Certificates¶
An X.509 certificate is a digital document that securely associates cryptographic key pairs with identities such as individuals, organizations, machines or services. It is used by public key infrastructures (PKI) to verify that a public key belongs to the identity contained within the certificate.
An X.509 certificate contains information about the identity to which it is issued and about the identity that issued it. Common fields found in an X.509 certificate are:
Version: the X.509 version that applies to the certificate.
Serial Number: a number that distinguishes the certificate from the other certificates of the same issuer.
Algorithm information: the algorithm used by the issuer to sign the certificate.
Issuer Distinguished Name: the name of the entity issuing the certificate.
Validity: the period during which the certificate can be trusted (start/end date).
Subject Distinguished Name: the name of the identity the certificate is issued to.
Subject Public Key Information: the public key associated with the identity.
Extensions (optional): other useful fields such as Subject Alternative Name(s) and Key Usage.
The following sections describe the operations used to manage the Virtual Service Router's local database of certificates (a.k.a. the global certificate store) via nc-cli commands.
Import a Certificate and/or private key¶
Use the cmd certificate import name <cert-name> url <remote-url> command to
import a CA or user certificate to the local database. As an example we use
this command to import two CAs named rootca and 6WIND:
vsr> cmd certificate import name rootca url http://10.16.0.190:8999/rootca.pem
OK.
vsr> cmd certificate import name 6WIND url http://10.16.0.190:8999/6WIND.pem
OK.
We can also use this command to import a user certificate user01 with its
private key in one command:
vsr> cmd certificate import name user01 url scp://10.16.0.190/user01_cert.pem private-key-url http://10.16.0.190:8999/user01_key.pem user scpuser password scppassword
OK.
or in two steps:
vsr> cmd certificate import name user02 url scp://10.16.0.190/user02_cert.pem user scpuser password scppassword
OK.
vsr> cmd certificate import name user02 private-key-url http://10.16.0.190/user02_key.pem user scpuser password scppassword
OK.
Use the show certificate list command to show the imported certificates:
vsr> show certificate list
6WIND
rootca
user01
user02
If the private key is password-encrypted, you must provide its password in the
import command with the private-key-password keyword:
vsr> cmd certificate import name user01 private-key-url http://10.16.0.190:8999/user01_key.pem private-key-password "kEE#p@$$wd!" user scpuser password scppassword
OK.
See also
The Import certificate command reference for details.
Export a certificate¶
Use the cmd certificate export name <cert-name> url <remote-url> command
to export a certificate stored in the local database to a remote location:
vsr> cmd certificate export name rootca url http://remote-server:8999/
OK.
See also
The Export certificate command reference for details.
Add a certificate¶
Use the cmd certificate add name <cert-name> data <pem-format-input> command
to manually add a certificate as a string encoded in PEM format:
vsr> cmd certificate add name user03 data "-----BEGIN CERTIFICATE-----
... MIIDazCCAlOgAwIBAgIUOittEYmcZTGUGioankW6HvDYTMcwDQYJKoZIhvcNAQEL
... BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
... GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMTA4MjcxNTEwNTFaFw0yMjA4
... MjcxNTEwNTFaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
... HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
... AQUAA4IBDwAwggEKAoIBAQCwebLs/zQB0RyVi1VJW7sT/ZUgkTg2kf/1ab312+Fh
... 1nCnMz7q5loNVm7ZJ/8+kwdGIEkCxwbZr++asN8EjKOvSNZphk7kOJbam6ui1j5C
... ollm77CF4n6urj9/mA73OJJkwkTbzzBwTcfSXephAa5lAw0z83C04WaVleBlH5c8
... RhEcwx+8dlMmBkpwuaaxFBDfXHHeu4W554PpJEY0/W1m3uaX44QvXbRZV+f6/CpM
... RpdBKsMqPvj776VDeYylHewb0MlwOadXw8YMXs7pkkRoP2AvuP0hFev8+LTj6kkG
... 4c89VX5s6DPuu/P1cLowLCnt5DppAt69nTK8Zbk4wjVJAgMBAAGjUzBRMB0GA1Ud
... DgQWBBR3c9b3DavflgTCoUEWQY6OyqXhmzAfBgNVHSMEGDAWgBR3c9b3DavflgTC
... oUEWQY6OyqXhmzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAm
... vleOmDHBChJ7at+yEQM8hmAqmupVWX3aUXaoKkGMpD8vg46uYhxxcInzBPaySblQ
... QyGLom2raUW0a27hhAucQe1ZRqpfIAvJ5/hUkztkOsUOC2nptMn9lZQvbnmGFoSR
... AQP3me3QffYVU4ozL2UeqUQV1yd91cIQOGu9DZFQOQkeVj7J5O4iAw3Xp0xxNuAJ
... GgncUQMya16UW4wbAjXpq0ZVKIWQtkZw+0ZffVfIyYUFsq3j6pFVcETa6VDrES0h
... r6phc+0OVpwUU0AQg7SJucApPNOf0KbnGyLli/e8yUtsrDouifSr29QipRiHhrOr
... eS4EeexMXu6W4TsFjpkP
... -----END CERTIFICATE-----"
OK.
We can also use this command to add a user certificate user01 with its
private key in one command:
vsr> cmd certificate add name user01 data "-----BEGIN CERTIFICATE-----
... MIIDGDCCAgCgAwIBAgIIGg4FzJUi290wDQYJKoZIhvcNAQELBQAwLjELMAkGA1UE
... BhMCRlIxDjAMBgNVBAoTBTZXSU5EMQ8wDQYDVQQDEwZyb290Y2EwHhcNMjMwOTA4
... MTI0NDM3WhcNMjYwOTA3MTI0NDM3WjArMQswCQYDVQQGEwJGUjEOMAwGA1UEChMF
... NldJTkQxDDAKBgNVBAMTA2R1dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
... ggEBAKdrtpa7ZDOeckixzaOlFTyG/XYUOY2wIqEdUvorx0CSVioYU/gVUpLoQeZ/
... xSS2HbpnoqMPU2i+iY2r4J6aU6rVmpQR4ttAf0zlliyrbq3nUYjKmoQZqqb2uRmN
... uqqkGOXMF+cIen1Tun6uqdyAw0KHTokslgG9JgDAaG8utFTSs81cQRLaPAmUXiVv
... Ciq3xuh7mf9rnPtCk21JL6OGWXJhSVcVpoImu7X4brQEqTIaQnpprK6569sxxm3t
... F45kNAGWlZiOCupACbIkVWM/nwoF0vxo4traur9jADUDJZtaGRfBwlwZZNAO7XK+
... WsdCT3wiRy1oBp2CQCO7EEkdgbcCAwEAAaM9MDswHwYDVR0jBBgwFoAU3b0cdvBm
... 7pqrGL/87K8AgYAN05AwGAYDVR0RBBEwD4INZHV0LjZ3aW5kLmNvbTANBgkqhkiG
... 9w0BAQsFAAOCAQEAyA05wtha7ewEt2BEKHLMhxeKOH/QEB7P0NpuuJWYpOL9qopp
... G0a1PUG1uQwvUM/c4Z2WgpQ/HsP/2Wc9q8B7dLBCYApmEssRVDJHQdBO6cxSlOm6
... pNyHO2ch1LPV2DFpY/04tqBZXrljEeATn53rhswESndiNIP6SuGRZGDTijy0L+og
... rc/w3uy3Yu9CiDgUbthvnunSshGnTsEYhHjmjvWiVclE/nagPHAZc2kuHDb8+t8M
... q5Wdzkub+ADaP8Npiz/qsxPWvgRfSFNRECk2pgn8+KNKo+yOTpgJVeLBUR6LqoA0
... 00oLbVEqiaS9FnbeBTspX+ftzEB+7Bt/dk5qFQ==
... -----END CERTIFICATE-----" private-key "-----BEGIN RSA PRIVATE KEY-----
... MIIEoQIBAAKCAQEA693UGafI9a1Kp2kJTTpLKA2jWRspar3stPRC+6Jn9UWp9/n6
... DCVZWHzYqNGtnCbMk8s4Do/HhDv9dOwRuHxprxhkHHr6y6k/AB4Gut+rXqGo3tPd
... +0kQzdxiEYdIaTljSESDD6WPEUL2Q5L/LioUaSHm5UOGlKtMx46EAuB/BYSowOtc
... RsRolrTvorHxwldnp0BBaGAXEQUO+9jlXWKJO5p9Hpl0FqWq4SgsNMI0Rsg0HYNF
... biZ4O+9lQAjGx1sBfS6m4Lc5K7xa9t3SyH9K/vbV2RO1Nn97gDcQK5ymUk9EV3x9
... L3sJn2TfP2qmogNrlCn65mhEScy5hUru0uHI4wIDAQABAoH/VPQTaLTA3SqC3Xc8
... 194Hd/0vxJdb+SDiOasz6CM+rE3WBV/+Nwh3gDLJou9tTouV2JnzU+sOH3MGlrmc
... /z5PPneu8tAwxogISxHJqEOJjChENmn13YsWzrDxKdInnQeJzIqoVXgLiKUMSMlR
... MGNtEGdtNIkHdOBjp3gO29vhmSnKC81djHa0OKjTIQqWN2HcSmlobDfy4D2Gn5s+
... D2bDrrW87yzTMc+E+XftR3k40AqUGow6bH9QjQOiqlFlFNQCM9YIJKMMHe4DWU8p
... AdUPshTXV4U+xJTFMYAB2UASEr9UK0eAGAbG0grop/qzk1fv6ZCsmoTBJoh8RiJq
... fF5VAoGBAP+ec58r8GmA+r9XrZ/gFTwDEo+qBEtuRaXPK1Rpy7OsLa6DGJZrUfWE
... cNWgzHuC/XJBtfgBF2E8s09jpmxZbY9zC5/lLdEMh+5IWJWThDULOi66LzT5sADl
... TTolUHKdIahycy3vxWEpmQbmLPSozGVFx8tTm+0y0ITM4JIFUKptAoGBAOw31sns
... Xx63UI7yJlYPEnc7PqRO+lEZHEJW6Vz/qHas/gLHrsV9Swbx7D+nZA+D7ivwY4cs
... Dcp8xjjBRaVDf0LiKGNV/QcFU2s7tHaeq3NQ/HVSFExXYBaoUzOrhBgKBOxMPTvZ
... FlzxMou9O9yZr+OhNccuiuDDqMqySbP9Hy6PAoGBAIP4H0NfIPinQU2GC7qNqwjX
... oT6QjTUQUl7fTUSAdk1lqBP/1LLb5211GfgA03E02HqjmDnY/mQSPZTQIryvktPL
... loXPgU77RDZuHWXjyg7EpB45u2ODQS3FNJC/cQArRZQ8umBN+L5IBpw8O5t4hkYG
... t7aujMLySBs31v0sR1AlAoGAMsgaU9SN6mOMXP6vwSaCWMGSyO31oEOesKBQkN6h
... T8oG3YAiEXDLFVYi7NhGiZNaO3X1X5TX7iT+1Cqwl0O4cx99gUV2HPFHKrFuLWYV
... A7hwXaRkmrjZ/mT3Zg9EWYql3krRizEzPo3XyPTIjrc3ed8pWYWm84T8n37Om3Qa
... JP8CgYAbaF0PLMeb6P9HvHB7QIALuHJhTksRhBe58P3+UdZv32XSwg7Dw/JriUYa
... y+3tCbZg8TQleF7wARDOXKK1wHbQx+174fF4MmJGJR7+BjJwnKStt+iZ5VFgaXiL
... oVHArQyT28hcsOa/cY7wD6939J0NSE/iLpZFJ4pFUK5p0EbyCQ==
... -----END RSA PRIVATE KEY-----"
OK.
or in two steps:
vsr> cmd certificate add name user01 data "-----BEGIN CERTIFICATE-----
... (...)
... -----END CERTIFICATE-----"
OK.
vsr> cmd certificate add name user01 private-key "-----BEGIN RSA PRIVATE KEY-----
... (...)
... -----END RSA PRIVATE KEY-----"
OK.
If the private key is password-encrypted, you must provide its password in the
add command with the private-key-password keyword:
vsr> cmd certificate add name user01 private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
... MIIFLTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIpx1zr7fEn2UCAggA
... MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBD4RjV7qLJnQVJVwhycLdfjBIIE
... 0AHY3K4OpmhnBZdQSQkQuJrKSeCmVUS5CxZSlSQpBGCENyb1VK5UN3eRXKEeAOmi
... LqOR48gYF+KhgAAudCuVmYIC11zA2r4QATuuJb/irhQiZeAFU+p9b1HGINKozIk5
... Sc7xfEPmdEDNySrDOwqs4tyIH9U10aYN/Rvxs0NLUV7VnjWWAO67jnqY39thgkFj
... XruEKxRIqNFqdr68xr3syDUYkb8dFFQuN5QcjwTgDV6x0zWIkxT165ye5OKUi99n
... 6AOFFjrUuzmcSqXhrCcjAHnXYbVn7QKtmE1M/nZKrr+NGCUhhS5R4nWSwQaL1iD4
... JcdGvl45/DPQheMT2LMkSaB3PEX+vhYqjFpSYWffStAhedEIL5prKIItlXPqnDbv
... v/f20hN6QWSS8c/oqXqerPLy1vtGmm644vNYnccyTpsEKUIQH5Jpol2LP3Iep+7L
... qOVz5k592Sqy0HX39O9Su3ZLvv8Eaj3eFGVBwPAnyWJAY0eO7nNtTz0SjEn/+nAC
... 2PP9LEwdieyNw0IhbLQ+o5eO5I1uSKVGQmfmMSzRCS3uDFFDf5hysx7slMBOvZXo
... SCVXN5ZaOpBnb85a2qm1V7hXUKF0jLDtBy/v44Q/F2Qd4lL6VYBQCWmzdMZnfWLU
... f7Z2aJZXf81ddRrWTZhdKmIRrM490H1NdxHcS2G3RWHc6prmsmCsb6ZsQWd9x4qg
... RXcRUOyp3ZgHPs0XwGCSunOiDbfZLXketigUsuWzDYaKxw9QcHFB/xXFJwq8RYnL
... fAZGMHBYM2X0vsuLwfb6hqrfBGZItyo2cYonke2djV/07yEVnFwLFeuqX2pMGd7B
... PIA2cRJjznkIlZSyXRgSEy4Iesp0UsOIHYlGSYUr5YPzic+3MCWE+YLQbOjNB0yb
... aw2G2HrpkfZW+yjFT+P/UDIc4cMuMAxyUhAIQqFRdUlZp+stjQxwjM7nBYGo5ooL
... SIsfycrf44DfD6f9UheQGhTWKRZn9T3zXS6YhCruBJXA9FHqWYQ32S3ceUhLEx44
... /2PCIMZ8PEcJULFxAnVzL81AFdxup39YDLtI6nhVy16V6GBnT/mgSooQWqS5JAqb
... 3CrEgafdh/Pczc4f9B7qTZz9/isHAjy6hb449h1p764Oiycwdjhenpj9m58oMvEx
... KedVX5MOPbvtUJHxc7N9jry3uhhLDURgdUDCAb3CuIKLhhL3LoKIIIA7STZ9/E0z
... 4ifqUU3JN/Ox051cokoXKsh6nAsMTUMTQG+CRFjsZ17NbrhVSmly9+72pFgj9hLV
... bz4yRND/3yo2BHLNKHpbw/XaS/ZasIqwgzhlXOUF5ZsQNNBQ/cwzdA9e8t4JfeyH
... 0tAMixIJYfVkYRnPwXrk38mJSSEOKit2oEH1ZQMzH/uzNqrJPGZBu15SY/C4dJCi
... 2PFgiIpKd6FDoTR8YWdbLiL6tl4LorlAtyvNpXr62i/KYJjTlPVyR+NVpgQWVIMj
... BfjbDrumTpjDk7STXxrfDXzIRLNyKKa1+dDQjnFc86rWFggyp+YfWD2D7qXwhqmH
... su99XnJ01H3U2wdOBH5iS8jA73PlAAqjHkjS1ZABp13einK5ZDUqywv8yjE3olTS
... m+7jir9EoI9sDGQGMpcOPT6AodBOSg1YN7ewPQIfKwmY
... -----END ENCRYPTED PRIVATE KEY-----" private-key-password "kEE#p@$$wd!"
OK.
See also
The Add certificate command reference for details.
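The private-key-password rule above applies to both the import command (private-key-url) and the add command (private-key). The check below, an added example and not 6WIND code, inspects a PEM private key before a scripted add so that the keyword is supplied exactly when the key is encrypted. It recognises the two encrypted encodings in circulation: the PKCS#8 ENCRYPTED PRIVATE KEY block used on this page, and the legacy OpenSSL form, whose BEGIN line does not change and which is only recognisable by its Proc-Type and DEK-Info header lines. The sample PEM inputs are constructed: their header lines are real, their base64 bodies are placeholders, and the function names are this example's own.

```python
# Added example (not 6WIND code): decide, before scripting a certificate add or import,
# whether the private-key-password keyword will be required for a given PEM private key.
import re


def private_key_kind(pem):
    """Return (needs_password, kind) for the first private-key block in pem.

    Two encodings carry a passphrase: a PKCS#8 'ENCRYPTED PRIVATE KEY' block, and the
    legacy OpenSSL form, whose BEGIN line is unchanged but which inserts
    'Proc-Type: 4,ENCRYPTED' and 'DEK-Info:' header lines right after it.
    """
    block = re.search(r"-----BEGIN ((?:[A-Z]+ )*PRIVATE KEY)-----\n(.*?)-----END \1-----", pem, re.S)
    if block is None:
        raise ValueError("no private-key block found in the PEM input")
    label, body = block.group(1), block.group(2)
    if label == "ENCRYPTED PRIVATE KEY":
        return True, "pkcs8-encrypted"
    if any(line.startswith("Proc-Type: 4,ENCRYPTED") for line in body.splitlines()):
        return True, "legacy-encrypted"
    return False, "pkcs8" if label == "PRIVATE KEY" else "legacy"


def add_command(name, key_pem, password=None):
    """Assemble the cmd certificate add arguments for a private key, appending
    private-key-password only when the key actually needs one; a password given
    for an unencrypted key is dropped rather than sent to the CLI."""
    needs_password, kind = private_key_kind(key_pem)
    if needs_password and password is None:
        raise ValueError(f"{kind} key is encrypted: private-key-password is required")
    cmd = f'cmd certificate add name {name} private-key "{key_pem}"'
    return cmd + (f' private-key-password "{password}"' if needs_password else "")


# Constructed samples: the header lines are real, the base64 bodies are placeholders.
PKCS8_ENCRYPTED = """-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFLTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIpx1zr7fEn2UCAggA
(remaining base64 lines omitted in this constructed sample)
-----END ENCRYPTED PRIVATE KEY-----"""
LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

(base64 body omitted in this constructed sample)
-----END RSA PRIVATE KEY-----"""
LEGACY_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
(base64 body omitted in this constructed sample)
-----END RSA PRIVATE KEY-----"""
```

The legacy case is the one that trips up scripts: such a key starts with the same -----BEGIN RSA PRIVATE KEY----- line as an unencrypted one, so checking only the block label would send the key without a password and get a failed add.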
Delete a certificate¶
Use the cmd certificate delete name <cert-name> command to delete a certificate
from the local database. In this example we delete the certificate user01 stored earlier:
vsr> cmd certificate delete name user01
OK.
See also
The Delete certificate command reference for details.
Rename a certificate¶
Use the cmd certificate rename name <cert-name> new-name <new-cert-name>
command to rename a certificate.
The certificate remains in the same certificate store and scheduled automatic updates via an online enrollment protocol are preserved.
In this example we rename the certificate user01 to userbob:
vsr> cmd certificate rename name user01 new-name userbob
OK.
See also
The Rename certificate command reference for details.
Show certificate list¶
Use the show certificate list command to list the certificates stored in the local database.
These certificates may have been imported with the cmd certificate import command
or installed by another service:
vsr> show certificate list
6WIND
rootca
user02
user03
..
See also
The Show certificate list command reference for details.
Show certificate content¶
Use show certificate name <cert-name> to show the content of a certificate.
The output format may additionally be specified:
details: display the details of the certificate in human-readable form (this is the default).
pem: display the certificate in the PEM format.
vsr> show certificate name 6WIND
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
04:54:ca:5f:55:97:1c:09:67:1b:d6:ab:ad:50:f7:9d:6e:96:72:79
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: "CN=6WIND"
Validity:
Not Before: Thu Aug 12 12:49:41 2021
Not After : Fri Aug 12 12:49:40 2022
Subject: "CN=6WIND"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
d7:22:f8:56:fb:06:8c:2d:28:2a:44:9c:28:40:79:96:
(....)
55:93:79:05:74:f9:63:88:96:66:d1:30:00:4f:d0:d0:
Exponent: 65537 (0x10001)
Signed Extensions:
Name: Certificate Basic Constraints
Critical: True
Data: Is a CA with no maximum path length.
Name: Certificate Authority Key Identifier
Key ID:
c9:4f:b9:85:92:d0:de:2a:28:76:e6:2c:2c:7f:c0:20:
73:a4:71:b1
Name: Certificate Subject Key ID
Data:
c9:4f:b9:85:92:d0:de:2a:28:76:e6:2c:2c:7f:c0:20:
73:a4:71:b1
Name: Certificate Key Usage
Critical: True
Usages: Digital Signature
Certificate Signing
CRL Signing
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Signature:
a5:6c:26:6a:ef:6d:f1:75:7d:f9:a5:57:69:c0:19:97:
(...)
fa:2a:88:11:26:f7:c1:f4:cf:8f:4d:31:c5:42:ce:26:
Fingerprint (SHA-256):
E2:E2:D8:0D:B0:...:2D:05:56:96:F6:21:5D:EA:62:B9
Fingerprint (SHA1):
6C:EB:86:6A:C5:...:0A:9A:43:6E:2A:14:0C:F8:B9:4F
..
Add the pem option to print the certificate in the PEM format,
show certificate name <cert-name> pem:
vsr> show certificate name 6WIND pem
-----BEGIN CERTIFICATE-----
(...)
-----END CERTIFICATE-----
See also
The Show certificate detail command reference for details.
Show certificate private key¶
Use show certificate key name <cert-name> to show the private key of the given
certificate.
The output format may additionally be specified:
pem: display the private key in the PEM format (this is the default).
details: display the details of the private key in human-readable form.
vsr> show certificate key name user01
-----BEGIN PRIVATE KEY-----
(...)
-----END PRIVATE KEY-----
Add the details option to print the details of the private key,
show certificate key name <cert-name> details:
vsr> show certificate key name user01 details
Private-Key: (2048 bit, 2 primes)
modulus:
00:b0:79:b2:ec:ff:34:01:d1:1c:95:8b:55:49:5b:
bb:13:fd:95:20:91:38:36:91:ff:f5:69:bd:f5:db:
e1:61:d6:70:a7:33:3e:ea:e6:5a:0d:56:6e:d9:27:
ff:3e:93:07:46:20:49:02:c7:06:d9:af:ef:9a:b0:
df:04:8c:a3:af:48:d6:69:86:4e:e4:38:96:da:9b:
ab:a2:d6:3e:42:a2:59:66:ef:b0:85:e2:7e:ae:ae:
3f:7f:98:0e:f7:38:92:64:c2:44:db:cf:30:70:4d:
c7:d2:5d:ea:61:01:ae:65:03:0d:33:f3:70:b4:e1:
66:95:95:e0:65:1f:97:3c:46:11:1c:c3:1f:bc:76:
53:26:06:4a:70:b9:a6:b1:14:10:df:5c:71:de:bb:
85:b9:e7:83:e9:24:46:34:fd:6d:66:de:e6:97:e3:
84:2f:5d:b4:59:57:e7:fa:fc:2a:4c:46:97:41:2a:
c3:2a:3e:f8:fb:ef:a5:43:79:8c:a5:1d:ec:1b:d0:
c9:70:39:a7:57:c3:c6:0c:5e:ce:e9:92:44:68:3f:
60:2f:b8:fd:21:15:eb:fc:f8:b4:e3:ea:49:06:e1:
cf:3d:55:7e:6c:e8:33:ee:bb:f3:f5:70:ba:30:2c:
29:ed:e4:3a:69:02:de:bd:9d:32:bc:65:b9:38:c2:
35:49
publicExponent: 65537 (0x10001)
privateExponent:
7b:39:df:68:81:a3:0d:09:b9:4d:ea:e6:f8:bc:66:
db:44:9c:97:0b:10:17:7a:c7:21:d4:5e:62:88:d0:
ce:02:70:d3:2f:83:65:7e:c7:ae:bc:85:d6:78:89:
50:66:56:13:ef:83:4b:bf:31:d7:5b:74:91:ad:a3:
6c:87:cf:dc:1b:9e:2c:3d:2e:65:49:e6:7c:6b:6a:
e3:df:79:c6:09:9b:27:b7:82:a9:5a:48:5f:2d:29:
05:ad:65:f5:d6:b8:d2:46:9c:d2:67:d0:48:fa:e6:
e6:cb:d1:57:3f:57:49:0d:62:70:be:32:1a:fb:b1:
28:0e:69:8b:f3:0d:25:76:16:98:2f:8d:6d:4c:74:
be:ba:6f:93:d0:8f:05:2b:b7:1f:78:1c:df:1f:d8:
85:53:a4:e1:cb:39:cb:de:93:40:a8:91:97:a2:fb:
ce:62:4e:53:03:d3:e0:63:7c:20:71:d9:95:08:a1:
81:e7:c9:4c:ed:27:0b:86:0f:99:5d:a6:33:9c:1b:
61:88:ed:55:ca:01:f5:c0:fa:4d:08:03:9c:26:22:
3a:5a:39:85:6d:8f:8f:b1:11:d1:63:0a:30:20:6b:
e8:9f:e1:08:83:23:3a:2c:17:d5:6d:a9:91:f1:85:
80:f9:a0:93:f3:26:c0:15:a2:62:ce:d5:59:05:f2:
09
prime1:
00:da:3f:4c:35:36:ee:5b:5b:e9:23:44:66:7c:77:
84:bb:34:90:8f:8b:29:4c:22:f6:36:00:c2:bd:f4:
ae:35:b8:e6:69:20:87:3a:dc:64:3a:ae:54:c9:0c:
8d:7f:20:6b:15:2a:f5:09:29:4c:61:ba:4e:4c:51:
70:c2:c8:91:34:ba:fa:2a:35:92:37:05:3a:19:91:
e3:da:1c:a3:c9:96:7a:ca:ff:f7:56:e0:18:c7:c4:
8d:02:0b:99:77:56:c8:ac:84:3c:20:ce:d6:e3:eb:
02:9c:c0:e8:86:0f:20:c4:24:7e:a8:4b:0f:e1:53:
03:8d:c4:49:4d:cc:09:e5:83
prime2:
00:cf:00:9b:30:d8:bd:44:d3:5f:07:34:ea:af:08:
20:33:0b:3b:9b:d8:23:3a:43:fa:f2:8e:e8:49:63:
9b:44:f9:c0:0b:2a:4a:c7:a1:f3:c6:c5:42:57:4e:
e1:13:d9:82:f3:d2:82:15:77:19:aa:37:72:44:63:
82:e4:3f:2d:ce:e6:78:4f:61:4b:fb:05:21:24:84:
ef:a6:6f:fd:08:3d:27:a4:5d:cb:3a:32:f1:01:ff:
df:13:49:28:04:85:66:6f:80:ad:74:cc:26:c0:37:
03:da:d6:a7:55:cc:04:b2:ea:8d:78:88:1b:01:b1:
d2:a8:4f:e0:67:93:a3:0c:43
exponent2:
08:60:61:e7:4c:1d:fc:97:01:15:6d:92:c1:9a:76:
93:1a:35:43:4d:2f:bf:bf:d8:7b:d0:44:9e:13:a5:
c8:d8:c2:68:b1:41:6d:6a:a4:4e:ba:d4:c0:6b:b4:
b7:f4:e9:53:ac:85:0f:11:4e:bc:90:99:d3:22:a3:
bd:50:c1:2d:ca:2d:bc:28:97:c6:84:a2:9e:b3:b2:
6e:ed:c1:33:80:26:06:84:b5:20:99:c7:1e:e9:97:
c1:54:08:86:86:4f:6a:db:ae:29:37:c9:a9:a5:90:
46:5e:c1:4e:bb:7e:c5:2e:b0:a2:db:ff:1b:c6:72:
5b:d5:3f:a3:71:59:fb:b9
coefficient:
7f:0b:69:b4:7d:26:5c:85:71:f5:92:fd:5f:d4:f5:
bb:36:df:1e:a1:4d:ae:23:a8:43:92:b2:bc:2d:c1:
d2:f9:98:4b:3d:c3:a8:f5:f9:fe:5f:cf:48:ff:a5:
e8:8f:2c:ca:32:b8:53:51:f3:63:3d:2f:61:3a:4f:
60:af:6a:be:d3:51:0f:d5:57:7f:0b:c2:45:2c:15:
68:80:04:f5:cf:1a:49:a8:27:0d:fd:18:ec:54:68:
ff:06:b8:93:19:0d:95:38:12:55:1e:49:c5:f4:60:
26:49:9e:54:99:9d:4b:6e:b6:45:0b:b7:1e:4a:6e:
fb:88:8c:2f:cc:e3:1c:6a
See also
The Show certificate key command reference for details.
CA certificate stores¶
By default, all EE and CA certificates are stored in the same store: the global certificate store.
However, not all services are supposed to trust the same authorities. Some services, like IKE, trust all CA certificates in this store by default.
It is therefore possible to install CA certificates in different CA certificate stores, in order to create different trust anchors.
Certificate names are unique across all certificate stores (the global certificate store and CA certificate stores). A certificate can be referenced by its name regardless of the store in which it is installed.
Create a CA certificate store¶
To create a CA certificate store named myta, use the following command:
vsr> cmd ca-certificate-store add name myta
This creates a new CA certificate store and returns an error if it already
exists. No error is returned if the store already exists and the force
option is set.
Note
A CA certificate store cannot be named global.
The name global is reserved for referring to the global certificate store.
Adding a certificate in a CA certificate store¶
The commands to manually add or import a certificate can specify in which CA certificate store it should be installed.
Manually add a certificate in CA certificate store myta:
vsr> cmd certificate add name mycacert1 certificate-store myta data "
... -----BEGIN CERTIFICATE-----
... (...)
... -----END CERTIFICATE-----
... "
If the CA certificate store does not exist, then it is created.
Import a certificate in CA certificate store myta:
vsr> cmd certificate import name mycacert2 url http://10.16.0.190:8999/mycacert2.pem certificate-store myta
Note
Only CA certificates may be installed in a CA certificate store.
List CA certificate stores¶
To list the CA certificate stores, use the following command:
vsr> show ca-certificate-store list
myta
List certificates in a CA certificate store¶
By default, the show certificate list lists all certificates, in all stores.
To only list certificates in the global store, type:
vsr> show certificate list certificate-store global
To only list certificates in the CA certificate store named myta, type:
vsr> show certificate list certificate-store myta
mycacert1
mycacert2
Delete a CA certificate store¶
To delete a certificate store named myta, use the following command:
vsr> cmd ca-certificate-store delete name myta
This will delete a CA certificate store, and return an error if it does not
exist or is not empty. If option force is set, the command first deletes all
certificates in the CA store, then deletes the store itself, and does not
complain if the store does not exist.
Certificate Authority profiles (ca-profiles)¶
A CA is in charge of delivering signed certificates to EEs or sub-CAs (either manually or online) after verifying their credentials, but also to renew and possibly revoke their certificates.
A ca-profile makes it possible to define various information about a CA, such as
certificate revocation URLs (a.k.a. CDPs) or the parameters of
certificate enrollment.
Certificate Authority profiles are defined in the pki configuration context.
Configure CRL distribution points¶
A CA must in particular issue a list of revoked certificates in the form of a CRL in the PKCS #7 syntax. The CRL is commonly downloaded in the PEM format from a file server.
The download URLs (called CDPs) are usually embedded in the EE certificates signed by the CA, in the X509v3 CRLDistributionPoints extension; if they are not, they must be provided separately.
A CA profile makes it possible to provide additional information about the CA that is not embedded in its certificate, such as its CDPs.
To provide the CDPs of a CA whose certificate is installed on the
Virtual Service Router, create a ca-profile by the same name:
vsr running config# pki
vsr running pki# ca-profile rootca
vsr running ca-profile rootca# revocation
vsr running revocation# crl
vsr running crl# url http://pki1.example.com/rootca/crl
vsr running crl# url http://pki2.example.com/rootca/crl
vsr running crl# commit
vsr running pki# /
vsr running config# show config pki
pki
ca-profile rootca
revocation
crl
url http://pki1.example.com/rootca/crl
url http://pki2.example.com/rootca/crl
..
..
..
..
The ca-profile information in the example above is used by the IKE service,
in all VRFs where IKE is enabled and trusts the CA certificate rootca
from the certificate store (it is not used if a certificate named rootca is
locally defined in the IKE context).
The IKE service in all VRFs will therefore download a CRL from one of
the listed CDPs to validate certificates presented by remote peers, that
were signed by the CA certificate rootca.
Note
The CA profile may be defined or modified before or after the rootca
certificate is installed.
Configure requested certificate extensions¶
The X509v3 extensions to request when enrolling a certificate (manually or
online), may be specified in a ca-profile, in the certificate-extensions
section. The requested extensions may be specified as follows:
vsr running config# pki
vsr running pki# ca-profile rootca
vsr running ca-profile rootca# certificate-extensions
vsr running certificate-extensions# key-usage
vsr running key-usage# critical
vsr running key-usage# digital-signature
vsr running key-usage# key-encipherment
vsr running key-usage# key-agreement
vsr running key-usage# ..
vsr running certificate-extensions# extended-key-usage
vsr running extended-key-usage# server-auth
vsr running extended-key-usage# client-auth
vsr running extended-key-usage# ..
vsr running certificate-extensions# subject-key-identifier hash
vsr running certificate-extensions# commit
vsr running certificate-extensions# exit
vsr>
vsr> show config / pki
pki
ca-profile rootca
certificate-extensions
key-usage
critical
digital-signature
key-encipherment
key-agreement
..
extended-key-usage
server-auth
client-auth
..
subject-key-identifier hash
..
..
..
These extensions will be requested when performing manual or online
enrollment with this ca-profile.
Configure data for online enrollment¶
Several commands make it possible to enroll or update certificates online.
The parameters of the enrollment server and of the CA are retrieved from a
ca-profile stored in the configuration.
Example:
vsr> edit running
vsr running config# pki
vsr running pki# ca-profile rootca
vsr running ca-profile rootca# cmp
vsr running cmp# url http://pki-host:8080/cmp/client
vsr running cmp# server-certificate 6WIND
vsr running cmp# commit
vsr running pki# /
vsr running config# show config pki
pki
ca-profile rootca
cmp
vrf main
url http://pki-host:8080/cmp/client
server-certificate 6WIND
install-ca-certificates true
..
..
..
More details are provided in the online enrollment paragraphs.
Manual enrollment and update via Certificate Signing Requests¶
The standard method to manually request a certificate from a CA while keeping the private key local and secret is to generate a key pair and a CSR, provide the CSR to the CA (for example by copy/pasting the CSR in a web interface), then add or import the certificate generated and signed by the CA.
The CSR contains in particular the user identity information that is expected
to be present in the certificate (a Subject Name and optional
Subject Alternative Names), and the public key extracted from the key pair.
The Virtual Service Router supports the PKCS #10 syntax for CSRs, described in RFC 2986.
Generate a certificate request¶
To generate a key pair and a CSR, use the cmd certificate-request generate
command.
In addition to the certificate Subject Name, a list of optional Subject
Alternative Names may be specified with the san argument:
vsr> cmd certificate-request generate name host1 subject "/O=6WIND/CN=host1" san ip:10.125.0.1 san dns:host1.6wind.com
OK.
SANs can be of the following types:
dns: domain name
email: e-mail address
uri: URI
ip: IPv4 or IPv6 address
It is mandatory to prepend a prefix to the SAN value, to specify its type
(e.g. dns:host1.6wind.com).
Use the private-key-algorithm option to specify the desired key algorithm and
size. The default is rsa-2048.
Generate a certificate request with extensions¶
To request specific X509v3 extensions, add a ca-profile argument in the cmd
certificate-request generate command, that references a ca-profile with a
certificate-extensions section:
vsr> show config / pki
pki
ca-profile rootca
certificate-extensions
key-usage
critical
digital-signature
key-encipherment
key-agreement
..
extended-key-usage
server-auth
client-auth
..
subject-key-identifier hash
..
..
..
vsr> cmd certificate-request generate name host1 subject "/O=6WIND/CN=host1" san ip:10.125.0.1 san dns:host1.6wind.com ca-profile rootca
OK.
vsr> show certificate-request name host1 details
Certificate Request:
Data:
Version: 1 (0x0)
Subject: O = 6WIND, CN = host1
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e4:1a:41:b7:41:cd:66:59:89:14:a2:2f:6b:ac:
6d:4a:29:9e:f1:c6:49:e3:e2:70:b5:10:b7:e5:db:
5b:f7:ec:d2:a5:4f:73:2f:98:99:8a:5b:92:d8:1a:
06:4b:ab:22:c0:19:8d:e7:02:42:1b:76:5f:80:d1:
9a:2c:79:2d:d6:37:a6:3c:a5:81:09:28:a6:15:dd:
ea:2f:a3:ee:8d:ae:a7:79:d0:74:2d:8c:4c:74:df:
b8:21:3e:46:6f:19:85:d3:06:b4:de:86:0e:40:c2:
6d:7a:ae:f7:4d:4f:3e:67:6f:a2:e1:9c:a1:3f:92:
2e:26:b5:b2:39:5b:d7:44:fd:49:a9:a7:b5:6a:7b:
3a:5f:91:86:81:cb:1c:28:69:f1:da:07:6a:fc:ac:
2f:9d:ef:9f:5b:98:61:2f:86:cf:23:83:c2:be:53:
42:5c:6f:ab:39:97:eb:5a:04:95:23:a8:1e:ef:95:
8e:7f:4d:6b:52:e9:c5:89:87:91:37:df:4f:1d:17:
b4:88:df:b6:37:ed:e2:07:1a:d4:23:91:8c:de:9b:
59:3d:39:79:09:ec:e7:0a:57:36:02:94:67:54:09:
ce:be:02:7a:6f:65:34:31:4d:e4:bf:bc:d5:26:f0:
46:c4:4e:6c:ed:48:af:aa:72:9d:db:6d:b7:cf:aa:
9e:ff
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Subject Alternative Name:
IP Address:10.125.0.1, DNS:host1.6wind.com
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Key Agreement
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Key Identifier:
C4:5D:EC:6A:65:D7:05:7E:C4:1A:7C:E3:D6:40:9D:5E:58:CE:FA:0B
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
a0:56:9e:fd:4b:27:4d:56:5b:d9:e3:84:3c:df:0b:8b:90:7d:
69:e1:ca:a5:e5:ce:cc:71:b1:53:21:fb:e5:29:5a:4c:df:7e:
32:63:13:74:a1:47:21:8b:72:f6:f2:7a:f6:66:3e:00:a6:98:
1a:15:eb:fd:ed:70:1e:51:51:e2:70:0f:fe:57:44:4f:0d:d8:
5b:4b:69:31:f4:03:48:3d:0b:33:14:f2:ef:63:05:1b:43:31:
be:b7:11:d3:66:ea:d6:50:a5:70:6f:c3:d8:b6:fb:6a:bf:9d:
ae:f7:97:30:4f:90:42:b4:87:27:88:65:1a:c8:48:42:03:f9:
83:d4:9b:9f:97:50:df:5c:13:10:d9:32:73:38:d6:dc:29:c2:
f0:0d:91:67:eb:f4:c7:6e:38:37:8f:05:fe:70:b0:35:f7:43:
5f:6f:4e:82:c2:da:bd:18:9b:2c:35:a4:0b:be:04:c1:11:82:
f2:46:8f:71:d1:8e:64:52:f2:45:1c:60:0b:9d:74:25:ae:96:
a6:a1:d6:65:d4:f6:27:0a:41:67:cb:31:90:64:7d:92:7c:24:
00:9e:dd:83:22:72:71:20:91:4a:32:e2:f6:ac:c5:e9:09:c5:
f0:12:9c:7a:a7:86:4e:71:d1:3c:c1:c9:8d:56:4d:c2:d6:8f:
f6:c9:2d:d7
Display a certificate request¶
The pending certificate requests may be listed as follows:
vsr> show certificate-request list
host1
A certificate request may be displayed in the PEM format:
vsr> show certificate-request name host1
-----BEGIN CERTIFICATE REQUEST-----
(...)
-----END CERTIFICATE REQUEST-----
This output will typically be copy/pasted to the web interface of a CA, to generate a signed certificate.
To display it in a human readable form, add the details keyword:
vsr> show certificate-request name host1 details
Certificate Request:
Data:
Version: 1 (0x0)
Subject: O = 6WIND, CN = host1
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:f4:55:ec:5d:c8:dc:9c:8d:5f:b7:56:fd:fb:93:
(...)
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Subject Alternative Name:
IP Address:10.125.0.1, DNS:host1.6wind.com
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
cf:23:aa:88:40:2f:07:61:26:7b:c4:23:f3:0c:d4:b8:6e:ee:
(...)
The private key associated with the certificate request may be displayed in the PEM format:
vsr> show certificate-request key name host1
-----BEGIN PRIVATE KEY-----
(...)
-----END PRIVATE KEY-----
To display it in a human readable form, add the details keyword:
vsr> show certificate-request key name host1 details
Private-Key: (2048 bit, 2 primes)
modulus:
00:f4:55:ec:5d:c8:dc:9c:8d:5f:b7:56:fd:fb:93:
(...)
publicExponent: 65537 (0x10001)
privateExponent:
6d:36:58:cc:04:c3:a3:50:47:c7:cd:e1:01:c9:d0:
(...)
prime1:
00:fd:b0:e8:c7:4b:73:63:5b:18:10:ef:ea:c5:9b:
(...)
prime2:
00:f6:8f:37:5c:11:9a:c2:aa:a4:98:bb:11:c2:e7:
(...)
exponent1:
2d:64:0f:e2:48:bf:b6:91:3f:f7:17:d6:3b:d1:13:
(...)
exponent2:
00:c6:6e:2c:97:a4:73:71:07:f4:c0:16:8e:0c:d6:
(...)
coefficient:
00:e0:e6:78:69:25:bd:d0:9d:83:11:83:73:c6:f3:
(...)
Export a certificate request¶
As an alternative to copy/pasting the CSR to the web interface of a CA, the
CSR may be exported to a file server, via the cmd certificate-request export
command:
vsr> cmd certificate-request export name host1 url http://remote-server/host1.req
OK.
Import or copy/paste the signed certificate¶
Once generated and signed by the CA, the certificate may be installed, either
via a cmd certificate add command in which the certificate is copy/pasted in
the PEM format, or via a cmd certificate import command.
If the certificate name matches a certificate request name, then the Virtual Service Router verifies that the CSR key pair matches the certificate key. If they match, then the certificate is installed with the CSR private key, and the certificate request is deleted.
Manually install the certificate via a copy/paste:
vsr> cmd certificate add name host1 data "-----BEGIN CERTIFICATE-----
... MIIDFTCCAf2gAwIBAgIIPz0uQc+/2/EwDQYJKoZIhvcNAQELBQAwLjELMAkGA1UE
... BhMCRlIxDjAMBgNVBAoTBTZXSU5EMQ8wDQYDVQQDEwZyb290Y2EwHhcNMjMwNjE1
... MTIzMjQ2WhcNMjYwNjE0MTIzMjQ2WjAgMQ4wDAYDVQQKEwU2V0lORDEOMAwGA1UE
... AxMFaG9zdDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD0VexdyNyc
... jV+3Vv37k5G0Aa6Bpv1xE+U+RvBlFz23vPRGdm27oUKYD8L2G001h/sS6VfwbJqy
... apZvbfhZ1TtuVma0WjXR38sE2VmPr3nL/QT2yQV42NhoL1XByXYR0Jtgk4IHk3k7
... go8AJswXsPupTvSfNcnX/8V6YNOiIxABSUzZtQBcqmgds2QB3961UYPGHKJyeA75
... d8h/NyHi8ykDbYjwukgNS7CdyYLojmhRdZ9fkHrdiBzsKh+6x+rZ451Jx49BQ42S
... lDKsIuQ7WG6EEPpJcF9MDkypdIUyK5mkLbHcnGWbOhrVJVw5yYGrMB+hPL25gEA6
... k+zICaWUfusdAgMBAAGjRTBDMB8GA1UdIwQYMBaAFOGEMLU7m4VUYIJBZatiB5eh
... gW4oMCAGA1UdEQQZMBeHBAp9AAGCD2hvc3QxLjZ3aW5kLmNvbTANBgkqhkiG9w0B
... AQsFAAOCAQEAXMjI/SnVrgHoi+IkLe9mDJGfazE7mNj036rizvE0LBwhGchc1pQa
... K9MT7TgtDa9zlS1RfVyRQW1h0vCRJRWEf8iT6Lhzm9ndKX85UdeB6CkHk153r1kK
... RoUTTjpQ3PHyHHxS5zEfmiq0wKjjnIZNYXgA695LC1uwp51AyuiwrljoIOrYnOoC
... DYTlpSXQ73FuMhbMtBQl+ru8ob0gsyNzDreh9ZK+gLdzraKsDtm6Grah6TJHtYAZ
... SatKve74B4Jef5VxoY9M17B4hISvdC98+PPVLexXvldzoIABIXw3Pgkp9vhcsJDJ
... 2HJpJRmPqhY6/kPO/qRBV243OYtiyn3EhQ==
... -----END CERTIFICATE-----"
OK.
Or manually install the certificate by an import:
vsr> cmd certificate import name host1 url http://remote-server:8999/host1.cer
OK.
vsr> show certificate name host1
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4556849258162019313 (0x3f3d2e41cfbfdbf1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = FR, O = 6WIND, CN = rootca
Validity
Not Before: Jun 15 12:32:46 2023 GMT
Not After : Jun 14 12:32:46 2026 GMT
Subject: O = 6WIND, CN = host1
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:f4:55:ec:5d:c8:dc:9c:8d:5f:b7:56:fd:fb:93:
(...)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
E1:84:30:B5:3B:9B:85:54:60:82:41:65:AB:62:07:97:A1:81:6E:28
X509v3 Subject Alternative Name:
IP Address:10.125.0.1, DNS:host1.6wind.com
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
5c:c8:c8:fd:29:d5:ae:01:e8:8b:e2:24:2d:ef:66:0c:91:9f:
(...)
Update a certificate¶
To manually update an installed certificate via a certificate request, generate a new certificate request, and have it signed by the CA, like for the initial enrollment.
Then install the new certificate with the cmd certificate add or cmd
certificate import command, but add the keyword force to force the overriding
of the old certificate:
vsr> cmd certificate add name host1 data "-----BEGIN CERTIFICATE-----
... MIIDFTCCAf2gAwIBAgIIPz0uQc+/2/EwDQYJKoZIhvcNAQELBQAwLjELMAkGA1UE
... (...)
... -----END CERTIFICATE-----" force
OK.
The old certificate remains installed while the request is pending. As soon as the new certificate is installed, it replaces the old one.
Online enrollment and update via CMP¶
The Certificate Management Protocol (CMP) is an Internet protocol standardized by the IETF used for obtaining X.509 digital certificates in a public key infrastructure (PKI). The CMP protocol is mainly transported over HTTP or HTTPS. The main exchanged requests are ‘Initialization Request’, ‘Key Update Request’ and ‘Revocation Request’.
The Virtual Service Router supports version 2 of the CMP protocol, as described in RFC 4210.
CA profile configuration for CMP¶
Using the CMP protocol requires configuring the CMP parameters in a
ca-profile. The rpc commands that trigger enrollments or updates refer to
this ca-profile.
Example of CA rootca, which is also the CMP server:
vsr running config# pki
vsr running pki# ca-profile rootca
vsr running ca-profile rootca# cmp
vsr running cmp# url http://pki-host:8080/cmp/client
vsr running cmp# server-certificate 6WIND
vsr running cmp# commit
vsr running cmp# exit
The server-certificate argument is the name of the CMP server certificate. It must have
been imported beforehand. It may be the certificate of the CA itself, or the
certificate of an RA.
Example of CA ca2 (with DN /CN=6WIND CA2), whose CMP server is an RA
(certificate 6WINDRA), contacted via vrf private with source address
10.150.0.1. The CA DN must be specified with the issuer argument, so that
the enrollment command can verify the delivered certificate:
vsr running config# pki
vsr running pki# ca-profile ca2
vsr running ca-profile ca2# cmp
vsr running cmp# vrf private
vsr running cmp# source 10.150.0.1
vsr running cmp# url http://private-pki-host:8080/cmp/client
vsr running cmp# server-certificate 6WINDRA
vsr running cmp# issuer "/CN=6WIND CA2"
vsr running cmp# commit
vsr running cmp# exit
To specify which certificate extensions should be requested in the initial
enrollment, add a certificate-extensions section in the CA profile as
described in Configure requested certificate extensions.
Certificate enrollment via CMP¶
To issue a new end user certificate from a given PKI, the rpc command
cmd certificate cmp enroll can be used.
This command generates a private key, then sends a CMP IR message to a CMP server to request a certificate.
If a valid response message is received, the private key and certificate are
installed with the specified name. If CA certificates are provided in the
caPubs field of the reply, then they are also installed and trusted by IKE.
The parameters regarding the CMP server and CA are retrieved from a
ca-profile, stored in the configuration. The parameters regarding the
certificate to enroll itself are provided on the command line.
In addition to the certificate Subject Name, a list of optional Subject
Alternative Names may be specified with the san argument.
The Virtual Service Router offers two authentication methods described in RFC 4210:
- Password-Based Message Authentication Code (PBM).
- Signature with a vendor certificate/key pair.
Password-Based authentication¶
To perform an enrollment with Password-Based authentication, use the cmp
enroll command in which you specify:
- a mandatory secret string, a.k.a. the IAK (Initial Authentication Key).
- an optional reference string that informs the CMP server which secret was used, a.k.a. the SenderKID (Sender Key ID).
vsr> cmd certificate cmp enroll ca-profile rootca name userEE secret password subject /CN=test/O=it san dns:*test.com san ip:10.2.3.5
vsr> show certificate name userEE
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
40:5a:ae:72:ab:ef:ce:06:02:e2:d5:e2:57:07:0d:ed:
81:8e:06:de
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: "CN=6WIND"
Validity:
Not Before: Wed Jul 21 15:53:13 2021
Not After : Sun May 01 00:00:00 2022
Subject: "O=it,CN=test"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
(...)
Signed Extensions:
Name: Certificate Subject Alt Name
DNS name: "*test.com"
IP Address: 10.2.3.5
Name: Certificate Basic Constraints
Critical: True
Data: Is not a CA.
(...)
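The following Go program is an added illustration of the PBM mechanism behind the secret and reference arguments; it is not part of this documentation nor of the Virtual Service Router's code. It follows the BASEKEY derivation of RFC 4210 section 5.1.3.1 (the one-way function applied to the secret with the salt appended, then re-applied iterationCount-1 times) and protects the message with an HMAC under that key. SHA-256 for both the one-way function and the MAC, the reference string userEE-ref, the iteration count and the message bytes are assumptions made for this example; only the secret "password" comes from the enroll command above.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// PBMParameter mirrors the salt and iteration count carried in the CMP message
// header (RFC 4210, section 5.1.3.1). SHA-256 is assumed here for both the
// one-way function and the HMAC; the real OIDs travel in the same structure.
type PBMParameter struct {
	Salt           []byte
	IterationCount int
}

// pbmBaseKey derives BASEKEY: the OWF is applied to secret||salt, then
// re-applied iterationCount-1 times to its own output.
func pbmBaseKey(secret, salt []byte, iterationCount int) []byte {
	key := sha256.Sum256(append(append([]byte{}, secret...), salt...))
	for i := 1; i < iterationCount; i++ {
		key = sha256.Sum256(key[:])
	}
	return key[:]
}

// pbmProtect computes the PKIProtection over the DER of the ProtectedPart
// (header and body). The IAK itself never goes on the wire.
func pbmProtect(secret []byte, p PBMParameter, protectedPart []byte) []byte {
	mac := hmac.New(sha256.New, pbmBaseKey(secret, p.Salt, p.IterationCount))
	mac.Write(protectedPart)
	return mac.Sum(nil)
}

// cmpServer keeps one IAK per senderKID (the page's reference string); a request
// is accepted only if its MAC recomputes under the secret that KID selects.
type cmpServer struct {
	iaks map[string][]byte
}

func (s *cmpServer) verify(senderKID string, p PBMParameter, protectedPart, protection []byte) bool {
	secret, ok := s.iaks[senderKID]
	if !ok {
		return false
	}
	return hmac.Equal(protection, pbmProtect(secret, p, protectedPart))
}

// runExchange simulates one PBM-protected IR with the page's secret "password";
// the reference string "userEE-ref" and the message bytes are constructed here.
func runExchange() (accepted, wrongSecretAccepted, unknownKIDAccepted bool) {
	server := &cmpServer{iaks: map[string][]byte{"userEE-ref": []byte("password")}}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	p := PBMParameter{Salt: salt, IterationCount: 1000}
	ir := []byte("constructed stand-in for DER(PKIHeader, PKIBody{ir})")
	accepted = server.verify("userEE-ref", p, ir, pbmProtect([]byte("password"), p, ir))
	wrongSecretAccepted = server.verify("userEE-ref", p, ir, pbmProtect([]byte("Password"), p, ir))
	unknownKIDAccepted = server.verify("other", p, ir, pbmProtect([]byte("password"), p, ir))
	return
}

func main() {
	fmt.Println(runExchange())
}
```

The reference string matters operationally: a CA that manages many IAKs needs the SenderKID to pick the right secret before it can check the MAC, and a request carrying an unknown KID or a MAC computed under the wrong secret is rejected without revealing which of the two was wrong.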
Authentication via a vendor certificate/key pair¶
To perform an enrollment with vendor certificate/key pair authentication, specify
the vendor certificate in the ca-profile.
vsr running config# pki ca-profile rootca cmp
vsr running cmp# initial-certificate vendorEE
vsr running cmp# commit
The vendor certificate/key pair must be installed in the global certificate store. The certificate installation may be performed by any method supported by the Virtual Service Router.
cmd certificate add name vendorEE data "
-----BEGIN CERTIFICATE-----
(...)
-----END CERTIFICATE-----
" private-key "
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgJtphGfFJPMixYMTG
P2kl5J21ZYlb77k1dfWwPZAH8SKhRANCAATMBv5ELFUoHUYJuc+WwIQJPtjQF4VI
MUgPLSGcdW8DuFv0nQ9s5zvU4y1RB10gtAea/oRL1hryZ8U9Dc+sxWh1
-----END PRIVATE KEY-----
"
Then the enrollment may be performed with the cmp enroll command.
vsr> cmd certificate cmp enroll ca-profile rootca name cmpEE subject /CN=cmpee/O=it san dns:cmpee.6wind.com
vsr> show certificate name cmpEE
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
40:5a:ae:72:ab:ef:ce:06:02:e2:d5:e2:57:07:0d:ed:
81:8e:06:de
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: "CN=6WIND"
Validity:
Not Before: Wed Jul 21 15:53:13 2021
Not After : Sun May 01 00:00:00 2022
Subject: "O=it,CN=cmpee"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
(...)
Signed Extensions:
Name: Certificate Subject Alt Name
DNS name: cmpee.6wind.com
Name: Certificate Basic Constraints
Critical: True
Data: Is not a CA.
(...)
Installation of CA certificates¶
By default, the CA certificates returned by the CMP server in the caPubs
field are installed and trusted by IKE. The command dynamically assigns a name to each
of the installed certificates:
- if the CA certificate is the issuer of the enrolled certificate and no certificate exists by the ca-profile name, then the certificate name is set to the ca-profile name.
- otherwise, if an identical certificate is already installed, ignore it.
- otherwise, build the certificate name based on the 16 least significant digits of the hexadecimal serial number, and append an optional suffix (-00, -01…) in case of duplicate names.
See also
The CMP enroll command reference and PKI command reference for details.
Certificate update via CMP¶
Updating a previously enrolled certificate can be done through the rpc command
cmd certificate cmp update. Note that a new private key will be used and the
old certificate is overwritten.
This command generates a new private key, then sends a CMP KUR message to a CMP server to request an update of the former certificate.
The command requests the same subject name and SANs as in the original certificate.
Like for CMP enrollment, a ca-profile must be specified.
vsr> cmd certificate cmp update name userEE ca-profile 6WIND
OK.
vsr> show certificate name testEE
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
79:80:c5:ac:71:0a:b5:39:1b:fd:df:82:ac:49:e5:95:
0a:20:19:74
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: "CN=6WIND"
Validity:
Not Before: Fri Jul 23 13:51:21 2021
Not After : Sun May 01 00:00:00 2022
Subject: "O=it,CN=test"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
(...)
Signed Extensions:
Name: Certificate Subject Alt Name
DNS name: "*test.com"
IP Address: 10.2.3.5
Name: Certificate Basic Constraints
Critical: True
Data: Is not a CA.
..
..
See also
The CMP update command reference and PKI command reference for details.
Certificate scheduled-update via CMP¶
Schedule automatic updates via CMP¶
It is possible to schedule automatic updates of certificates before they expire,
via the cmd certificate cmp scheduled-update command.
The syntax is the same as a certificate cmp update command, but the
ca-profile cmp section must include an automatic-update sub-section:
vsr running config# pki
vsr running pki# ca-profile rootca
vsr running ca-profile rootca# cmp
vsr running cmp# url http://pki-host:8080/cmp/client
vsr running cmp# server-certificate 6WIND
vsr running cmp# automatic-update
vsr running automatic-update# remaining-time 1
vsr running automatic-update# retry-delay 15
vsr running automatic-update# commit
vsr running automatic-update# exit
vsr> cmd certificate cmp scheduled-update name userEE ca-profile 6WIND
Note that if the automatic-update sub-section exists at the time of the
enrollment, the automatic update will be started immediately, without the need
to invoke the cmd certificate cmp scheduled-update command.
Note
Any later change in the ca-profile is not taken into account by an
already scheduled update. The actual parameters are those in effect when the
scheduled update was started.
If parameters change, then the cmd certificate cmp scheduled-update command
must be manually invoked again.
See also
The CMP scheduled-update command reference and PKI command reference for details.
Stop automatic updates via CMP¶
To stop automatic updates for a certificate, use the flush certificate cmp
scheduled-update command:
vsr> flush certificate cmp scheduled-update name userEE
Stopped automatic update for userEE.
If no automatic update is scheduled, the command will simply return an informational message:
vsr> flush certificate cmp scheduled-update name userEE
No scheduled automatic update for userEE.
Show status for scheduled automatic update via CMP¶
To show the status of automatic updates for a certificate, use the show
certificate cmp scheduled-update command:
vsr> show certificate cmp scheduled-update name userEE
Expiration of dut in 1094 days 78807 seconds
Automatic update in 1093 days 78807 seconds
Update parameters:
ca-profile 6WIND
vrf main
url http://pki-host:8080/cmp/client
server-certificate 6WIND
private-key-algorithm rsa-2048
automatic-update
remaining-time 1
retry-delay 30
If no automatic update is scheduled, the command will simply return an informational message:
vsr> show certificate cmp scheduled-update name userEE
No scheduled automatic update for userEE.
Online enrollment and update via EST¶
Enrollment over Secured Transport (EST) is an Internet protocol standardized by the IETF, used to acquire EE certificates and associated CA certificates in a PKI. The EST protocol is transported over HTTPS.
The Virtual Service Router supports the EST simpleenroll, simplereenroll and cacerts
exchanges described in RFC 7030.
CA profile configuration for EST¶
Using the EST protocol requires configuring the EST parameters in a
ca-profile. The rpc commands that trigger enrollments or updates refer to
this ca-profile.
Enrollment and update requests imply that the Virtual Service Router performs HTTPS client
authentication. The initial enrollment uses a vendor EE certificate (the
initial-certificate), while reenrollments use the EE certificate formerly
acquired from the EST server. The vendor certificate/key pair must be
installed on the device before performing the initial enrollment.
A CA certificate store must be specified (ca-certificate-store). It is used
as a trust anchor both for the EST protocol itself and for other services,
like IKE, that may choose to trust CA certificates from this store.
This CA certificate store must be initialized with at least one trust anchor to authenticate the EST server, and may later be updated via EST with additional or newer CA certificate chains.
Example of CA profile estca, using the CA certificate store eststore as
a trust anchor and the vendor certificate vendorEE.
vsr running config# pki
vsr running pki# ca-profile estca
vsr running ca-profile estca# est
vsr running est#! url https://pki.example.net:8080/.well-known/est
vsr running est# initial-certificate vendorEE
vsr running est# ca-certificate-store eststore
vsr running est# commit
Advanced options may be added such as:
- private-key-algorithm: the cryptographic algorithm of private keys (default rsa-2048)
- source: the source IP address of EST exchanges
- vrf: the VRF of EST exchanges
- l3vrf: the L3VRF of EST exchanges
- use-ocsp-stapling: whether to check the status of the EST server certificate via OCSP stapling (default false)
- ca-certificate-update: whether to perform an update of CA certificates before every certificate enrollment or update (default false)
Example:
vsr running est# private-key-algorithm ecdsa-nistp256
vsr running est# commit
vsr running est# exit
The CA certificate store must then be populated, and the initial certificate be installed.
Example:
Install the trust anchor in CA certificate store eststore, here a single
root CA certificate:
vsr> cmd certificate add name RootCA1 certificate-store eststore data "
... -----BEGIN CERTIFICATE-----
... MIIB3DCCAYOgAwIBAgIUJlKyvoS+FWLBlm0lammT3B7giRkwCgYIKoZIzj0EAwIw
... PDELMAkGA1UEBhMCRlIxEDAOBgNVBAoMB0V4YW1wbGUxGzAZBgNVBAMMEkV4YW1w
... bGUgRUNEU0EgUkNBMTAeFw0yNTA4MDYwODIzMjJaFw0zNTA4MDYwODIzMjJaMDwx
... CzAJBgNVBAYTAkZSMRAwDgYDVQQKDAdFeGFtcGxlMRswGQYDVQQDDBJFeGFtcGxl
... IEVDRFNBIFJDQTEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT41qyJMW2lOs5m
... ZX7UbbR2M6bOyTcbomo7U4xJIbrV1FVxjPM1yY1OznNuYUDGofZnoSglo3a8oam5
... yx88V23lo2MwYTAdBgNVHQ4EFgQUdoZPGuZw7ZcDI8WogzzwRAVKNy8wHwYDVR0j
... BBgwFoAUdoZPGuZw7ZcDI8WogzzwRAVKNy8wDwYDVR0TAQH/BAUwAwEB/zAOBgNV
... HQ8BAf8EBAMCAYYwCgYIKoZIzj0EAwIDRwAwRAIgBS/EFRryDERefgmcoxh+nk2T
... VvFZCMQCCrSRJzuf1E4CIGgTnvZnyYFt2M6b7rOllYy5x4COGFj0q1b8/MxkFY/F
... -----END CERTIFICATE-----
... "
OK.
vsr> show certificate name RootCA1
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
26:52:b2:be:84:be:15:62:c1:96:6d:25:6a:69:93:dc:1e:e0:89:19
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = FR, O = Example, CN = Example ECDSA RCA1
Validity
Not Before: Aug 6 08:23:22 2025 GMT
Not After : Aug 6 08:23:22 2035 GMT
Subject: C = FR, O = Example, CN = Example ECDSA RCA1
(...)
The EST certificate is signed by this CA certificate.
Install the device vendor certificate vendorEE in the global certificate
store:
vsr> cmd certificate add name vendorEE data "
... -----BEGIN CERTIFICATE-----
... MIICEDCCAbagAwIBAgIUBdoJrsqN90Zn2TlJNYL2Dc0JGWwwCgYIKoZIzj0EAwIw
... PDELMAkGA1UEBhMCRlIxDjAMBgNVBAoMBTZXSU5EMR0wGwYDVQQDDBQ2V0lORCBU
... ZXN0IEVDRFNBIElDQTAeFw0yNDEyMTkxMTAxMDlaFw0zMTEyMTkxMTAxMDlaMDkx
... CzAJBgNVBAYTAkZSMQ4wDAYDVQQKDAU2V0lORDEaMBgGA1UEAwwRNldORC0wMDA5
... YzAwZjJkZGQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARx8nT6wrN0At0OBOg3
... 5my5fTmK2dyWX7Oug1fGpMQBgNTf4CfVeBcEHFUgCeIxRAYeX3IQUruo00s5STmv
... MDFEo4GYMIGVMB0GA1UdDgQWBBRUqfi6CdVQeR6jYRvZFUXLuJEt7jAfBgNVHSME
... GDAWgBTsL6aypAIw2hDfMF3mZ0oCJoqYujAMBgNVHRMBAf8EAjAAMAsGA1UdDwQE
... AwIDqDA4BgNVHR8EMTAvMC2gK6AphidodHRwOi8vY3JscmQuNndpbmQuY29tLzZX
... SU5EVGVzdElDQS5jcmwwCgYIKoZIzj0EAwIDSAAwRQIgKIiYCMSBfkMPZ1SlFmj2
... ZrHjmKUWNf+GvhyknSVD15gCIQCJ2+jG3rrpRNtSaVSkhyDDPbGtJ0OPCa7s7C/Q
... frISFA==
... -----END CERTIFICATE-----
... " private-key "
... -----BEGIN PRIVATE KEY-----
... MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgJLUUu75R3MBGBaLA
... PlZ6aeuXnFy7ZYSJHO07sIMXKv6hRANCAARx8nT6wrN0At0OBOg35my5fTmK2dyW
... X7Oug1fGpMQBgNTf4CfVeBcEHFUgCeIxRAYeX3IQUruo00s5STmvMDFE
... -----END PRIVATE KEY-----
... "
vsr> show certificate name vendorEE
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
05:da:09:ae:ca:8d:f7:46:67:d9:39:49:35:82:f6:0d:cd:09:19:6c
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = FR, O = 6WIND, CN = 6WIND Test ECDSA ICA
Validity
Not Before: Dec 19 11:01:09 2024 GMT
Not After : Dec 19 11:01:09 2031 GMT
Subject: C = FR, O = 6WIND, CN = 6WND-0009c00f2ddd
(...)
This vendor certificate identifies the local device. The EST server trusts the vendor CA certificate chain that signed this certificate.
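The following Go program is an added example, not code from this documentation nor from the Virtual Service Router. It reuses the PEM material printed on this page (the vendorEE certificate with its private key, and the RootCA1 trust anchor of eststore) to perform, with the Go standard library, the checks the router makes when such material is installed: that the private key matches the certificate (the same check applied to a pending CSR, see the section on installing a signed certificate), that RootCA1 is a self-signed CA usable as a trust anchor, and that vendorEE does not chain to eststore, since its issuer is the vendor's intermediate CA, which is not on this page and is distinct from the EST trust anchor.

```go
package main

import (
	"crypto"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// PEM blocks copied from this page's examples (CLI "... " prefixes removed):
// vendorEE with its private key, and the eststore trust anchor RootCA1.
const vendorEECertPEM = `-----BEGIN CERTIFICATE-----
MIICEDCCAbagAwIBAgIUBdoJrsqN90Zn2TlJNYL2Dc0JGWwwCgYIKoZIzj0EAwIw
PDELMAkGA1UEBhMCRlIxDjAMBgNVBAoMBTZXSU5EMR0wGwYDVQQDDBQ2V0lORCBU
ZXN0IEVDRFNBIElDQTAeFw0yNDEyMTkxMTAxMDlaFw0zMTEyMTkxMTAxMDlaMDkx
CzAJBgNVBAYTAkZSMQ4wDAYDVQQKDAU2V0lORDEaMBgGA1UEAwwRNldORC0wMDA5
YzAwZjJkZGQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARx8nT6wrN0At0OBOg3
5my5fTmK2dyWX7Oug1fGpMQBgNTf4CfVeBcEHFUgCeIxRAYeX3IQUruo00s5STmv
MDFEo4GYMIGVMB0GA1UdDgQWBBRUqfi6CdVQeR6jYRvZFUXLuJEt7jAfBgNVHSME
GDAWgBTsL6aypAIw2hDfMF3mZ0oCJoqYujAMBgNVHRMBAf8EAjAAMAsGA1UdDwQE
AwIDqDA4BgNVHR8EMTAvMC2gK6AphidodHRwOi8vY3JscmQuNndpbmQuY29tLzZX
SU5EVGVzdElDQS5jcmwwCgYIKoZIzj0EAwIDSAAwRQIgKIiYCMSBfkMPZ1SlFmj2
ZrHjmKUWNf+GvhyknSVD15gCIQCJ2+jG3rrpRNtSaVSkhyDDPbGtJ0OPCa7s7C/Q
frISFA==
-----END CERTIFICATE-----`

const vendorEEKeyPEM = `-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgJLUUu75R3MBGBaLA
PlZ6aeuXnFy7ZYSJHO07sIMXKv6hRANCAARx8nT6wrN0At0OBOg35my5fTmK2dyW
X7Oug1fGpMQBgNTf4CfVeBcEHFUgCeIxRAYeX3IQUruo00s5STmvMDFE
-----END PRIVATE KEY-----`

const rootCA1PEM = `-----BEGIN CERTIFICATE-----
MIIB3DCCAYOgAwIBAgIUJlKyvoS+FWLBlm0lammT3B7giRkwCgYIKoZIzj0EAwIw
PDELMAkGA1UEBhMCRlIxEDAOBgNVBAoMB0V4YW1wbGUxGzAZBgNVBAMMEkV4YW1w
bGUgRUNEU0EgUkNBMTAeFw0yNTA4MDYwODIzMjJaFw0zNTA4MDYwODIzMjJaMDwx
CzAJBgNVBAYTAkZSMRAwDgYDVQQKDAdFeGFtcGxlMRswGQYDVQQDDBJFeGFtcGxl
IEVDRFNBIFJDQTEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT41qyJMW2lOs5m
ZX7UbbR2M6bOyTcbomo7U4xJIbrV1FVxjPM1yY1OznNuYUDGofZnoSglo3a8oam5
yx88V23lo2MwYTAdBgNVHQ4EFgQUdoZPGuZw7ZcDI8WogzzwRAVKNy8wHwYDVR0j
BBgwFoAUdoZPGuZw7ZcDI8WogzzwRAVKNy8wDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAYYwCgYIKoZIzj0EAwIDRwAwRAIgBS/EFRryDERefgmcoxh+nk2T
VvFZCMQCCrSRJzuf1E4CIGgTnvZnyYFt2M6b7rOllYy5x4COGFj0q1b8/MxkFY/F
-----END CERTIFICATE-----`

// mustDER returns the DER bytes of a PEM block; inputs are fixed, so failures panic.
func mustDER(p string) []byte {
	b, _ := pem.Decode([]byte(p))
	if b == nil {
		panic("no PEM block in input")
	}
	return b.Bytes
}

// keyMatchesCert is the check the router makes before installing a certificate
// over a pending CSR: the certificate's public key must be the public half of
// the private key that is stored with it.
func keyMatchesCert(cert *x509.Certificate, key crypto.Signer) bool {
	pub, ok := cert.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	return ok && pub.Equal(key.Public())
}

// chainsTo reports whether leaf builds a valid chain to root alone; extended
// key usage is ignored so that only the chain itself is tested.
func chainsTo(leaf, root *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// checkPageCerts parses the page's material and runs three checks: key/cert
// match for vendorEE, RootCA1 is a self-signed CA (a usable trust anchor),
// and vendorEE does not chain to eststore, since its issuer is the vendor ICA.
func checkPageCerts() (keyOK, rootOK, vendorChainsToRoot bool, err error) {
	cert, err := x509.ParseCertificate(mustDER(vendorEECertPEM))
	if err != nil {
		return
	}
	rawKey, err := x509.ParsePKCS8PrivateKey(mustDER(vendorEEKeyPEM))
	if err != nil {
		return
	}
	root, err := x509.ParseCertificate(mustDER(rootCA1PEM))
	if err != nil {
		return
	}
	key := rawKey.(crypto.Signer) // ECDSA keys implement crypto.Signer
	rootOK = root.IsCA && root.CheckSignatureFrom(root) == nil
	return keyMatchesCert(cert, key), rootOK, chainsTo(cert, root), nil
}

func main() {
	keyOK, rootOK, chain, err := checkPageCerts()
	fmt.Println("vendorEE key matches:", keyOK, "| RootCA1 trust anchor:", rootOK,
		"| vendorEE chains to RootCA1:", chain, "| error:", err)
}
```

The third check is the one worth keeping in mind when an EST enrollment fails with a TLS error: the device certificate and the EST server certificate are validated against two different trust chains (the vendor CA on the server side, eststore on the device side), and neither store needs to contain the other's issuer.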
To specify which certificate extensions should be requested in the initial
enrollment, add a certificate-extensions section in the CA profile as
described in Configure requested certificate extensions.
Certificate enrollment via EST¶
To issue a new end user certificate from a given PKI, the rpc command
cmd certificate est enroll can be used.
This command generates a private key, then sends an EST simpleenroll message
to an EST server to request a certificate.
If a valid response message is received, the private key and certificate are installed with the specified name.
The parameters regarding the EST server are retrieved from a ca-profile,
stored in the configuration. The parameters regarding the certificate to enroll
itself are provided on the command line.
The device authenticates to the server with the certificate referenced by
initial-certificate in the ca-profile est context.
In addition to the certificate Subject Name, a list of optional Subject
Alternative Names may be specified with the san argument.
vsr> cmd certificate est enroll ca-profile estca name estEE subject /C=FR/O=example/CN=6WND-0009c00f2ddd san dns:6WND-0009c00f2ddd.example.com
vsr> show certificate name estEE
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
60:f9:05:57:68:76:d0:4a:e3:79:d3:e7:4d:ff:81:b1:a5:a6:d1:d5
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = FR, O = Example, CN = Example ECDSA RCA1
Validity
Not Before: Aug 7 15:19:05 2025 GMT
Not After : Aug 7 15:19:05 2035 GMT
Subject: C = FR, O = Example, CN = 6WND-0009c00f2ddd
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:de:d6:d7:b3:8a:f5:f1:7f:a9:f0:90:24:46:da:
b8:97:f9:60:2b:66:b9:9e:61:25:54:66:ac:ef:71:
09:43:38:c1:b3:5b:62:c9:f9:a4:53:4d:32:a7:4c:
90:0b:db:a4:f2:e1:6a:c3:68:20:25:0f:28:2f:e0:
cc:10:a3:a6:75
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Subject Key Identifier:
2D:B3:26:4C:F4:8A:7C:91:1A:59:5C:40:99:D8:64:57:1D:C4:12:65
X509v3 Authority Key Identifier:
76:86:4F:1A:E6:70:ED:97:03:23:C5:A8:83:3C:F0:44:05:4A:37:2F
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.example.com/ExampleRCA1.crl
X509v3 Subject Alternative Name:
DNS:6WND-0009c00f2ddd.example.com
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:45:02:21:00:85:57:c3:5d:08:70:94:83:a6:a6:14:96:ff:
cf:2a:b6:1d:95:0b:6b:3d:14:8f:c3:2b:ac:58:3f:d5:a6:6b:
cd:02:20:2e:aa:1e:ae:29:cd:5b:7e:35:83:cc:cd:c2:63:cc:
39:a9:21:7c:07:f0:37:d4:e5:8b:20:04:29:b0:60:ec:29
See also
The EST enroll command reference and PKI command reference for details.
Certificate update via EST¶
Updating a previously enrolled certificate can be done through the rpc command
cmd certificate est update. Note that a new private key is generated and
the old certificate is overwritten.
This command generates a new private key, then sends an EST simplereenroll
message to an EST server to request an update of the former certificate.
The device authenticates to the server with the certificate that must be updated.
The command requests the same subject name and X509v3 extensions (including SANs) as in the original certificate.
Like for EST enrollment, a ca-profile must be specified.
vsr> cmd certificate est update ca-profile estca name estEE
OK.
vsr> show certificate name estEE
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
64:78:9d:f0:68:46:6d:50:05:d3:0b:28:fd:cb:57:cd:f8:30:c9:5e
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = FR, O = Example, CN = Example ECDSA RCA1
Validity
Not Before: Aug 7 15:29:51 2025 GMT
Not After : Aug 7 15:29:51 2035 GMT
Subject: C = FR, O = Example, CN = 6WND-0009c00f2ddd
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:d3:99:de:ca:25:1e:57:82:b6:c1:fb:35:5c:e7:
1b:54:93:fb:c3:fe:76:18:e5:9c:d2:14:d2:bc:96:
72:b9:0d:df:90:bd:e3:d6:e0:c7:61:a8:5c:8b:90:
f3:46:f3:7c:17:48:22:32:60:5d:b1:37:ce:0b:bc:
1b:d0:41:1d:3f
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Subject Key Identifier:
DF:2C:63:4B:7F:1C:63:04:52:58:1C:74:30:1B:B5:46:AD:01:D6:52
X509v3 Authority Key Identifier:
76:86:4F:1A:E6:70:ED:97:03:23:C5:A8:83:3C:F0:44:05:4A:37:2F
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.example.com/ExampleRCA1.crl
X509v3 Subject Alternative Name:
DNS:6WND-0009c00f2ddd.example.com
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:44:02:20:02:f9:57:08:d4:86:d7:43:73:5a:de:08:80:b4:
c6:05:cf:19:4c:2c:8c:0a:90:32:56:5c:54:7c:7a:f1:c8:5b:
02:20:68:0c:29:7b:b8:36:bd:f5:9a:34:de:cb:6d:30:76:a5:
20:15:e1:45:7b:d6:49:21:b6:17:56:2c:70:76:8c:56
See also
The EST update command reference and PKI command reference for details.
Certificate scheduled-update via EST¶
Schedule automatic updates via EST¶
It is possible to schedule automatic updates of certificates before they expire,
via the cmd certificate est scheduled-update command.
The syntax is the same as a certificate est update command, but the
ca-profile est section must include an automatic-update sub-section:
vsr running config# pki
vsr running pki# ca-profile estca
vsr running ca-profile estca# est
vsr running est# automatic-update
vsr running automatic-update# remaining-time 1
vsr running automatic-update# retry-delay 15
vsr running automatic-update# commit
vsr running automatic-update# exit
vsr> cmd certificate est scheduled-update name estEE ca-profile estca
Note that if the automatic-update sub-section exists at the time of the
enrollment, the automatic update will be started immediately, without the need
to invoke the cmd certificate est scheduled-update command.
Note
Any later change in the ca-profile is not taken into account by an
already scheduled update. The actual parameters are those in effect when the
scheduled update was started.
If parameters change, then the cmd certificate est scheduled-update command
must be manually invoked again.
See also
The EST scheduled-update command reference and PKI command reference for details.
Stop automatic updates via EST¶
To stop automatic updates for a certificate, use the flush certificate est
scheduled-update command:
vsr> flush certificate est scheduled-update name estEE
Stopped automatic update for userEE.
If no automatic update is scheduled, the command will simply return an informational message:
vsr> flush certificate est scheduled-update name estEE
No scheduled automatic update for userEE.
Show status of scheduled automatic update via EST¶
To show the status of automatic updates for a certificate, use the show
certificate est scheduled-update command:
vsr> show certificate est scheduled-update name userEE
Expiration of dut in 1094 days 78807 seconds
Automatic update in 1093 days 78807 seconds
Update parameters:
ca-profile estca
vrf main
url https://pki.example.net:8080/.well-known/est
initial-certificate vendorEE
ca-certificate-store eststore
private-key-algorithm ecdsa-nistp256
automatic-update
remaining-time 1
retry-delay 15
If no automatic update is scheduled, the command will simply return an informational message:
vsr> show certificate est scheduled-update name estEE
No scheduled automatic update for userEE.
Updating CA certificates via EST¶
The CA certificates can also be updated via EST, using the cmd certificate est
update-ca-certificates command:
cmd certificate est update-ca-certificates ca-profile estca
This command sends a cacerts message to the EST server to retrieve the
current list of CA certificates and updates the ca-certificate-store
referenced in the ca-profile est section.
The command supports the following options:
- insecure: disables TLS authentication and verifications. This option may be used for example when the TLS connection to the EST server fails, e.g. due to an outdated trust anchor.
- method: specifies how to update the CA certificate store.
  - merge: merge the store with the downloaded CA certificates, remove potential cross-signed certificates. This is the default method.
  - cherry-pick: iteratively update the CA certificate store by only adding certificates that can be validated against the current store. New root certificates may be added to the trust anchor by using cross-signed certificates. This mode is typically used in conjunction with option insecure to bootstrap the trust anchor, when the store does not have the latest root CA installed. At the end of the procedure, cross-signed certificates are removed.
Example:
vsr> cmd certificate est update-ca-certificates ca-profile estca
Keeping RootCA1
subject: C=FR, O=Example, CN=Example ECDSA RCA1
issuer: C=FR, O=Example, CN=Example ECDSA RCA1
Successfully updated EST CA certificates for estca
Note
In this context, a cross-signed certificate is an intermediate certificate issued by a trusted CA to sign the public key of another CA root certificate.
Example:
The trusted root CA certificate ca1 signs the cross-signed CA
certificate cross-ca, that itself signs the public key of the root CA
certificate ca2.
ca1 (trusted)   =>   cross-ca       =>   ca2
-------------        ------------        ------------
issuer:  ca1         issuer:  ca1        issuer:  ca2
subject: ca1         subject: ca2        subject: ca2
pubkey:  ca1         pubkey:  ca2        pubkey:  ca2
ca2 is self-signed, but it can also be validated by the CA chain
ca1 => cross-ca => ca2.
This makes it possible to phase in a new root certificate ca2 while maintaining
trust with older systems that trust ca1 but may not yet have the new root ca2
installed in their trust stores.
Note
If the automatic update of CA certificates is enabled in the CA profile
(ca-certificate-update option), the CA certificate update is first tried
with client and server SSL authentication (mode secure and method merge). If
it fails, the CA certificate update is tried without any SSL authentication
(mode insecure and method cherry-pick). If the CA certificate update still
fails, the enrollment or update is canceled.
Revocation global options¶
Set the vrf and source address for CRL retrieval¶
During an IKE negotiation with certificate authentication, if one or more
CRL distribution points are specified for the CA (in a ca-profile or
embedded in the CA certificate), the IKE service tries to retrieve a CRL
during the authentication phase.
By default the CRL retrieval exchange is performed in the same VRF as the IKE negotiation, and the source address is automatically chosen by the routing table.
In some use cases, it may be necessary to specify a different VRF and/or a
specific source address. These parameters may be set in the pki revocation crl
context. They apply to all CA certificates, regardless of the IKE VRF.
vsr> edit running
vsr running config# pki
vsr running pki# revocation
vsr running revocation# crl
vsr running crl# vrf private
vsr running crl# source 10.175.0.3
vsr running crl# commit
vsr running crl# /
vsr running config#
vsr> show config pki
pki
revocation
crl
vrf private
source 10.175.0.3
..
..
..