Certificates

An X.509 certificate is a digital document that securely associates cryptographic key pairs with identities such as individuals, organizations, machines or services. It is used by public key infrastructures (PKI) to verify that a public key belongs to the identity contained within the certificate.

An X.509 certificate contains information about the identity to which the certificate is issued and about the identity that issued it. Common fields included in an X.509 certificate are:

  • Version: the X.509 version that applies to the certificate.

  • Serial Number: a number that distinguishes the certificate from the other certificates of the same issuer.

  • Algorithm information: the algorithm used by the issuer to sign the certificate.

  • Issuer Distinguished Name: the name of the entity issuing the certificate.

  • Validity: period in which the certificate can be trusted (start/end date).

  • Subject Distinguished Name: the name of the identity the certificate is issued to.

  • Subject Public Key Information: the public key associated with the identity.

  • Extensions (optional): other useful fields such as Subject Alternative Name(s) and Key Usage.
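As an added illustration of the fields listed above (this script is not part of the 6WIND documentation and uses only the Python standard library), the following code decodes those fields straight from the DER structure of a PEM certificate. Its sample input is the PEM certificate from the "Add a certificate" example further down this page; the function names (parse_certificate, validity_status, read_tlv and so on) are this example's own. Besides the issuance fields it reports whether the certificate is a CA (Basic Constraints) and whether a given moment falls inside its validity period, which are the two things worth confirming before a root or intermediate CA is imported into the local database.

```python
import base64
from datetime import datetime

# Constructed sample input: the PEM certificate shown in the "Add a certificate" example on
# this page (an OpenSSL-style self-signed test certificate, so issuer and subject are identical).
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MIIDazCCAlOgAwIBAgIUOittEYmcZTGUGioankW6HvDYTMcwDQYJKoZIhvcNAQEL
BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMTA4MjcxNTEwNTFaFw0yMjA4
MjcxNTEwNTFaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQCwebLs/zQB0RyVi1VJW7sT/ZUgkTg2kf/1ab312+Fh
1nCnMz7q5loNVm7ZJ/8+kwdGIEkCxwbZr++asN8EjKOvSNZphk7kOJbam6ui1j5C
ollm77CF4n6urj9/mA73OJJkwkTbzzBwTcfSXephAa5lAw0z83C04WaVleBlH5c8
RhEcwx+8dlMmBkpwuaaxFBDfXHHeu4W554PpJEY0/W1m3uaX44QvXbRZV+f6/CpM
RpdBKsMqPvj776VDeYylHewb0MlwOadXw8YMXs7pkkRoP2AvuP0hFev8+LTj6kkG
4c89VX5s6DPuu/P1cLowLCnt5DppAt69nTK8Zbk4wjVJAgMBAAGjUzBRMB0GA1Ud
DgQWBBR3c9b3DavflgTCoUEWQY6OyqXhmzAfBgNVHSMEGDAWgBR3c9b3DavflgTC
oUEWQY6OyqXhmzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAm
vleOmDHBChJ7at+yEQM8hmAqmupVWX3aUXaoKkGMpD8vg46uYhxxcInzBPaySblQ
QyGLom2raUW0a27hhAucQe1ZRqpfIAvJ5/hUkztkOsUOC2nptMn9lZQvbnmGFoSR
AQP3me3QffYVU4ozL2UeqUQV1yd91cIQOGu9DZFQOQkeVj7J5O4iAw3Xp0xxNuAJ
GgncUQMya16UW4wbAjXpq0ZVKIWQtkZw+0ZffVfIyYUFsq3j6pFVcETa6VDrES0h
r6phc+0OVpwUU0AQg7SJucApPNOf0KbnGyLli/e8yUtsrDouifSr29QipRiHhrOr
eS4EeexMXu6W4TsFjpkP
-----END CERTIFICATE-----"""

# Object identifiers that label the fields of interest; any other OID is shown in dotted form.
OID_NAMES = {"2.5.4.6": "C", "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.3": "CN",
             "1.2.840.113549.1.1.1": "rsaEncryption", "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
             "2.5.29.14": "subjectKeyIdentifier", "2.5.29.15": "keyUsage", "2.5.29.17": "subjectAltName",
             "2.5.29.19": "basicConstraints", "2.5.29.35": "authorityKeyIdentifier"}

def read_tlv(buf, pos):                     # one DER tag-length-value at pos -> (tag, value, next position)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes that follow
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length

def children(value):                        # direct (tag, value) children of a SEQUENCE/SET body
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        out.append((tag, inner))
    return out

def oid_name(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                       # base-128 arcs; high bit set on all but the last byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    dotted = ".".join(map(str, arcs))
    return OID_NAMES.get(dotted, dotted)

def decode_name(value):                     # Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value }
    parts = []
    for _, rdn in children(value):
        for _, atv in children(rdn):
            (_, oid), (_, text) = children(atv)
            parts.append(f"{oid_name(oid)}={text.decode()}")
    return ", ".join(parts)

def decode_time(tag, value):                # UTCTime (0x17, two-digit year) or GeneralizedTime (0x18)
    return datetime.strptime(value.decode(), "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ")

def parse_certificate(pem):                 # issuance fields of a PEM certificate, as a dict
    der = base64.b64decode("".join(l for l in pem.strip().splitlines() if not l.startswith("-----")))
    _, cert, _ = read_tlv(der, 0)
    (_, tbs), _, _ = children(cert)         # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, signature }
    f, info = children(tbs), {"version": 1}
    if f[0][0] == 0xA0:                     # EXPLICIT [0] version; absent means v1
        info["version"], f = children(f[0][1])[0][1][0] + 1, f[1:]
    info["serial"] = f[0][1].hex()
    info["signature_algorithm"] = oid_name(children(f[1][1])[0][1])
    info["issuer"] = decode_name(f[2][1])
    (nb_tag, nb), (na_tag, na) = children(f[3][1])
    info["not_before"], info["not_after"] = decode_time(nb_tag, nb), decode_time(na_tag, na)
    info["subject"] = decode_name(f[4][1])
    (_, alg), (_, bits) = children(f[5][1])  # SubjectPublicKeyInfo { algorithm, subjectPublicKey BIT STRING }
    info["public_key_algorithm"] = oid_name(children(alg)[0][1])
    if info["public_key_algorithm"] == "rsaEncryption":
        (_, n), (_, e) = children(children(bits[1:])[0][1])   # bits[0] = unused-bit count; RSAPublicKey { n, e }
        info["key_bits"], info["exponent"] = int.from_bytes(n, "big").bit_length(), int.from_bytes(e, "big")
    info["extensions"], info["is_ca"] = [], False
    exts = [v for t, v in f[6:] if t == 0xA3]               # extensions [3] EXPLICIT SEQUENCE OF Extension
    for _, ext in (children(children(exts[0])[0][1]) if exts else []):
        parts = children(ext)               # Extension { extnID, critical BOOLEAN DEFAULT FALSE, extnValue }
        name, critical = oid_name(parts[0][1]), len(parts) == 3 and parts[1][1] == b"\xff"
        info["extensions"].append((name, critical))
        if name == "basicConstraints":      # BasicConstraints { cA BOOLEAN DEFAULT FALSE, pathLen OPTIONAL }
            inner = children(children(parts[-1][1])[0][1])
            info["is_ca"] = bool(inner) and inner[0][0] == 0x01 and inner[0][1] == b"\xff"
    return info

def validity_status(info, now):             # 'valid', 'not yet valid' or 'expired' at a naive-UTC datetime
    return "not yet valid" if now < info["not_before"] else "expired" if now > info["not_after"] else "valid"

if __name__ == "__main__":
    print(parse_certificate(SAMPLE_PEM))
```

For the sample certificate, parse_certificate reports version 3, a 20-byte serial, sha256WithRSAEncryption, a 2048-bit RSA key, identical issuer and subject, and a critical Basic Constraints extension marking it as a CA; its validity ended on 2022-08-27, so validity_status returns "expired" for the current time. Only DER structure is decoded here; the signature itself is not verified, so the script tells you what a certificate claims, not whether the claim is backed by a trusted issuer.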

The following sections explain various supported operations used to manage certificates in the Virtual Service Router’s local database using nc-cli commands.

Import a Certificate

Use the command cmd certificate import name <cert-name> url <remote-url> to import a root CA or an intermediate CA into the local database. As an example, we use this command to import two CAs named rootca and 6WIND:

vsr running config# cmd certificate import name rootca url http://10.16.0.190:8999/rootca.pem
OK.
..

We can also use the same command to import a user certificate named user01 together with its private key:

vsr running config# cmd certificate import name user01 url http://10.16.0.190:8999/user01_cert.pem private-key-url http://10.16.0.190:8999/user01_key.pem
OK.
..

Use the show certificate list command to show the imported certificates:

vsr running config# show certificate list
6WIND
rootca
user01
user02

See also

The Import certificate command reference for details.

Export a certificate

Use the command cmd certificate export name <cert-name> url <remote-url> to export a certificate stored in the local database to a remote location:

vsr> cmd certificate export name rootca url http://remote_server:8999/
OK.
..

See also

The Export certificate command reference for details.

Add a certificate

Use the command cmd certificate add name <cert-name> data <pem-format-input> to add a certificate given as a string input (PEM-encoded format):

vsr> cmd certificate add name user03 data "-----BEGIN CERTIFICATE-----
... MIIDazCCAlOgAwIBAgIUOittEYmcZTGUGioankW6HvDYTMcwDQYJKoZIhvcNAQEL
... BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
... GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMTA4MjcxNTEwNTFaFw0yMjA4
... MjcxNTEwNTFaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
... HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
... AQUAA4IBDwAwggEKAoIBAQCwebLs/zQB0RyVi1VJW7sT/ZUgkTg2kf/1ab312+Fh
... 1nCnMz7q5loNVm7ZJ/8+kwdGIEkCxwbZr++asN8EjKOvSNZphk7kOJbam6ui1j5C
... ollm77CF4n6urj9/mA73OJJkwkTbzzBwTcfSXephAa5lAw0z83C04WaVleBlH5c8
... RhEcwx+8dlMmBkpwuaaxFBDfXHHeu4W554PpJEY0/W1m3uaX44QvXbRZV+f6/CpM
... RpdBKsMqPvj776VDeYylHewb0MlwOadXw8YMXs7pkkRoP2AvuP0hFev8+LTj6kkG
... 4c89VX5s6DPuu/P1cLowLCnt5DppAt69nTK8Zbk4wjVJAgMBAAGjUzBRMB0GA1Ud
... DgQWBBR3c9b3DavflgTCoUEWQY6OyqXhmzAfBgNVHSMEGDAWgBR3c9b3DavflgTC
... oUEWQY6OyqXhmzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAm
... vleOmDHBChJ7at+yEQM8hmAqmupVWX3aUXaoKkGMpD8vg46uYhxxcInzBPaySblQ
... QyGLom2raUW0a27hhAucQe1ZRqpfIAvJ5/hUkztkOsUOC2nptMn9lZQvbnmGFoSR
... AQP3me3QffYVU4ozL2UeqUQV1yd91cIQOGu9DZFQOQkeVj7J5O4iAw3Xp0xxNuAJ
... GgncUQMya16UW4wbAjXpq0ZVKIWQtkZw+0ZffVfIyYUFsq3j6pFVcETa6VDrES0h
... r6phc+0OVpwUU0AQg7SJucApPNOf0KbnGyLli/e8yUtsrDouifSr29QipRiHhrOr
... eS4EeexMXu6W4TsFjpkP
... -----END CERTIFICATE-----"
OK.
..

See also

The Add certificate command reference for details.

Delete a certificate

Use the command cmd certificate delete name <cert-name> to delete a certificate from the local database. In this example we delete the certificate user01 stored before:

vsr> cmd certificate delete name user01
OK.
..

See also

The Delete certificate command reference for details.

Show certificate list

The show certificate list command lists the certificates stored in the local database; these certificates may have been imported with cmd certificate import or added by another service:

vsr running config# show certificate list
6WIND
rootca
user02
user03
..

See also

The Show certificate list command reference for details.

Show certificate detail

Use show certificate name <cert-name> to show the certificate content in text (ASCII) format:

vsr running config# show certificate name 6WIND
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:54:ca:5f:55:97:1c:09:67:1b:d6:ab:ad:50:f7:9d:6e:96:72:79
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=6WIND"
        Validity:
            Not Before: Thu Aug 12 12:49:41 2021
            Not After : Fri Aug 12 12:49:40 2022
        Subject: "CN=6WIND"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    d7:22:f8:56:fb:06:8c:2d:28:2a:44:9c:28:40:79:96:
                    (....)
                    55:93:79:05:74:f9:63:88:96:66:d1:30:00:4f:d0:d0:
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Basic Constraints
            Critical: True
            Data: Is a CA with no maximum path length.
            Name: Certificate Authority Key Identifier
            Key ID:
                c9:4f:b9:85:92:d0:de:2a:28:76:e6:2c:2c:7f:c0:20:
                73:a4:71:b1
            Name: Certificate Subject Key ID
            Data:
                c9:4f:b9:85:92:d0:de:2a:28:76:e6:2c:2c:7f:c0:20:
                73:a4:71:b1
            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Certificate Signing
                    CRL Signing
    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        a5:6c:26:6a:ef:6d:f1:75:7d:f9:a5:57:69:c0:19:97:
        (...)
        fa:2a:88:11:26:f7:c1:f4:cf:8f:4d:31:c5:42:ce:26:
    Fingerprint (SHA-256):
        E2:E2:D8:0D:B0:...:2D:05:56:96:F6:21:5D:EA:62:B9
    Fingerprint (SHA1):
        6C:EB:86:6A:C5:...:0A:9A:43:6E:2A:14:0C:F8:B9:4F
..

Add the base64 option (show certificate name <cert-name> base64) to print the certificate in PEM format:

vsr running config# show certificate name 6WIND base64
-----BEGIN CERTIFICATE-----
(...)
-----END CERTIFICATE-----
..

See also

The Show certificate detail command reference for details.

Show certificate private key

Use show certificate key name <cert-name> to show the private key of the given certificate in PEM format:

vsr running config# show certificate key name user01
-----BEGIN PRIVATE KEY-----
(...)
-----END PRIVATE KEY-----
..

See also

The Show certificate key command reference for details.

Enroll/Update Certificates using CMP

The Certificate Management Protocol (CMP) is an IETF-standardized Internet protocol for obtaining X.509 digital certificates in a public key infrastructure (PKI). CMP is mainly transported over HTTP or HTTPS. The main request types exchanged are ‘Initialization Request’, ‘Key Update Request’ and ‘Revocation Request’.

The Virtual Service Router supports version 2 of the CMP protocol, as described in RFC 4210.

Certificate enroll

To issue a new end-user certificate from a given PKI, use the rpc command cmd certificate cmp enroll.

This command generates an RSA private key, then sends a CMP IR (Initialization Request) message to the CMP server to request a certificate.

In addition to the certificate subject name, optional Subject Alternative Name(s) may be specified with the san argument:

vsr running config# cmd certificate cmp enroll ca-name 6WIND name userEE url http://pki_host:port/cmp/client secret password subject /CN=test/O=it san *test.com,10.2.3.5
OK.
vsr running config# show certificate name userEE
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            40:5a:ae:72:ab:ef:ce:06:02:e2:d5:e2:57:07:0d:ed:
            81:8e:06:de
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=6WIND"
        Validity:
            Not Before: Wed Jul 21 15:53:13 2021
            Not After : Sun May 01 00:00:00 2022
        Subject: "O=it,CN=test"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
            (...)
        Signed Extensions:
         Name: Certificate Subject Alt Name
         DNS name: "*test.com"
         IP Address: 10.2.3.5
         Name: Certificate Basic Constraints
         Critical: True
         Data: Is not a CA.
(...)

The ca-name argument is the name of the CMP server certificate, which must have been imported beforehand. It may be the certificate of the CA itself or the certificate of an RA (Registration Authority).

The CA DN may optionally be specified with the issuer argument, typically when ca-name references an RA:

vsr running config# cmd certificate cmp enroll ca-name 6WINDRA name userEE url http://pki_host:port/cmp/client secret password subject /CN=test/O=it san *test.com,10.2.3.5 issuer "/CN=6WIND CA2"

See also

The cmp enroll command reference for details.

Certificate update

Updating a previously enrolled certificate is done with the rpc command cmd certificate cmp update. Note that a new private key is generated and the old certificate is overwritten.

This command generates a new RSA private key, then sends a CMP KUR (Key Update Request) message to the CMP server to request an update of the former certificate.

A different private key length or different Subject Alternative Name(s) may be specified:

vsr running config# cmd certificate cmp update ca-name 6WIND name userEE url http://pki_host:port/cmp/client private-key-length 4096 san new.com,172.0.1.2
OK.
vsr running config# show certificate name testEE
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            79:80:c5:ac:71:0a:b5:39:1b:fd:df:82:ac:49:e5:95:
            0a:20:19:74
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=6WIND"
        Validity:
            Not Before: Fri Jul 23 13:51:21 2021
            Not After : Sun May 01 00:00:00 2022
        Subject: "O=it,CN=test"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
            (...)
        Signed Extensions:
            Name: Certificate Subject Alt Name
            DNS name: "new.com"
            IP Address: 172.0.1.2
            Name: Certificate Basic Constraints
            Critical: True
            Data: Is not a CA.
        ..
    ..

As for the cmp enroll command, the CMP server certificate must have been imported beforehand and its name referenced in ca-name. It may be the CA itself or an RA.

See also

The cmp update command reference for details.