3.2.5. pki
Public Key Infrastructure configuration.
vsr running config# pki
ca-profile
List of Certificate Authority profiles.
vsr running config# pki ca-profile <ca-profile>
Certificate name.
est
Enrollment over Secure Transport parameters (RFC 7030).
vsr running config# pki ca-profile <ca-profile> est
vrf
The vrf in which EST exchanges are performed.
vsr running config# pki ca-profile <ca-profile> est
vsr running est# vrf VRF
Description:
- The main vrf.
- The vrf name.
- Default value
main
l3vrf
The l3vrf in which EST exchanges are performed.
vsr running config# pki ca-profile <ca-profile> est
vsr running est# l3vrf L3VRF
The l3vrf name.
url (mandatory)
The HTTPS URL of the EST server to which enrollment requests will be sent.
vsr running config# pki ca-profile <ca-profile> est
vsr running est# url URL
An HTTP(S) file URL. IPv6 addresses must be surrounded by square brackets, e.g. [1234:bada::2]. The :/?#[]@!$&'()*+,;= characters in the user and password must be percent-encoded (e.g. '?' becomes '%3f'). See RFC 3986 section 2.1. For convenience, you should use the separate user and password fields.
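Constructing a value for the url leaf, as an added example that is not part of the VSR documentation: it percent-encodes the reserved characters in the user and password, brackets an IPv6 host as the leaf requires, and parses the result back to confirm the round trip. The host, path and credentials are constructed sample values.

```python
# Added example, not from the VSR documentation: build the HTTPS URL for the
# EST "url" leaf, percent-encoding the reserved characters in user/password and
# bracketing IPv6 hosts, then parse it back to confirm the round trip.
from ipaddress import ip_address
from urllib.parse import quote, unquote, urlsplit


def est_url(host, path, user="", password="", port=0):
    """Return an https:// URL suitable for the 'url URL' command."""
    userinfo = ""
    if user:
        # safe="" forces every RFC 3986 reserved character (:/?#[]@!$&'()*+,;=)
        # to be percent-encoded; the default would leave '/' unencoded.
        userinfo = quote(user, safe="")
        if password:
            userinfo += ":" + quote(password, safe="")
        userinfo += "@"
    # An IPv6 literal must be surrounded by square brackets.
    try:
        if ip_address(host).version == 6:
            host = f"[{host}]"
    except ValueError:
        pass  # a DNS name, left as is
    if not path.startswith("/"):
        path = "/" + path
    netloc = f"{userinfo}{host}" + (f":{port}" if port else "")
    return f"https://{netloc}{path}"


def credentials(url):
    """Decode (user, password, hostname) from a URL built by est_url()."""
    parts = urlsplit(url)
    return (unquote(parts.username or ""), unquote(parts.password or ""),
            parts.hostname or "")


if __name__ == "__main__":
    # Constructed sample values: without encoding, the '?' in the password
    # would be parsed as the start of the query string and the '@' in the
    # user as the end of the userinfo.
    url = est_url("2001:db8::2", ".well-known/est", "ops@corp", "p?ss:w/rd", 8443)
    print(url)
    print(credentials(url))
```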
initial-certificate
End-entity certificate used to authenticate the local device to the EST server during the initial enrollment.
vsr running config# pki ca-profile <ca-profile> est
vsr running est# initial-certificate INITIAL-CERTIFICATE
Certificate name.
private-key-algorithm
The private key algorithm.
vsr running config# pki ca-profile <ca-profile> est
vsr running est# private-key-algorithm PRIVATE-KEY-ALGORITHM
Description:
- RSA with 512 bit key.
- RSA with 1024 bit key.
- RSA with 2048 bit key.
- RSA with 4096 bit key.
- RSA with 8192 bit key.
- RSA Probabilistic Signature Scheme with 512 bit key (a.k.a. RSASSA-PSS, defined in RFC 3447).
- RSA Probabilistic Signature Scheme with 1024 bit key (a.k.a. RSASSA-PSS, defined in RFC 3447).
- RSA Probabilistic Signature Scheme with 2048 bit key (a.k.a. RSASSA-PSS, defined in RFC 3447).
- RSA Probabilistic Signature Scheme with 4096 bit key (a.k.a. RSASSA-PSS, defined in RFC 3447).
- RSA Probabilistic Signature Scheme with 8192 bit key (a.k.a. RSASSA-PSS, defined in RFC 3447).
- ECDSA with 256-bit prime field Weierstrass curve (a.k.a. NIST P-256, secp256r1, prime256v1).
- ECDSA with 384-bit prime field Weierstrass curve (a.k.a. NIST P-384, secp384r1, ansip384r1).
- ECDSA with 521-bit prime field Weierstrass curve (a.k.a. NIST P-521, secp521r1, ansip521r1).
- ECDSA with 256-bit prime field Brainpool curve (a.k.a. brainpoolP256r1, defined in RFC 5639).
- ECDSA with 384-bit prime field Brainpool curve (a.k.a. brainpoolP384r1, defined in RFC 5639).
- ECDSA with 512-bit prime field Brainpool curve (a.k.a. brainpoolP512r1, defined in RFC 5639).
- EdDSA using SHA-512 and Curve25519 (a.k.a. Ed25519, defined in RFC 8032).
- EdDSA using SHAKE256 and Curve448 (a.k.a. Ed448, defined in RFC 8032).
- Default value
rsa-2048
source
The source address used to reach the EST server.
vsr running config# pki ca-profile <ca-profile> est
vsr running est# source SOURCE
Description:
- An IPv4 address.
- An IPv6 address.
ca-certificate-store
CA certificate store used as an Explicit Trust Anchor for authenticating the EST server and for signing the end-entity certificates.
vsr running config# pki ca-profile <ca-profile> est
vsr running est# ca-certificate-store CA-CERTIFICATE-STORE
CA certificate store name.
use-ocsp-stapling
Whether to verify the status of the EST server certificate by using the Certificate Status Request TLS extension (a.k.a. OCSP stapling).
vsr running config# pki ca-profile <ca-profile> est
vsr running est# use-ocsp-stapling true|false
- Default value
false
update-ca-certificates
Whether to update the CA certificates before every EST request.
vsr running config# pki ca-profile <ca-profile> est
vsr running est# update-ca-certificates true|false
- Default value
false
automatic-update
EST automatic update parameters.
vsr running config# pki ca-profile <ca-profile> est automatic-update
remaining-time
unit: days
The remaining days of validity of the certificate before the scheduled update is triggered.
vsr running config# pki ca-profile <ca-profile> est automatic-update
vsr running automatic-update# remaining-time <uint32>
- Default value
5
retry-delay
unit: seconds
The time between two update retries after a failed update.
vsr running config# pki ca-profile <ca-profile> est automatic-update
vsr running automatic-update# retry-delay <uint32>
- Default value
30
certificate-extensions
X509v3 extensions to request when enrolling a certificate.
vsr running config# pki ca-profile <ca-profile> certificate-extensions
subject-key-identifier
Subject Key Identifier.
vsr running config# pki ca-profile <ca-profile> certificate-extensions
vsr running certificate-extensions# subject-key-identifier SUBJECT-KEY-IDENTIFIER
Description:
- 160-bit SHA-1 hash of the subjectPublicKey.
- No description.
- No description.
key-usage
Key Usage.
vsr running config# pki ca-profile <ca-profile> certificate-extensions key-usage
critical
The key-usage extension is critical.
vsr running config# pki ca-profile <ca-profile> certificate-extensions key-usage
vsr running key-usage# critical
digital-signature
Digital Signature.
vsr running config# pki ca-profile <ca-profile> certificate-extensions key-usage
vsr running key-usage# digital-signature
non-repudiation
Non repudiation.
vsr running config# pki ca-profile <ca-profile> certificate-extensions key-usage
vsr running key-usage# non-repudiation
key-encipherment
Key encryption.
vsr running config# pki ca-profile <ca-profile> certificate-extensions key-usage
vsr running key-usage# key-encipherment
data-encipherment
Data encryption with the key contained in the certificate.
vsr running config# pki ca-profile <ca-profile> certificate-extensions key-usage
vsr running key-usage# data-encipherment
key-agreement
Key agreement (e.g. for Diffie-Hellman exchanges).
vsr running config# pki ca-profile <ca-profile> certificate-extensions key-usage
vsr running key-usage# key-agreement
key-cert-sign
Signing certificates.
vsr running config# pki ca-profile <ca-profile> certificate-extensions key-usage
vsr running key-usage# key-cert-sign
crl-sign
Signing revocation lists.
vsr running config# pki ca-profile <ca-profile> certificate-extensions key-usage
vsr running key-usage# crl-sign
encipher-only
Encrypt only, in conjunction with keyAgreement.
vsr running config# pki ca-profile <ca-profile> certificate-extensions key-usage
vsr running key-usage# encipher-only
decipher-only
Decrypt only, in conjunction with keyAgreement.
vsr running config# pki ca-profile <ca-profile> certificate-extensions key-usage
vsr running key-usage# decipher-only
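A consistency check over the key-usage bits listed above, added here as an example and not part of the VSR documentation: it flags combinations that RFC 5280 leaves undefined (encipher-only or decipher-only without key-agreement, key-cert-sign on a non-CA certificate) and bits that the key type from private-key-algorithm cannot carry. The family labels "rsa", "ecdsa" and "eddsa" are this example's own grouping of the private-key-algorithm descriptions, not VSR values.

```python
# Added example, not from the VSR documentation: sanity-check the key-usage bits
# requested under certificate-extensions, using the leaf names of the key-usage
# node. Rules: RFC 5280 sec. 4.2.1.3, RFC 5480 sec. 3 (EC keys) and RFC 8410
# sec. 5 (Ed25519/Ed448 keys). "family" is this example's own label for the
# private-key-algorithm groups (rsa / ecdsa / eddsa), not a VSR value.
KEY_USAGE_LEAVES = frozenset({
    "digital-signature", "non-repudiation", "key-encipherment",
    "data-encipherment", "key-agreement", "key-cert-sign", "crl-sign",
    "encipher-only", "decipher-only",
})
# Bits that a given key type cannot meaningfully carry.
NOT_FOR_FAMILY = {
    "rsa": {"key-agreement", "encipher-only", "decipher-only"},
    "ecdsa": {"key-encipherment", "data-encipherment"},
    "eddsa": {"key-encipherment", "data-encipherment", "key-agreement",
              "encipher-only", "decipher-only"},
}


def check_key_usage(requested, family="rsa", is_ca=False):
    """Return the list of problems found; an empty list means consistent."""
    bits = set(requested)
    problems = []
    unknown = bits - KEY_USAGE_LEAVES
    if unknown:
        problems.append("unknown leaves: " + ", ".join(sorted(unknown)))
    if not bits & KEY_USAGE_LEAVES:
        # RFC 5280: when the extension is present, at least one bit is set.
        problems.append("no key-usage bit requested")
    # encipher-only / decipher-only are undefined without key-agreement.
    for bit in ("encipher-only", "decipher-only"):
        if bit in bits and "key-agreement" not in bits:
            problems.append(f"{bit} requires key-agreement")
    # keyCertSign is only valid when basicConstraints cA is TRUE.
    if "key-cert-sign" in bits and not is_ca:
        problems.append("key-cert-sign requires a CA certificate")
    for bit in sorted(bits & NOT_FOR_FAMILY.get(family, set())):
        problems.append(f"{bit} is not applicable to {family} keys")
    return problems


if __name__ == "__main__":
    # Constructed inputs: a typical RSA end-entity profile, then a bad one.
    print(check_key_usage(["digital-signature", "key-encipherment"]))
    print(check_key_usage(["encipher-only", "key-cert-sign"], family="ecdsa"))
```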
extended-key-usage
Extended Key Usage.
vsr running config# pki ca-profile <ca-profile> certificate-extensions extended-key-usage
critical
The extended-key-usage extension is critical.
vsr running config# pki ca-profile <ca-profile> certificate-extensions extended-key-usage
vsr running extended-key-usage# critical
server-auth
SSL/TLS Web Server Authentication.
vsr running config# pki ca-profile <ca-profile> certificate-extensions extended-key-usage
vsr running extended-key-usage# server-auth
client-auth
SSL/TLS Web Client Authentication.
vsr running config# pki ca-profile <ca-profile> certificate-extensions extended-key-usage
vsr running extended-key-usage# client-auth
code-signing
Code signing.
vsr running config# pki ca-profile <ca-profile> certificate-extensions extended-key-usage
vsr running extended-key-usage# code-signing
email-protection
E-mail Protection (S/MIME).
vsr running config# pki ca-profile <ca-profile> certificate-extensions extended-key-usage
vsr running extended-key-usage# email-protection
time-stamping
Trusted Timestamping.
vsr running config# pki ca-profile <ca-profile> certificate-extensions extended-key-usage
vsr running extended-key-usage# time-stamping
ocsp-signing
OCSP Signing.
vsr running config# pki ca-profile <ca-profile> certificate-extensions extended-key-usage
vsr running extended-key-usage# ocsp-signing
ipsec-ike
IPsec Internet Key Exchange.
vsr running config# pki ca-profile <ca-profile> certificate-extensions extended-key-usage
vsr running extended-key-usage# ipsec-ike
ms-individual-code-signing
Microsoft Individual Code Signing (Authenticode).
vsr running config# pki ca-profile <ca-profile> certificate-extensions extended-key-usage
vsr running extended-key-usage# ms-individual-code-signing
ms-commercial-code-signing
Microsoft Commercial Code Signing (Authenticode).
vsr running config# pki ca-profile <ca-profile> certificate-extensions extended-key-usage
vsr running extended-key-usage# ms-commercial-code-signing
ms-cert-trust-list-signing
Microsoft Certificate Trust List Signing.
vsr running config# pki ca-profile <ca-profile> certificate-extensions extended-key-usage
vsr running extended-key-usage# ms-cert-trust-list-signing
ms-encrypted-file-system
Microsoft Encrypted File System.
vsr running config# pki ca-profile <ca-profile> certificate-extensions extended-key-usage
vsr running extended-key-usage# ms-encrypted-file-system
revocation
Revocation check parameters.
vsr running config# pki ca-profile <ca-profile> revocation
crl
Certificate Revocation List parameters.
vsr running config# pki ca-profile <ca-profile> revocation crl
url
List of CRL distribution point URLs.
vsr running config# pki ca-profile <ca-profile> revocation crl
vsr running crl# url URL
An ASCII-encoded Uniform Resource Identifier (URI) as defined in RFC 3986.
revocation
Certificate revocation global parameters.
vsr running config# pki revocation
crl
Certificate Revocation List global parameters.
vsr running config# pki revocation crl
vrf
The VRF in which CRLs are fetched.
vsr running config# pki revocation crl
vsr running crl# vrf <leafref>
source
The source address used to fetch the CRLs.
vsr running config# pki revocation crl
vsr running crl# source SOURCE
Description:
- An IPv4 address.
- An IPv6 address.
certificate (state only)
Note: requires a specific license: Product.
List of X509 Certificates.
subject (state only) (pushed)
The subject of the certificate.
vsr> show state pki certificate <string> subject
issuer (state only) (pushed)
The issuer of the certificate.
vsr> show state pki certificate <string> issuer
validity-not-before (state only) (pushed)
The validity of the certificate: not before this date.
vsr> show state pki certificate <string> validity-not-before
validity-not-after (state only) (pushed)
The validity of the certificate: not after this date.
vsr> show state pki certificate <string> validity-not-after
has-private-key (state only) (pushed)
There is a private key associated with this certificate.
vsr> show state pki certificate <string> has-private-key
is-ca (state only) (pushed)
Whether this is a CA certificate.
vsr> show state pki certificate <string> is-ca
certificate-request (state only)
Note: requires a specific license: Product.
List of X509 certificate signing requests.
subject (state only) (pushed)
The subject of the certificate request.
vsr> show state pki certificate-request <string> subject
ca-certificate-store (state only)
Note: requires a specific license: Product.
List of CA certificate stores.
certificate (state only)
Note: requires a specific license: Product.
List of X509 Certificates.
subject (state only) (pushed)
The subject of the certificate.
vsr> show state pki ca-certificate-store <string> certificate <string> subject
issuer (state only) (pushed)
The issuer of the certificate.
vsr> show state pki ca-certificate-store <string> certificate <string> issuer
validity-not-before (state only) (pushed)
The validity of the certificate: not before this date.
vsr> show state pki ca-certificate-store <string> certificate <string> validity-not-before
validity-not-after (state only) (pushed)
The validity of the certificate: not after this date.
vsr> show state pki ca-certificate-store <string> certificate <string> validity-not-after
has-private-key (state only) (pushed)
There is a private key associated with this certificate.
vsr> show state pki ca-certificate-store <string> certificate <string> has-private-key
is-ca (state only) (pushed)
Whether this is a CA certificate.
vsr> show state pki ca-certificate-store <string> certificate <string> is-ca