| A networking device may provide several security services
and protocols like SSL, SSH, IPSec/IKE etc. which need
identities in the form of X509 certificates. The device
uses these certificates (called identity certificates) to
authenticate itself to various clients communicating with
the device using these protocols and also to provide other
protection for the communication like confidentiality,
integrity and non-repudiation. In addition, the device may
need to authenticate the clients which involves, among
other things, verifying the certificates presented by the
clients (peer certificates) during the protocol exchanges.
The certificate verification, in turn, involves the
certificate revocation status checking and the certificate
signature verification. This MIB applies to the public key
infrastructure (PKI) participation feature which enables a
networking device to participate in one or more PKI
services (also called Certificate Authorities) enabling
it to obtain one or more X509 identity certificates for
its own use as well as to verify peer certificates.
This MIB organizes the various certificates, key-pairs and
Certificate Authority related information into the tables:
the trustpoint table for certificate and CA information
and a key-pair table for the key-pair information for each
type of key-pair such as RSA, DSA etc. An entry in the
trustpoint table corresponds to a trusted CA for obtaining
an identity certificate from and also for verifying the
peer certificates issued by that CA. The entry contains
information about the CA certificate, the identity
certificate - if obtained - from the CA, the corresponding
key-pair from a key-pair table (for which the identity
certificate was obtained) and the information needed for
revocation checking of certitifates issued by the CA.
For each type (RSA, DSA etc.) of key-pair supported by the
device, a key-pair table is present and contains an entry
for each key-pair of that type present in the device. This
allows future expansion of the MIB to support additional
key-pair types (currently only RSA key-pair is supported).
As seen above, a key-pair entry from a key-pair table can
be associated to an entry in the trustpoint table. A key-
pair entry can be associated to multiple trustpoint table
entries but not vice versa.
This MIB supports the certificate work-flow operations,
generally used for generating the key-pairs and obtaining
the certificates for them from various CAs. The following
are the steps in one typical work-flow:
1. create a trustpoint (an entry in trustpoint table) in
the device.
2. Authenticate a CA (this involves manually verifying the
CA certificate/chain fingerprints and then inputing the
CA certificate/chain into the trustpoint).
3. Generate a key-pair (an entry in key-pair table).
4. Associate the key-pair to the trustpoint.
5. Generate a pkcs#10 Certificate Signing Request (CSR) in
the trustpoint.
7. Submit CSR to the CA and get the identity certificate.
9. Input the identity certificate into the trustpoint.
In another typical certificate work-flow, the key-pair and
the corresponding identity certificate are allowed to be
generated/obtained outside the device by whatever means
and then input to the device in the pkcs#12 form.
This MIB does not support the configuration of individual
security services like SSL, SSH, IPsec/IKE etc. to use
particular trustpoints or certificates and key-pairs in
them. Instead the security services certificate usage
configuration is supported in the respective feature MIBs.
Glossary of the terms used in this MIB:
--------------------------------------
key-pair -
A pair of public-key cryptographic keys in which one is
public and the other private.
RSA key-pair -
A key-pair belonging to the RSA public-key cryptography
algorithm.
Certificate Authority (CA) -
A service which issues X509 certificates to certify the
identity (name) and public-key of end entities.
X509 -
A standard for certificates and CRLs.
Reference: RFC 2459.
CA certificate -
The self-signed certificate of a CA certifying its own
identity and public-key.
CA certificate chain -
If a CA is certified by another CA which, in turn, was
certified by a third CA and so on, ending in a CA which
is self-certified, the original CA is said to be a
subordinate CA and its CA certificate is a chain which
is the set of CA certificates of all CAs involved.
Identity certificate -
The certificate of a device issued by a CA in which the
device identity and public-key are certified.
Trustpoint -
The various information about a CA (including its CA
certificate/chain), which the device wants to trust so
that it can use it to enroll with the CA to g et an
identity certificate and/or use it to verify the peer
certificates issed by the CA.
Certificate fingerptint -
The digest of a certificate computed using MD5 or SHA
hash algorithm.
CA authentication -
The process of configuring the CA certificate/chain for
a trustpoint. The process involves calculating the
fingerprints of the CA certificates and verifying them
against the same already published by the CAs.
Enrollment -
The process of creating a Certificate Signing Request in
a trustpoint, submitting it to corresponding CA, getting
back the identity certificate and inputing it into the
trustpoint.
Certificate verification -
The process of verifying the signature on a certificate
to see if it was really signed by the CA who issued it.
This verification process uses the CA certificate/chain.
The certificate verification also involves verifying the
validity of certificate with respect to current time by
checking against the validity interval given in the
certificate and the revocation status of the certificate
as maintained by the CA.
Certificate Signing Request (CSR) -
A request to a CA for signing a certificate of an entity.
The request contains the public key, the name and other
attributes of the entity.
pkcs#10 -
A standard syntax for the CSR, Reference: RFC 2986.
pkcs#12 -
A standard for exporting and importing a certificate
along with associated key-pair and CA certificate/chain.
Reference: PKCS #12 v1.0: Personal Information Exchange
Syntax Standard, RSA Laboratories, June 24, 1999
CRL -
Certificate Revocation List, a list of certificates that
are revoked, as maintained by a CA.
OCSP -
Online Certificate Staus Protocol, a protocol for online
checking of the revocation status of certificates.
PEM format -
A printable text encoding format for certificates,
key-pairs and CRLs, as employed by the Privacy Enhanced
Mail standard. Reference: RFCs 1421-1424.
|
