3.2.5. pki

Public Key Infrastructure configuration.

vsr running config# pki

ca-profile

List of Certificate Authority profiles.

vsr running config# pki ca-profile <ca-profile>

<ca-profile>

Certificate name.

cmp

Certificate Management Protocol parameters.

vsr running config# pki ca-profile <ca-profile> cmp

vrf

The vrf in which CMP exchanges are performed.

vsr running config# pki ca-profile <ca-profile> cmp
vsr running cmp# vrf VRF

VRF values

Description

main

The main vrf.

<string>

The vrf name.

Default value
main

url (mandatory)

The HTTP URL of the CMP server where enrollment requests will be addressed.

vsr running config# pki ca-profile <ca-profile> cmp
vsr running cmp# url URL

URL

An HTTP(S) URL. IPv6 addresses must be surrounded by square brackets, e.g. [1234:bada::2]. The characters :/?#[]@!$&'()*+,;= in the user and password must be percent-encoded (e.g. '?' becomes '%3f'), see RFC 3986 section 2.1. For convenience, you should use the separate user and password fields instead of embedding credentials in the URL.

server-certificate

The name of the CMP server certificate. It may be the certificate of the certificate authority itself, or that of a registration authority. This certificate must be imported into the certificate database before any update request is sent, since it is what the CMP responses are checked against.

vsr running config# pki ca-profile <ca-profile> cmp
vsr running cmp# server-certificate SERVER-CERTIFICATE

SERVER-CERTIFICATE

Certificate name.

issuer

The distinguished name (DN) of the issuer to use in the requested certificate, i.e. the name of the certificate authority that should issue this certificate, for example '/CN=CA/O=6WIND'. By default, the subject of the server-certificate, if one is specified.

vsr running config# pki ca-profile <ca-profile> cmp
vsr running cmp# issuer ISSUER

ISSUER

X500 Distinguished Name.

private-key-algorithm

The private key algorithm.

vsr running config# pki ca-profile <ca-profile> cmp
vsr running cmp# private-key-algorithm PRIVATE-KEY-ALGORITHM

PRIVATE-KEY-ALGORITHM values

Description

rsa-512

RSA with 512-bit key.

rsa-1024

RSA with 1024-bit key.

rsa-2048

RSA with 2048-bit key.

rsa-4096

RSA with 4096-bit key.

rsa-8192

RSA with 8192-bit key.

rsa-pss-512

RSA Probabilistic Signature Scheme with 512-bit key (a.k.a. RSASSA-PSS, defined in RFC 3447).

rsa-pss-1024

RSA Probabilistic Signature Scheme with 1024-bit key (a.k.a. RSASSA-PSS, defined in RFC 3447).

rsa-pss-2048

RSA Probabilistic Signature Scheme with 2048-bit key (a.k.a. RSASSA-PSS, defined in RFC 3447).

rsa-pss-4096

RSA Probabilistic Signature Scheme with 4096-bit key (a.k.a. RSASSA-PSS, defined in RFC 3447).

rsa-pss-8192

RSA Probabilistic Signature Scheme with 8192-bit key (a.k.a. RSASSA-PSS, defined in RFC 3447).

ecdsa-nistp256

ECDSA with 256-bit prime field Weierstrass curve (a.k.a. NIST P-256, secp256r1, prime256v1).

ecdsa-nistp384

ECDSA with 384-bit prime field Weierstrass curve (a.k.a. NIST P-384, secp384r1, ansip384r1).

ecdsa-nistp521

ECDSA with 521-bit prime field Weierstrass curve (a.k.a. NIST P-521, secp521r1, ansip521r1).

ecdsa-brainpoolp256r1

ECDSA with 256-bit prime field Brainpool curve (a.k.a. brainpoolP256r1, defined in RFC 5639).

ecdsa-brainpoolp384r1

ECDSA with 384-bit prime field Brainpool curve (a.k.a. brainpoolP384r1, defined in RFC 5639).

ecdsa-brainpoolp512r1

ECDSA with 512-bit prime field Brainpool curve (a.k.a. brainpoolP512r1, defined in RFC 5639).

ed25519

EdDSA using SHA-512 and Curve25519 (a.k.a. Ed25519, defined in RFC 8032).

ed448

EdDSA using SHAKE256 and Curve448 (a.k.a. Ed448, defined in RFC 8032).

Default value
rsa-2048

Note

The 512-bit and 1024-bit RSA variants (rsa-512, rsa-1024, rsa-pss-512, rsa-pss-1024) are far below the 2048-bit minimum that current guidance requires and should not be chosen for new enrollments.

source

The source address used to reach the CMP server.

vsr running config# pki ca-profile <ca-profile> cmp
vsr running cmp# source SOURCE

SOURCE values

Description

<ipv4-address>

An IPv4 address.

<ipv6-address>

An IPv6 address.

install-ca-certificates

Whether to install and trust the CA certificates returned by the CMP server in the caPubs field of its response. Certificates installed this way become trust anchors, so keep this enabled only when the response is authenticated, for example against the configured server-certificate.

vsr running config# pki ca-profile <ca-profile> cmp
vsr running cmp# install-ca-certificates true|false

Default value
true

automatic-update

CMP automatic update parameters.

vsr running config# pki ca-profile <ca-profile> cmp automatic-update

remaining-time

unit: days

The number of days of validity remaining on the certificate at which the scheduled update is triggered.

vsr running config# pki ca-profile <ca-profile> cmp automatic-update
vsr running automatic-update# remaining-time <uint32>

Default value
5

retry-delay

unit: seconds

The time between two update attempts when an update has failed.

vsr running config# pki ca-profile <ca-profile> cmp automatic-update
vsr running automatic-update# retry-delay <uint32>

Default value
30

revocation

Revocation check parameters.

vsr running config# pki ca-profile <ca-profile> revocation

crl

Certificate Revocation List parameters.

vsr running config# pki ca-profile <ca-profile> revocation crl

url

List of CRL distribution point URLs.

vsr running config# pki ca-profile <ca-profile> revocation crl
vsr running crl# url URL

URL

An ASCII-encoded Uniform Resource Identifier (URI) as defined in RFC 3986.

revocation

Certificate revocation global parameters.

vsr running config# pki revocation

crl

Certificate Revocation List global parameters.

vsr running config# pki revocation crl

vrf

The VRF in which CRLs are fetched.

vsr running config# pki revocation crl
vsr running crl# vrf VRF

VRF

The vrf name.

source

The source address used to fetch the CRLs.

vsr running config# pki revocation crl
vsr running crl# source SOURCE

SOURCE values

Description

<ipv4-address>

An IPv4 address.

<ipv6-address>

An IPv6 address.

certificate (state only)

Note

requires a Product License.

List of X.509 certificates.

subject (state only) (pushed)

The subject of the certificate.

vsr> show state pki certificate <string> subject

issuer (state only) (pushed)

The issuer of the certificate.

vsr> show state pki certificate <string> issuer

validity-not-before (state only) (pushed)

The validity period of the certificate: not valid before this date.

vsr> show state pki certificate <string> validity-not-before

validity-not-after (state only) (pushed)

The validity period of the certificate: not valid after this date.

vsr> show state pki certificate <string> validity-not-after

has-private-key (state only) (pushed)

Whether a private key is associated with this certificate.

vsr> show state pki certificate <string> has-private-key

certificate-request (state only)

Note

requires a Product License.

List of X.509 certificate signing requests.

subject (state only) (pushed)

The subject of the certificate request.

vsr> show state pki certificate-request <string> subject