the certificate is stored under the ca-profile name.

  • in all other cases:

    • if an identical certificate is already installed, ignore it

    • build the certificate name based on its serial number 16 last significant hexadecimal digits, and append an optional suffix (-00, -01…) in case of duplicate.
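The naming rule above, modelled in Python as an added example that is not Virtual Service Router code, and run over a constructed certificate store. Certificates are reduced to subject, issuer, serial number and a stand-in for their DER encoding; "is the issuer of the enrolled certificate" is taken here as a subject-DN match, whereas a real implementation would also verify the enrolled certificate's signature or Authority Key Identifier against the CA. The sample store already holds the rootca and 6WIND certificates imported earlier and the enrolled userEE certificate's serial number from the output above.

```python
"""Naming of CA certificates delivered in caPubs (added example, not product code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str   # RFC 4514 form, as 'show certificate' prints it
    issuer: str
    serial: int
    der: bytes     # stand-in for the DER encoding (constructed values below)


def serial_name(serial):
    """Base name: the 16 least significant hexadecimal digits of the serial number."""
    return format(serial & 0xFFFFFFFFFFFFFFFF, "016x")


def name_capubs(store, ca_profile, enrolled, capubs):
    """Install the caPubs certificates into store (name -> Cert), in place.

    Returns [(name, cert)] for the certificates actually installed.  The
    identical-certificate check applies only to the "all other cases" branch,
    exactly as the rule is stated.
    """
    installed = []
    for ca in capubs:
        is_issuer = ca.subject == enrolled.issuer  # simplification, see lead-in
        if is_issuer and ca_profile not in store:
            name = ca_profile
        else:
            if any(c.der == ca.der for c in store.values()):
                continue  # identical certificate already installed: ignore
            base = serial_name(ca.serial)
            name, i = base, 0
            while name in store:  # duplicate base name: append -00, -01, ...
                name = "%s-%02d" % (base, i)
                i += 1
        store[name] = ca
        installed.append((name, ca))
    return installed


# Constructed sample store: the two CAs imported earlier, plus the EE
# certificate enrolled above (issued by CN=6WIND, serial from the show output).
STORE = {
    "rootca": Cert("CN=rootca", "CN=rootca", 0x01, b"der:rootca"),
    "6WIND": Cert("CN=6WIND", "CN=rootca", 0x02, b"der:6WIND"),
}
ENROLLED = Cert("O=it,CN=test", "CN=6WIND",
                0x405aae72abefce0602e2d5e257070ded818e06de, b"der:userEE")
# Constructed caPubs: the issuer CA again, and two sub-CAs whose serial numbers
# share their 16 least significant hex digits.
CAPUBS = [
    Cert("CN=6WIND", "CN=rootca", 0x02, b"der:6WIND"),
    Cert("CN=sub1", "CN=rootca", 0x0102030405060708090a0b0c0d0e0f10, b"der:sub1"),
    Cert("CN=sub2", "CN=rootca", 0xff0102030405060708090a0b0c0d0e0f10, b"der:sub2"),
]

if __name__ == "__main__":
    for name, cert in name_capubs(dict(STORE), "rootca", ENROLLED, CAPUBS):
        print(name, cert.subject)
```

With ca-profile rootca already present, the issuer CA in caPubs is identical to the installed 6WIND certificate and is skipped; sub1 is named after its serial number and sub2, colliding with it, gets the -00 suffix. With an empty store and a fresh profile, the issuer CA simply takes the profile name.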

See also

The CMP enroll command reference and PKI command reference for details.

Certificate update

Updating a previously enrolled certificate is done through the rpc command cmd certificate cmp update. A new private key is used and the old certificate is overwritten.

The command generates a new private key, then sends a CMP KUR (Key Update Request) message to the CMP server to request an update of the former certificate. It requests the same subject name and SANs as in the original certificate.

As for CMP enrollment, a ca-profile must be specified.

vsr> cmd certificate cmp update name userEE ca-profile rootca
OK.
vsr> show certificate name userEE
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            79:80:c5:ac:71:0a:b5:39:1b:fd:df:82:ac:49:e5:95:
            0a:20:19:74
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=6WIND"
        Validity:
            Not Before: Fri Jul 23 13:51:21 2021
            Not After : Sun May 01 00:00:00 2022
        Subject: "O=it,CN=test"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
            (...)
        Signed Extensions:
            Name: Certificate Subject Alt Name
            DNS name: "*test.com"
            IP Address: 10.2.3.5
            Name: Certificate Basic Constraints
            Critical: True
            Data: Is not a CA.
        ..
    ..

See also

The CMP update command reference and PKI command reference for details.

Certificate scheduled-update

Schedule automatic updates

It is possible to schedule automatic updates of certificates before they expire, via the cmd certificate cmp scheduled-update command.

The syntax is the same as for the cmd certificate cmp update command, but the cmp section of the ca-profile must include an automatic-update sub-section:

vsr running config# pki
vsr running pki# ca-profile rootca
vsr running ca-profile rootca# cmp
vsr running cmp-enrollment# url http://pki-host:8080/cmp/client
vsr running cmp-enrollment# server-certificate 6WIND
vsr running cmp-enrollment# automatic-update
vsr running automatic-update# remaining-time 1
vsr running automatic-update# retry-delay 15
vsr running automatic-update# commit
vsr running automatic-update# exit
vsr> cmd certificate cmp scheduled-update name userEE ca-profile rootca

Note that if the automatic-update sub-section already exists at enrollment time, the automatic update is started immediately, without invoking the cmd certificate cmp scheduled-update command.

Note

Any later change to the ca-profile is not taken into account by an already scheduled update: the parameters in effect when the scheduled update was started remain in use. If parameters change, the cmd certificate cmp scheduled-update command must be invoked again manually.

Stop automatic updates

To stop automatic updates for a certificate, use the flush certificate cmp scheduled-update command:

vsr> flush certificate cmp scheduled-update name userEE
Stopped automatic update for userEE.

If no automatic update is scheduled, the command simply returns an informational message:

vsr> flush certificate cmp scheduled-update name userEE
No scheduled automatic update for userEE.

Show scheduled automatic update status

To show the status of automatic updates for a certificate, use the show certificate cmp scheduled-update command. The two timers differ by remaining-time (here one day): the update is attempted one day before the certificate expires.

vsr> show certificate cmp scheduled-update name userEE
Expiration of userEE in 1094 days 78807 seconds
Automatic update in 1093 days 78807 seconds
Update parameters:
   ca-profile rootca
   vrf main
   url http://pki-host:8080/cmp/client
   server-certificate 6WIND
   private-key-algorithm rsa-2048
   automatic-update
      remaining-time 1
      retry-delay 15

If no automatic update is scheduled, the command simply returns an informational message:

vsr> show certificate cmp scheduled-update name userEE
No scheduled automatic update for userEE.
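To make the scheduling behaviour concrete, here is an added example, not Virtual Service Router code, that models the scheduled update as described above: the update time is derived from the certificate's Not After, the profile parameters are copied at scheduling time so later profile edits are ignored (the point of the note above), failed attempts are retried after retry-delay until the certificate expires, and the status is printed in the same form as the show output. remaining-time is taken in days, as the status output implies; the unit of retry-delay is not stated here, so it is passed as a timedelta and the 15-minute value is an assumption. The sample dates are the Not Before and Not After of the updated userEE certificate shown earlier.

```python
"""Scheduled certificate update before expiry (added example, not product code)."""
from datetime import datetime, timedelta


class ScheduledUpdate:
    def __init__(self, name, not_after, profile, now):
        self.name = name
        self.not_after = not_after
        self.params = dict(profile)  # snapshot: later ca-profile edits are ignored
        window = timedelta(days=self.params["remaining-time"])  # days, per show output
        # If we are already inside the window (or past it), update right away.
        self.update_at = max(not_after - window, now)
        self.next_attempt = self.update_at
        self.attempts = 0

    def on_failure(self, now):
        """Schedule a retry after retry-delay; None once the certificate has expired."""
        self.attempts += 1
        self.next_attempt = now + self.params["retry-delay"]
        if self.next_attempt >= self.not_after:
            return None
        return self.next_attempt

    def status(self, now):
        """Same shape as 'show certificate cmp scheduled-update'."""
        def fmt(delta):
            return "%d days %d seconds" % (delta.days, delta.seconds)
        return "\n".join([
            "Expiration of %s in %s" % (self.name, fmt(self.not_after - now)),
            "Automatic update in %s" % fmt(self.next_attempt - now),
        ])


# Constructed profile, mirroring the ca-profile rootca configuration above.
PROFILE = {
    "ca-profile": "rootca",
    "url": "http://pki-host:8080/cmp/client",
    "server-certificate": "6WIND",
    "remaining-time": 1,                     # days before expiry
    "retry-delay": timedelta(minutes=15),    # unit assumed for this example
}
NOW = datetime(2021, 7, 23, 13, 51, 21)      # Not Before of the updated userEE
NOT_AFTER = datetime(2022, 5, 1, 0, 0, 0)    # Not After of the updated userEE

if __name__ == "__main__":
    sched = ScheduledUpdate("userEE", NOT_AFTER, PROFILE, NOW)
    print(sched.status(NOW))
    print(sched.on_failure(sched.update_at))  # retry 15 minutes later
```

The snapshot in the constructor is what the note above describes: editing remaining-time in the profile after scheduling changes nothing until the scheduled-update command is run again, which builds a new object from the current profile.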

Revocation global options

Set the vrf and source address for CRL retrieval

During an IKE negotiation with certificate authentication, if one or more CRL distribution points are known for the CA (configured in a ca-profile or embedded in the CA certificate), the IKE service tries to retrieve a CRL during the authentication phase.

By default the CRL is retrieved in the same VRF as the IKE negotiation, with the source address chosen by the routing table.

In some use cases it may be necessary to use a different VRF and/or a specific source address, for instance when the CRL distribution point is only reachable from a management VRF. These parameters are set in the pki revocation crl context and apply to all CA certificates, regardless of the IKE VRF.

vsr> edit running
vsr running config# pki
vsr running pki# revocation
vsr running revocation# crl
vsr running crl# vrf private
vsr running crl# source 10.175.0.3
vsr running crl# commit
vsr running crl# /
vsr running config#
vsr> show config pki
pki
    revocation
        crl
            vrf private
            source 10.175.0.3
            ..
        ..
    ..