3.2.5. pki
Public Key Infrastructure configuration.
vsr running config# pki
ca-profile
List of Certificate Authority profiles.
vsr running config# pki ca-profile <ca-profile>
- <ca-profile>: Certificate name.
cmp
Certificate Management Protocol parameters.
vsr running config# pki ca-profile <ca-profile> cmp
vrf
The vrf in which CMP exchanges are performed.
vsr running config# pki ca-profile <ca-profile> cmp
vsr running cmp# vrf VRF
VRF values:
- The main vrf.
- The vrf name.
- Default value: main
url (mandatory)
The HTTP URL of the CMP server to which enrollment requests will be addressed.
vsr running config# pki ca-profile <ca-profile> cmp
vsr running cmp# url URL
- URL: An HTTP(S) file URL. IPv6 addresses must be surrounded by square brackets, e.g. [1234:bada::2]. The :/?#[]@!$&'()*+,;= characters in the user and password must be percent-encoded (e.g. '?' becomes '%3f'); see RFC 3986 section 2.1. For convenience, you should use the separate user and password fields.
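As an added example (not code from the 6WIND documentation), the following Python builds a CMP server URL with percent-encoded credentials and a bracketed IPv6 host, then checks that the credentials survive a round trip through a URL parser. The host, path, user and password are constructed sample values; `urllib.parse.quote` with `safe=""` encodes everything outside the RFC 3986 unreserved set, which covers the reserved characters listed above.

```python
from typing import Optional
from urllib.parse import quote, unquote, urlsplit

# Characters that must be percent-encoded inside the user/password part of the
# URL, as listed in the documentation (RFC 3986 section 2.1/2.2).
RESERVED_IN_USERINFO = ":/?#[]@!$&'()*+,;="


def encode_userinfo_component(value: str) -> str:
    """Percent-encode one userinfo component (user or password).

    quote() with safe="" leaves only the RFC 3986 unreserved characters
    (ALPHA, DIGIT, "-", ".", "_", "~") untouched, so every character in
    RESERVED_IN_USERINFO is encoded. The hex digits are emitted in upper
    case; RFC 3986 treats '%3F' and '%3f' as equivalent.
    """
    return quote(value, safe="")


def build_cmp_url(host: str, path: str, user: Optional[str] = None,
                  password: Optional[str] = None, scheme: str = "http",
                  port: Optional[int] = None) -> str:
    """Assemble scheme://[user[:password]@]host[:port]/path.

    A bare IPv6 literal (contains ':' and is not already bracketed) is wrapped
    in square brackets so that its colons are not mistaken for a port separator.
    """
    if ":" in host and not host.startswith("["):
        host = f"[{host}]"
    netloc = host if port is None else f"{host}:{port}"
    if user is not None:
        userinfo = encode_userinfo_component(user)
        if password is not None:
            userinfo += ":" + encode_userinfo_component(password)
        netloc = f"{userinfo}@{netloc}"
    if not path.startswith("/"):
        path = "/" + path
    return f"{scheme}://{netloc}{path}"


def credentials_round_trip(url: str, user: str, password: str) -> bool:
    """Return True if a standard URL parser recovers exactly the intended
    user and password from the URL. Unencoded reserved characters (an
    unescaped '?' or '@' for instance) make the parser split the URL in the
    wrong place, and this check reports False."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.username is None or parts.password is None:
        return False
    return unquote(parts.username) == user and unquote(parts.password) == password


if __name__ == "__main__":
    # Constructed sample values: an IPv6 CMP server and credentials containing
    # reserved characters.
    url = build_cmp_url("1234:bada::2", "/pkix/", user="cmp user", password="p@ss:w?rd")
    print(url)
    print("round trip ok:", credentials_round_trip(url, "cmp user", "p@ss:w?rd"))
```

The `credentials_round_trip` check is the useful part for operators: paste the candidate `url` value into it with the intended user and password, and a False result means the enrollment request would carry a mangled credential or be sent to the wrong host.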
server-certificate
The name of the CMP server certificate. It may be the certificate authority itself, or a registration authority. This certificate must be imported to the database before any update request.
vsr running config# pki ca-profile <ca-profile> cmp
vsr running cmp# server-certificate SERVER-CERTIFICATE
- SERVER-CERTIFICATE: Certificate name.
issuer
The distinguished name (DN) of the issuer to use in the requested certificate, i.e. the name of the certificate authority that should issue this certificate, for example '/CN=CA/O=6WIND'. By default, the subject of the server-certificate, if one is specified.
vsr running config# pki ca-profile <ca-profile> cmp
vsr running cmp# issuer ISSUER
- ISSUER: X500 Distinguished Name.
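As an added example (not code from the documentation or from 6WIND), the following Python parses the slash-separated DN notation used above, compares two DNs the way an issuer check would, and resolves the effective issuer when the `issuer` field is left empty. It assumes the OpenSSL "oneline" style shown on the page (a leading '/', one TYPE=value per component, no escaping inside values) and compares attribute values exactly; both are simplifications relative to full X.500 matching rules.

```python
from typing import List, Optional, Tuple

RDN = Tuple[str, str]  # (attribute type, attribute value)


def parse_slash_dn(dn: str) -> List[RDN]:
    """Parse '/CN=CA/O=6WIND' into [('CN', 'CA'), ('O', '6WIND')].

    Assumption: OpenSSL oneline format with no '/' or '=' escaping inside
    values. Order is preserved because RDN order is significant in a DN.
    """
    if not dn.startswith("/"):
        raise ValueError("slash DN must start with '/'")
    rdns: List[RDN] = []
    for component in dn[1:].split("/"):
        if not component:
            continue  # tolerate a trailing '/'
        if "=" not in component:
            raise ValueError(f"malformed RDN {component!r}: expected TYPE=value")
        attr_type, value = component.split("=", 1)
        attr_type = attr_type.strip()
        if not attr_type:
            raise ValueError(f"malformed RDN {component!r}: empty attribute type")
        rdns.append((attr_type, value))
    return rdns


def is_valid_slash_dn(dn: str) -> bool:
    """True if the string parses as a slash DN."""
    try:
        parse_slash_dn(dn)
        return True
    except ValueError:
        return False


def dn_matches(a: str, b: str) -> bool:
    """Compare two DNs: same RDNs in the same order, attribute types compared
    case-insensitively, values compared exactly (strict by design, so that a
    CA named 'ca' is not silently accepted for 'CA')."""
    left = [(t.upper(), v) for t, v in parse_slash_dn(a)]
    right = [(t.upper(), v) for t, v in parse_slash_dn(b)]
    return left == right


def effective_issuer(configured_issuer: Optional[str],
                     server_certificate_subject: Optional[str]) -> str:
    """Issuer DN that ends up in the request: the configured 'issuer' when set,
    otherwise the subject of the server-certificate, as the documentation
    describes for the default."""
    if configured_issuer:
        parse_slash_dn(configured_issuer)  # fail early on a malformed value
        return configured_issuer
    if server_certificate_subject is None:
        raise ValueError("no issuer configured and no server-certificate to default to")
    return server_certificate_subject


if __name__ == "__main__":
    # Constructed sample values.
    print(parse_slash_dn("/CN=CA/O=6WIND"))
    print(dn_matches("/CN=CA/O=6WIND", "/cn=CA/o=6WIND"))   # True
    print(dn_matches("/CN=CA/O=6WIND", "/O=6WIND/CN=CA"))   # False: order differs
    print(effective_issuer(None, "/CN=RA/O=6WIND"))
```

The order sensitivity in `dn_matches` is deliberate: '/CN=CA/O=6WIND' and '/O=6WIND/CN=CA' are different names, and a profile whose `issuer` lists the RDNs in a different order than the CA presents them will not name the intended issuer.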
private-key-algorithm
The private key algorithm.
vsr running config# pki ca-profile <ca-profile> cmp
vsr running cmp# private-key-algorithm PRIVATE-KEY-ALGORITHM
PRIVATE-KEY-ALGORITHM values:
- RSA with 512 bit key.
- RSA with 1024 bit key.
- RSA with 2048 bit key.
- RSA with 4096 bit key.
- RSA with 8192 bit key.
- RSA Probabilistic Signature Scheme with 512 bit key (a.k.a. RSASSA-PSS, defined in RFC3447).
- RSA Probabilistic Signature Scheme with 1024 bit key (a.k.a. RSASSA-PSS, defined in RFC3447).
- RSA Probabilistic Signature Scheme with 2048 bit key (a.k.a. RSASSA-PSS, defined in RFC3447).
- RSA Probabilistic Signature Scheme with 4096 bit key (a.k.a. RSASSA-PSS, defined in RFC3447).
- RSA Probabilistic Signature Scheme with 8192 bit key (a.k.a. RSASSA-PSS, defined in RFC3447).
- ECDSA with 256-bit prime field Weierstrass curve (a.k.a. NIST P-256, secp256r1, prime256v1).
- ECDSA with 384-bit prime field Weierstrass curve (a.k.a. NIST P-384, secp384r1, ansip384r1).
- ECDSA with 521-bit prime field Weierstrass curve (a.k.a. NIST P-521, secp521r1, ansip521r1).
- ECDSA with 256-bit prime field Brainpool curve (a.k.a. brainpoolP256r1, defined in RFC5639).
- ECDSA with 384-bit prime field Brainpool curve (a.k.a. brainpoolP384r1, defined in RFC5639).
- ECDSA with 512-bit prime field Brainpool curve (a.k.a. brainpoolP512r1, defined in RFC5639).
- EdDSA using SHA512 and Curve25519 (a.k.a. Ed25519, defined in RFC8032).
- EdDSA using SHAKE256 and Curve448 (a.k.a. Ed448, defined in RFC8032).
- Default value: rsa-2048
source
The source address used to reach the CMP server.
vsr running config# pki ca-profile <ca-profile> cmp
vsr running cmp# source SOURCE
SOURCE values:
- An IPv4 address.
- An IPv6 address.
install-ca-certificates
Whether to install and trust the CA certificates returned by the CMP server in the caPubs section.
vsr running config# pki ca-profile <ca-profile> cmp
vsr running cmp# install-ca-certificates true|false
- Default value: true
automatic-update
CMP automatic update parameters.
vsr running config# pki ca-profile <ca-profile> cmp automatic-update
remaining-time
unit: days
The remaining days of validity of the certificate before the scheduled update is triggered.
vsr running config# pki ca-profile <ca-profile> cmp automatic-update
vsr running automatic-update# remaining-time <uint32>
- Default value: 5
retry-delay
unit: seconds
The time between two update retries in case of a failed update.
vsr running config# pki ca-profile <ca-profile> cmp automatic-update
vsr running automatic-update# retry-delay <uint32>
- Default value: 30
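As an added example (not code from the documentation or from 6WIND's implementation), the following Python models how `remaining-time` and `retry-delay` combine: the scheduled update fires `remaining-time` days before the certificate's validity-not-after, and after a failed attempt the next try is `retry-delay` seconds later. The defaults are the page's (5 days, 30 seconds); the exact timer semantics in VSR, and the sample dates, are assumptions of the example.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0,
        second: int = 0) -> datetime:
    """Build a timezone-aware UTC datetime (certificate validity is in UTC)."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def update_trigger_time(not_after: datetime, remaining_days: int) -> datetime:
    """Instant at which the scheduled update is triggered: remaining-time
    days before validity-not-after."""
    return not_after - timedelta(days=remaining_days)


def next_update_attempt(not_after: datetime, now: datetime,
                        remaining_days: int = 5, retry_delay_s: int = 30,
                        last_failed_attempt: Optional[datetime] = None) -> datetime:
    """When the next CMP update attempt is due.

    Before the trigger point nothing happens. Once inside the renewal window,
    an attempt is due immediately unless the previous one failed, in which
    case it is due retry-delay seconds after that failure (assumed model).
    """
    trigger = update_trigger_time(not_after, remaining_days)
    if now < trigger:
        return trigger
    if last_failed_attempt is not None:
        return last_failed_attempt + timedelta(seconds=retry_delay_s)
    return now


def retries_before_expiry(remaining_days: int, retry_delay_s: int) -> int:
    """Upper bound on the number of retries that fit between the trigger
    point and expiry if every attempt fails: the window divided by the delay.
    With the defaults (5 days, 30 s) that is 14400 requests to the CMP server."""
    window = timedelta(days=remaining_days)
    return int(window.total_seconds() // retry_delay_s)


def window_fits_validity(not_before: datetime, not_after: datetime,
                         remaining_days: int) -> bool:
    """Sanity check for a profile: if remaining-time is not shorter than the
    certificate lifetime, the trigger point lies before validity-not-before
    and the update fires as soon as the certificate is installed."""
    return update_trigger_time(not_after, remaining_days) > not_before


if __name__ == "__main__":
    # Constructed sample values: a certificate valid for January 2025.
    not_before, not_after = utc(2025, 1, 1), utc(2025, 1, 31)
    print("trigger:", update_trigger_time(not_after, 5))
    print("next attempt after a failure:",
          next_update_attempt(not_after, utc(2025, 1, 27, 12),
                              last_failed_attempt=utc(2025, 1, 27, 11, 59)))
    print("max retries with defaults:", retries_before_expiry(5, 30))
    print("5-day window fits a 30-day certificate:",
          window_fits_validity(not_before, not_after, 5))
```

`window_fits_validity` is the check worth running when short-lived certificates are in use: `remaining-time` is expressed in days, so a certificate issued for less than that many days is up for renewal immediately. `retries_before_expiry` shows the other side of the trade-off, since a small `retry-delay` against an unreachable server produces a steady stream of requests for the whole window.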
revocation
Revocation check parameters.
vsr running config# pki ca-profile <ca-profile> revocation
crl
Certificate Revocation List parameters.
vsr running config# pki ca-profile <ca-profile> revocation crl
url
List of CRL distribution point URLs.
vsr running config# pki ca-profile <ca-profile> revocation crl
vsr running crl# url URL
- URL: An ASCII-encoded Uniform Resource Identifier (URI) as defined in RFC 3986.
revocation
Certificate revocation global parameters.
vsr running config# pki revocation
crl
Certificate Revocation List global parameters.
vsr running config# pki revocation crl
vrf
The VRF in which CRLs are fetched.
vsr running config# pki revocation crl
vsr running crl# vrf <leafref>
source
The source address used to fetch the CRLs.
vsr running config# pki revocation crl
vsr running crl# source SOURCE
SOURCE values:
- An IPv4 address.
- An IPv6 address.
certificate (state only)
Note: requires a Product License.
List of X509 Certificates.
subject (state only) (pushed)
The subject of the certificate.
vsr> show state pki certificate <string> subject
issuer (state only) (pushed)
The issuer of the certificate.
vsr> show state pki certificate <string> issuer
validity-not-before (state only) (pushed)
The validity of the certificate: not before this date.
vsr> show state pki certificate <string> validity-not-before
validity-not-after (state only) (pushed)
The validity of the certificate: not after this date.
vsr> show state pki certificate <string> validity-not-after
has-private-key (state only) (pushed)
Whether a private key is associated with this certificate.
vsr> show state pki certificate <string> has-private-key