CISCO-PKI-PARTICIPATION-MIB.mib
-- *********************************************************************
-- CISCO-PKI-PARTICIPATION-MIB.my: Cisco Public Key Infrastructure
-- Participation MIB
--
-- May 2005, Ramachandran V R
--
-- Copyright (c) 2005 by cisco Systems, Inc.
-- All rights reserved.
--
-- *********************************************************************
CISCO-PKI-PARTICIPATION-MIB DEFINITIONS ::= BEGIN
IMPORTS
MODULE-IDENTITY,
OBJECT-TYPE,
Unsigned32
FROM SNMPv2-SMI
MODULE-COMPLIANCE,
OBJECT-GROUP
FROM SNMPv2-CONF
TEXTUAL-CONVENTION,
DateAndTime, TruthValue, StorageType, RowStatus
FROM SNMPv2-TC
SnmpAdminString
FROM SNMP-FRAMEWORK-MIB
ciscoMgmt
FROM CISCO-SMI;
cpkiMIB MODULE-IDENTITY
LAST-UPDATED "200510220000Z"
ORGANIZATION "Cisco Systems, Inc."
CONTACT-INFO
" Cisco Systems
Network Management Technology Group
Postal: 170 W Tasman Drive
San Jose, CA 95134
USA
Tel: +1 800 553-NETS
E-mail: [email protected]"
DESCRIPTION
"A networking device may provide several security services
and protocols like SSL, SSH, IPSec/IKE etc. which need
identities in the form of X509 certificates. The device
uses these certificates (called identity certificates) to
authenticate itself to various clients communicating with
the device using these protocols and also to provide other
protection for the communication like confidentiality,
integrity and non-repudiation. In addition, the device may
need to authenticate the clients which involves, among
other things, verifying the certificates presented by the
clients (peer certificates) during the protocol exchanges.
The certificate verification, in turn, involves the
certificate revocation status checking and the certificate
signature verification. This MIB applies to the public key
infrastructure (PKI) participation feature which enables a
networking device to participate in one or more PKI
services (also called Certificate Authorities) enabling
it to obtain one or more X509 identity certificates for
its own use as well as to verify peer certificates.
This MIB organizes the various certificates, key-pairs and
Certificate Authority related information into the tables:
the trustpoint table for certificate and CA information
and a key-pair table for the key-pair information for each
type of key-pair such as RSA, DSA etc. An entry in the
trustpoint table corresponds to a trusted CA for obtaining
an identity certificate from and also for verifying the
peer certificates issued by that CA. The entry contains
information about the CA certificate, the identity
certificate - if obtained - from the CA, the corresponding
key-pair from a key-pair table (for which the identity
certificate was obtained) and the information needed for
revocation checking of certificates issued by the CA.
For each type (RSA, DSA etc.) of key-pair supported by the
device, a key-pair table is present and contains an entry
for each key-pair of that type present in the device. This
allows future expansion of the MIB to support additional
key-pair types (currently only RSA key-pair is supported).
As seen above, a key-pair entry from a key-pair table can
be associated to an entry in the trustpoint table. A key-
pair entry can be associated to multiple trustpoint table
entries but not vice versa.
This MIB supports the certificate work-flow operations,
generally used for generating the key-pairs and obtaining
the certificates for them from various CAs. The following
are the steps in one typical work-flow:
1. Create a trustpoint (an entry in trustpoint table) in
the device.
2. Authenticate a CA (this involves manually verifying the
CA certificate/chain fingerprints and then inputting the
CA certificate/chain into the trustpoint).
3. Generate a key-pair (an entry in key-pair table).
4. Associate the key-pair to the trustpoint.
5. Generate a pkcs#10 Certificate Signing Request (CSR) in
the trustpoint.
6. Submit CSR to the CA and get the identity certificate.
7. Input the identity certificate into the trustpoint.
In another typical certificate work-flow, the key-pair and
the corresponding identity certificate are allowed to be
generated/obtained outside the device by whatever means
and then input to the device in the pkcs#12 form.
This MIB does not support the configuration of individual
security services like SSL, SSH, IPsec/IKE etc. to use
particular trustpoints or certificates and key-pairs in
them. Instead the security services certificate usage
configuration is supported in the respective feature MIBs.
Glossary of the terms used in this MIB:
--------------------------------------
key-pair -
A pair of public-key cryptographic keys in which one is
public and the other private.
RSA key-pair -
A key-pair belonging to the RSA public-key cryptography
algorithm.
Certificate Authority (CA) -
A service which issues X509 certificates to certify the
identity (name) and public-key of end entities.
X509 -
A standard for certificates and CRLs.
Reference: RFC 2459.
CA certificate -
The self-signed certificate of a CA certifying its own
identity and public-key.
CA certificate chain -
If a CA is certified by another CA which, in turn, was
certified by a third CA and so on, ending in a CA which
is self-certified, the original CA is said to be a
subordinate CA and its CA certificate is a chain which
is the set of CA certificates of all CAs involved.
Identity certificate -
The certificate of a device issued by a CA in which the
device identity and public-key are certified.
Trustpoint -
The various information about a CA (including its CA
certificate/chain), which the device wants to trust so
that it can use it to enroll with the CA to get an
identity certificate and/or use it to verify the peer
certificates issued by the CA.
Certificate fingerprint -
The digest of a certificate computed using MD5 or SHA
hash algorithm.
CA authentication -
The process of configuring the CA certificate/chain for
a trustpoint. The process involves calculating the
fingerprints of the CA certificates and verifying them
against the same already published by the CAs.
Enrollment -
The process of creating a Certificate Signing Request in
a trustpoint, submitting it to corresponding CA, getting
back the identity certificate and inputting it into the
trustpoint.
Certificate verification -
The process of verifying the signature on a certificate
to see if it was really signed by the CA who issued it.
This verification process uses the CA certificate/chain.
The certificate verification also involves verifying the
validity of certificate with respect to current time by
checking against the validity interval given in the
certificate and the revocation status of the certificate
as maintained by the CA.
Certificate Signing Request (CSR) -
A request to a CA for signing a certificate of an entity.
The request contains the public key, the name and other
attributes of the entity.
pkcs#10 -
A standard syntax for the CSR, Reference: RFC 2986.
pkcs#12 -
A standard for exporting and importing a certificate
along with associated key-pair and CA certificate/chain.
Reference: PKCS #12 v1.0: Personal Information Exchange
Syntax Standard, RSA Laboratories, June 24, 1999
CRL -
Certificate Revocation List, a list of certificates that
are revoked, as maintained by a CA.
OCSP -
Online Certificate Status Protocol, a protocol for online
checking of the revocation status of certificates.
PEM format -
A printable text encoding format for certificates,
key-pairs and CRLs, as employed by the Privacy Enhanced
Mail standard. Reference: RFCs 1421-1424.
"
REVISION "200510220000Z"
DESCRIPTION
"Initial version."
::= { ciscoMgmt 505 }
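To make the preconditions of the work-flow above concrete, here is an added Python model of one trustpoint row driven through cpkiAction (my example, not Cisco code and not part of the MIB). It encodes only the rules the MIB text states for 'caauth', 'certconfirm'/'certnoconfirm', 'cadelete', 'certreq' and 'certimport', and the inconsistentValue error on a set while the last result is inProgress; file names, the bootflash: URLs and the fingerprint are constructed placeholders.

```python
"""Manager-side model of one cpkiTrustPointTable row driven through the
cpkiAction work-flow. Added example, not Cisco code and not part of the
MIB. It enforces only preconditions the MIB text states; certificate
contents, fingerprints and file names are constructed placeholders."""
import hashlib
from dataclasses import dataclass
from enum import IntEnum


class Action(IntEnum):  # subset of the CiscoPkiAction enumeration
    NOOP = 1
    CAAUTH = 2
    CADELETE = 3
    CERTREQ = 4
    CERTIMPORT = 5
    CERTCONFIRM = 9
    CERTNOCONFIRM = 10


class Result(IntEnum):  # CiscoPkiActionResult
    NONE = 1
    SUCCESS = 2
    FAILED = 3
    IN_PROGRESS = 4
    NEED_CONFIRM = 5


class InconsistentValue(Exception):
    """Stands in for the SNMP inconsistentValue error on an illegal set."""


def placeholder_fingerprint(pem_url):
    """Stand-in for the MD5 fingerprint the device computes over the CA
    certificate; here it hashes the URL string only (constructed value)."""
    return hashlib.md5(pem_url.encode()).hexdigest().upper()


@dataclass
class TrustPoint:
    name: str                       # cpkiTrustPointName
    key_pair_name: str = ""         # cpkiKeyPairName, "" until associated
    id_cert_file: str = ""          # cpkiIdCertFileName, "" until imported
    issuer_cert_file: str = ""      # cpkiIssuerCertFileName, "" until confirmed
    issuer_fingerprint: str = ""    # cpkiIssuerCertFingerPrint
    action_url: str = ""            # cpkiActionUrl
    last_action: Action = Action.NOOP
    last_result: Result = Result.NONE
    failure_reason: str = ""        # cpkiLastActionFailureReason
    pending_ca_url: str = ""        # 'caauth' awaiting certconfirm/certnoconfirm
    csr_generated: bool = False     # a 'certreq' succeeded on this row

    def set_action(self, action, url="", password=""):
        """Model a SET of cpkiAction with cpkiActionUrl/cpkiActionPassword;
        returns the new cpkiLastActionResult."""
        if self.last_result == Result.IN_PROGRESS:
            raise InconsistentValue("cpkiLastActionResult is inProgress")
        self.last_action, self.action_url = action, url
        try:
            self.last_result = self._run(action, url, password)
            self.failure_reason = ""
        except ValueError as err:
            self.last_result, self.failure_reason = Result.FAILED, str(err)
        return self.last_result

    def _run(self, action, url, password):
        on_bootflash = url.startswith("bootflash:")
        if action == Action.NOOP:
            return Result.SUCCESS
        if action == Action.CAAUTH:  # CA cert/chain in PEM on bootflash
            if not on_bootflash:
                raise ValueError("cpkiActionUrl must be 'bootflash:<filename>'")
            self.pending_ca_url = url
            self.issuer_fingerprint = placeholder_fingerprint(url)
            return Result.NEED_CONFIRM  # operator must verify the fingerprint
        if action in (Action.CERTCONFIRM, Action.CERTNOCONFIRM):
            if not self.pending_ca_url:
                raise ValueError("no 'caauth' is awaiting confirmation")
            if action == Action.CERTCONFIRM:
                self.issuer_cert_file = f"/pki/{self.name}-ca.pem"  # constructed
            else:
                self.issuer_fingerprint = ""  # rejected: nothing installed
            self.pending_ca_url = ""
            return Result.SUCCESS
        if action == Action.CADELETE:
            if not self.issuer_cert_file:
                raise ValueError("no CA certificate configured via 'caauth'")
            self.issuer_cert_file = self.issuer_fingerprint = ""
            return Result.SUCCESS
        if action == Action.CERTREQ:  # pkcs#10 CSR; challenge password optional
            if not self.key_pair_name:
                raise ValueError("cpkiKeyPairName is empty; associate a key-pair")
            if not self.issuer_cert_file:
                raise ValueError("no CA certificate configured via 'caauth'")
            self.action_url = f"bootflash:{self.name}.csr"  # where the PEM CSR lands
            self.csr_generated = True
            return Result.SUCCESS
        if action == Action.CERTIMPORT:  # identity cert for the earlier CSR
            if not self.csr_generated:
                raise ValueError("no CSR generated yet; run 'certreq' first")
            if not on_bootflash:
                raise ValueError("cpkiActionUrl must be 'bootflash:<filename>'")
            self.id_cert_file = f"/pki/{self.name}-id.pem"  # constructed
            return Result.SUCCESS
        raise ValueError(f"action {action.name} is not modelled here")
```

Each failed precondition lands in failure_reason, mirroring cpkiLastActionFailureReason, so a manager can tell an out-of-order work-flow from a genuine CA problem.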
--
-- Objects, Notifications & Conformances
--
cpkiMIBNotifs OBJECT IDENTIFIER
::= { cpkiMIB 0 }
cpkiMIBObjects OBJECT IDENTIFIER
::= { cpkiMIB 1 }
cpkiMIBConform OBJECT IDENTIFIER
::= { cpkiMIB 2 }
cpkiConfig OBJECT IDENTIFIER
::= { cpkiMIBObjects 1 }
--
-- Textual Conventions
--
CiscoPkiAction ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"The PKI Support Actions for performing the certificate
work-flow operations.
'noop' - No operation
'caauth' - Certificate Authority (CA) authentication.
This operation is provided to authenticate
a CA and install its CA certificate/chain
in a trustpoint. This action needs to be
followed up with the 'certconfirm' or
'certnoconfirm' action explained below.
'cadelete' - CA Certificate/chain deletion. This
operation is provided to delete the CA
certificate/chain from a trustpoint.
'certreq' - Identity certificate Request creation. This
operation is provided to generate a pkcs#10
format certificate request needed to obtain
an identity certificate from a CA.
'certimport' - Identity certificate import. This
operation is provided to install an
identity certificate obtained from a CA
for an earlier certificate request, in
a trustpoint.
'certdelete' - Identity certificate deletion. This
operation is provided to delete the
identity certificate from a trustpoint.
If the certificate is the only generic
certificate in the device, delete is not
allowed; 'forcecertdelete' operation needs
to be used to force the delete.
'pkcs12import' - This operation is provided to facilitate
the importing of the identity
certificate, corresponding key-pair and
CA certificate/chain in pkcs#12 format
into a trustpoint.
'pkcs12export' - This operation is provided to facilitate
the exporting of the key-pair, identity
certificate and the CA certificate in
pkcs#12 format from a trustpoint.
'certconfirm' - This operation is provided to confirm the
acceptability of a certificate after
manual verification of its fingerprint
subsequent to the action 'caauth', thereby
completing that action and installing
the certificate in the trustpoint.
'certnoconfirm' - This operation is provided to confirm
the unacceptability of a certificate
after the manual verification of its
fingerprint subsequent to the action
'caauth', thereby rejecting the
certificate and completing that action.
'forcecertdelete' - Same as 'certdelete' except it forces
the delete.
'crlimport' - CRL import. This operation is provided to
import a CRL into a trustpoint.
'crldelete' - CRL delete. This operation is provided to
delete the CRL from a trustpoint.
"
SYNTAX INTEGER {
noop (1),
caauth (2),
cadelete (3),
certreq (4),
certimport (5),
certdelete (6),
pkcs12import (7),
pkcs12export (8),
certconfirm (9),
certnoconfirm (10),
forcecertdelete (11),
crlimport (12),
crldelete (13)
}
CiscoPkiActionResult ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"Result of the PKI Support action performed. An instance
of this TC corresponds to an instance of the TC
CiscoPkiAction.
'none' - No action was performed yet.
'success' - Execution of the action triggered is
completed successfully.
'failed' - Execution of the action triggered has
failed.
'inProgress' - Execution of the action triggered is
in progress.
'needConfirm' - Further continuation of execution of
the action triggered requires
confirmation from the user.
"
SYNTAX INTEGER {
none (1),
success (2),
failed (3),
inProgress (4),
needConfirm (5)
}
--
-- The RSA key-pair entries
--
cpkiRSAKeyPairTable OBJECT-TYPE
SYNTAX SEQUENCE OF CpkiRSAKeyPairEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A list of RSA key-pair entries."
::= { cpkiConfig 1 }
cpkiRSAKeyPairEntry OBJECT-TYPE
SYNTAX CpkiRSAKeyPairEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The RSA key-pair entry. The entry specifies the key-pair
name, size, whether it is exportable and the filename
where the key-pair is stored. Each entry corresponds
to an RSA key-pair generated internally in the device or
imported from outside. When a new entry is created, a
new RSA key-pair is generated in the device and stored
in a corresponding file. When an entry is deleted through
row deletion, the corresponding key-pair is destroyed. The
entry is not allowed to be modified after creation as a
key-pair is not modifiable after its generation.
"
INDEX { cpkiRSAKeyPairName }
::= { cpkiRSAKeyPairTable 1 }
CpkiRSAKeyPairEntry ::=
SEQUENCE {
cpkiRSAKeyPairName SnmpAdminString,
cpkiRSAKeyPairId Unsigned32,
cpkiRSAKeyPairSize INTEGER,
cpkiRSAPvtKeyFileName SnmpAdminString,
cpkiRSAKeyPairExportable TruthValue,
cpkiRSAKeyPairStorageType StorageType,
cpkiRSAKeyPairConfigRowStatus RowStatus
}
cpkiRSAKeyPairName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE (1..64))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The unique name or label of key-pair."
::= { cpkiRSAKeyPairEntry 1 }
cpkiRSAKeyPairId OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique identification number of the RSA key-pair.
This is included to support ordered lists of RSA
key-pairs when needed. One such scenario where such
ordered list may be needed is for per application
configuration of key-pairs."
::= { cpkiRSAKeyPairEntry 2 }
cpkiRSAKeyPairSize OBJECT-TYPE
SYNTAX INTEGER {
rsa512 (1), -- 512-bit RSA key
rsa768 (2), -- 768-bit RSA key
rsa1024 (3), -- 1024-bit RSA key
rsa1536 (4), -- 1536-bit RSA key
rsa2048 (5) -- 2048-bit RSA key
}
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The size of the key.
The following modulus sizes are defined:
512-bit, 768-bit, 1024-bit, 1536-bit and 2048-bit.
Once created, the size cannot be changed. After
key-pair has been deleted through row deletion,
the entry can be created again with another size.
"
DEFVAL { rsa512 }
::= { cpkiRSAKeyPairEntry 3 }
cpkiRSAPvtKeyFileName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE (0..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The name of the file storing the RSA private key.
This filename is automatically generated from the
key-pair name. It is a unix style '/' separated string
representing the absolute path of the file in the
file system of the device."
::= { cpkiRSAKeyPairEntry 4 }
cpkiRSAKeyPairExportable OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The key-pair is exportable through the 'pkcs12export'
PKI support action. Once created, the exportable flag
value cannot be changed. After key-pair has been
deleted through row deletion, the entry can be created
again with another value for the exportable flag."
DEFVAL { true }
::= { cpkiRSAKeyPairEntry 5 }
cpkiRSAKeyPairStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The storage type for this conceptual row."
DEFVAL { nonVolatile }
::= { cpkiRSAKeyPairEntry 6 }
cpkiRSAKeyPairConfigRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The conceptual row status of the key-pair entry.
Deleting an entry through row delete will fail if the
entry is being pointed to from an instance from
cpkiTrustPointTable.
The objects in the entry may not be modified while
the value of this object is active(1).
An attempt to set these objects while the value of
cpkiRSAKeyPairConfigRowStatus is active(1) will
result in an inconsistentValue error."
::= { cpkiRSAKeyPairEntry 7 }
--
-- The trustpoint entries
--
cpkiTrustPointTable OBJECT-TYPE
SYNTAX SEQUENCE OF CpkiTrustPointEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A list of trustpoint, associated key-pair,
certificates and revocation checking
configuration entries.
The table also provides control, actions, current
operating state information and last action result
information for the certificate work-flow if being
carried out using the PKI support actions."
::= { cpkiConfig 2 }
cpkiTrustPointEntry OBJECT-TYPE
SYNTAX CpkiTrustPointEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The trustpoint configuration entry. This entry
specifies the trustpoint name, the associated key-pair
index, the identity certificate filename, some important
attributes in the identity certificate and the issuer
(CA) certificate filename and important attributes in the
issuer certificate.
The entry also specifies the certificate revocation
checking methods and OCSP URL configuration.
"
INDEX { cpkiTrustPointName }
::= { cpkiTrustPointTable 1 }
CpkiTrustPointEntry ::=
SEQUENCE {
cpkiTrustPointName SnmpAdminString,
cpkiTrustPointId Unsigned32,
cpkiKeyPairName SnmpAdminString,
cpkiIdCertFileName SnmpAdminString,
cpkiIdCertSubjectName SnmpAdminString,
cpkiIdCertSerialNum SnmpAdminString,
cpkiIdCertStartDate DateAndTime,
cpkiIdCertEndDate DateAndTime,
cpkiIdCertFingerPrint SnmpAdminString,
cpkiIssuerCertFileName SnmpAdminString,
cpkiIssuerCertSubjectName SnmpAdminString,
cpkiIssuerCertSerialNum SnmpAdminString,
cpkiIssuerCertStartDate DateAndTime,
cpkiIssuerCertEndDate DateAndTime,
cpkiIssuerCertFingerPrint SnmpAdminString,
cpkiRevokeCheckMethods OCTET STRING,
cpkiOCSPurl SnmpAdminString,
cpkiAction CiscoPkiAction,
cpkiActionUrl SnmpAdminString,
cpkiActionPassword SnmpAdminString,
cpkiLastAction CiscoPkiAction,
cpkiLastActionResult CiscoPkiActionResult,
cpkiLastActionFailureReason SnmpAdminString,
cpkiTrustPointStorageType StorageType,
cpkiTrustPointConfigRowStatus RowStatus
}
cpkiTrustPointName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE (1..64))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The unique name or label of a trustpoint."
::= { cpkiTrustPointEntry 1 }
cpkiTrustPointId OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A unique identification number of the trustpoint.
This is included to support ordered lists of trustpoints
when needed. One such scenario where such ordered list
may be needed is for per application configuration of
trustpoints for certificate selection"
::= { cpkiTrustPointEntry 2 }
cpkiKeyPairName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE (0..64))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The name of the associated key-pair from a key-pair
table. If a key-pair is not yet associated, the value
of this object will be a zero length string.
If a key-pair is already associated, it can be modified
only if the identity certificate is absent as indicated
by a non-zero length string value of the object
cpkiIssuerCertFileName. This is because of the fact that
the identity certificate is certifying this key-pair."
::= { cpkiTrustPointEntry 3 }
cpkiIdCertFileName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE (0..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The name of the file storing the identity
certificate. It is a unix style '/' separated string
representing the absolute path of the file in the
file system of the device. If there is no identity
certificate obtained as yet, the value of this object
will be a zero length string.
This object gets its non-zero length string value
after a successful 'certimport' or 'pkcs12import'
PKI support action triggered on the object cpkiAction.
This object gets set to zero length string when the
identity certificate is deleted through a successful
'certdelete' action triggered on the object
cpkiAction."
::= { cpkiTrustPointEntry 4 }
cpkiIdCertSubjectName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE (0..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The subject name of the identity certificate.
If there is no certificate (as indicated by a zero
length string value of the object cpkiIdCertFileName)
or no subject name in the certificate, the value of
this object will be a zero length string."
REFERENCE
"RFC 2459, Internet X.509 Public Key Infrastructure
Certificate and CRL Profile, Section 4.1.2.6"
::= { cpkiTrustPointEntry 5 }
cpkiIdCertSerialNum OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE (0..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The serial number of the identity certificate.
If there is no certificate (as indicated by a zero
length string value of the object cpkiIdCertFileName),
the value of this object will be a zero length string."
REFERENCE
"RFC 2459, Internet X.509 Public Key Infrastructure
Certificate and CRL Profile, Section 4.1.2.2"
::= { cpkiTrustPointEntry 6 }
cpkiIdCertStartDate OBJECT-TYPE
SYNTAX DateAndTime
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The time when the identity certificate starts to be
valid, corresponding to the notBefore field in the
certificate.
If there is no certificate (as indicated by a zero
length string value of the object cpkiIdCertFileName),
the value of this object will be a zero length string."
REFERENCE
"RFC 2459, Internet X.509 Public Key Infrastructure
Certificate and CRL Profile, Section 4.1.2.5"
::= { cpkiTrustPointEntry 7 }
cpkiIdCertEndDate OBJECT-TYPE
SYNTAX DateAndTime
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The time when the identity certificate validity ends,
corresponding to the notAfter field in the
certificate.
If there is no certificate (as indicated by the zero
length string value of the object cpkiIdCertFileName),
the value of this object will be a zero length string."
REFERENCE
"RFC 2459, Internet X.509 Public Key Infrastructure
Certificate and CRL Profile, Section 4.1.2.5"
::= { cpkiTrustPointEntry 8 }
cpkiIdCertFingerPrint OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE (0..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The MD5 fingerprint of the identity certificate in
HEX string format.
If there is no certificate (as indicated by a zero
length string value of the object cpkiIdCertFileName),
the value of this object will be a zero length string."
::= { cpkiTrustPointEntry 9 }
cpkiIssuerCertFileName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE (0..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The name of the file storing the issuer certificate.
It is a unix style '/' separated string representing
the absolute path of the file in the file system of
the device. If there is no issuer certificate obtained
yet, the value of this object will be a zero length
string.
This object gets its non-zero length string value
after a successful 'caauth' PKI support action
triggered on the object cpkiAction.
This object gets set to zero length string when the
issuer certificate is deleted through a successful
'cadelete' action triggered on the object
cpkiAction."
::= { cpkiTrustPointEntry 10 }
cpkiIssuerCertSubjectName OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE (0..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The issuer name (subject name in issuer certificate
which will be the same as the issuer name in the
identity certificate if present).
If there is no certificate (as indicated by a zero
length string value of the object cpkiIssuerCertFileName),
the value will be a zero length string."
REFERENCE
"1. RFC 2459, Internet X.509 Public Key Infrastructure
Certificate and CRL Profile, Section 4.1.2.6
2. RFC 2459, Internet X.509 Public Key Infrastructure
Certificate and CRL Profile, Section 5.1.2.3"
::= { cpkiTrustPointEntry 11 }
cpkiIssuerCertSerialNum OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE (0..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The serial number of the issuer certificate.
If there is no certificate (as indicated by a zero
length string value of the object
cpkiIssuerCertFileName), the value will be a zero
length string."
REFERENCE
"RFC 2459, Internet X.509 Public Key Infrastructure
Certificate and CRL Profile, Section 4.1.2.2"
::= { cpkiTrustPointEntry 12 }
cpkiIssuerCertStartDate OBJECT-TYPE
SYNTAX DateAndTime
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The time when the issuer certificate starts to be
valid, corresponding to the notBefore field in the
certificate.
If there is no certificate (as indicated by a zero
length string value of the object
cpkiIssuerCertFileName), the value will be a zero
length string."
REFERENCE
"RFC 2459, Internet X.509 Public Key Infrastructure
Certificate and CRL Profile, Section 4.1.2.5"
::= { cpkiTrustPointEntry 13 }
cpkiIssuerCertEndDate OBJECT-TYPE
SYNTAX DateAndTime
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The time when the issuer certificate validity ends,
corresponding to the notAfter field in the
certificate.
If there is no certificate (as indicated by a zero
length string value of the object
cpkiIssuerCertFileName), the value will be a zero
length string."
REFERENCE
"RFC 2459, Internet X.509 Public Key Infrastructure
Certificate and CRL Profile, Section 4.1.2.5"
::= { cpkiTrustPointEntry 14 }
cpkiIssuerCertFingerPrint OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE (0..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The MD5 fingerprint of the issuer's certificate in
HEX string format.
If there is no certificate (as indicated by a
zero length string value of cpkiIssuerCertFileName),
the value of this object will be a zero length string."
::= { cpkiTrustPointEntry 15 }
cpkiRevokeCheckMethods OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (16))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"Revocation checking methods list which is an ordered
list of certificate revocation checking methods to be
employed while verifying peer certificates issued by
the CA corresponding to this trust point entry.
The value of this object is an ordered list of one or
more 1-octet values, where each 1-octet value
corresponds to a method in the revocation checking method
enumeration:
none (1) - No revocation status checking needed;
instead consider the certificate as
not revoked.
crl (2) - Use CRL for checking the revocation
status of certificates.
ocsp (3) - Use OCSP for checking the revocation
status of certificates.
If 'none' occurs in the list, it should be the last value.
The octets after the last value in the ordered list
should be zero octets.
The order in which the revocation checking methods
occur within the value of this object determines
the order the revocation checking methods are attempted
during the verification of a peer certificate.
The default value of this object (after row creation)
contains only the revocation checking method 'crl'."
DEFVAL { '02000000000000000000000000000000'H }
::= { cpkiTrustPointEntry 16 }
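As an added example (my code, not part of the Cisco MIB), the following Python encodes and decodes the 16-octet cpkiRevokeCheckMethods value using only the rules the DESCRIPTION above states: one or more 1-octet method codes in order, 'none' only as the last value, zero octets after the last value, and the DEFVAL of a single 'crl'. The ends_with_none audit helper is my addition for reviewing polled trustpoint rows.

```python
"""Encoder/decoder for cpkiRevokeCheckMethods, the OCTET STRING (SIZE (16))
defined above. Added example, not part of the Cisco MIB; it implements only
the rules the DESCRIPTION states."""
from enum import IntEnum


class RevokeCheckMethod(IntEnum):
    NONE = 1  # no revocation check; the certificate is treated as not revoked
    CRL = 2   # check a CRL
    OCSP = 3  # query an OCSP responder


OCTET_STRING_SIZE = 16
# DEFVAL { '02000000000000000000000000000000'H } from the MIB: 'crl' only
DEFVAL = bytes.fromhex("02000000000000000000000000000000")


def encode_methods(methods):
    """Return the 16-octet value for an ordered list of method codes,
    or raise ValueError when the list breaks a rule stated in the MIB."""
    methods = [RevokeCheckMethod(m) for m in methods]  # rejects unknown codes
    if not methods:
        raise ValueError("at least one method is required")
    if len(methods) > OCTET_STRING_SIZE:
        raise ValueError(f"at most {OCTET_STRING_SIZE} methods fit")
    if RevokeCheckMethod.NONE in methods[:-1]:
        raise ValueError("'none' must be the last value in the list")
    body = bytes(methods)
    return body + b"\x00" * (OCTET_STRING_SIZE - len(body))  # zero padding


def decode_methods(value):
    """Parse a polled 16-octet value back into an ordered method list,
    rejecting values that violate the padding or ordering rules."""
    if len(value) != OCTET_STRING_SIZE:
        raise ValueError(f"value must be exactly {OCTET_STRING_SIZE} octets")
    methods = []
    in_padding = False
    for octet in value:
        if octet == 0:
            in_padding = True  # every octet after the last method is zero
            continue
        if in_padding:
            raise ValueError("non-zero octet after the zero padding")
        try:
            methods.append(RevokeCheckMethod(octet))
        except ValueError:
            raise ValueError(f"unknown revocation method code {octet}") from None
    encode_methods(methods)  # re-applies the "'none' must be last" rule
    return methods


def ends_with_none(value):
    """Audit helper: True when the configured list ends in 'none', which the
    MIB defines as treating the certificate as not revoked. A list that is
    only 'none' means no revocation checking at all for that trustpoint."""
    return decode_methods(value)[-1] == RevokeCheckMethod.NONE
```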
cpkiOCSPurl OBJECT-TYPE
SYNTAX SnmpAdminString (SIZE (0..255))
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The contact http url of the external OCSP server for
certificate revocation checking using OCSP protocol.
The default value of this object (after row creation)
is a zero length string."
DEFVAL { ''H }
::= { cpkiTrustPointEntry 17 }
cpkiAction OBJECT-TYPE
SYNTAX CiscoPkiAction
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The PKI support action to be triggered for this
trustpoint entry.
The PKI support actions are steps in the certificate
work-flow used to facilitate the configuration of the
RSA key-pair, identity certificate and CA certificates
in a trustpoint. A PKI support action is triggered by
setting this object to the corresponding value as defined
in TC CiscoPkiAction. The value of this object and the
values of the objects cpkiActionUrl and cpkiActionPassword
are interpreted and applied together as single action
trigger. All these actions operate over the trustpoint
and modify appropriate columns in the entry.
An attempt to set this object when the value of the
object cpkiLastActionResult is 'inProgress' will result in an
inconsistentValue error.
The work-flow nature of certificate operations requires
that the trustpoint entry already exists. Some of the
operation requires that some other previous operations
are already performed successfully, as seen below.
The following is a brief of each action semantics, its
parameters and the result:
'caauth' - This action is used to authenticate a CA and
configure its CA certificate/chain in this trustpoint. This
is generally the first step in a certificate work-flow.
It requires the parameter objects cpkiActionUrl and
cpkiActionPassword set with appropriate values. The CA
certificate/chain being installed should be available in
PEM format in a file on bootflash. The filename is
specified as 'bootflash:<filename>' as the value of the
object cpkiActionUrl. On successful completion of the
operation, the CA certificate fingerprint will be
available as the value of the object
cpkiIssuerCertFingerPrint and the value of the object
cpkiLastActionResult will be 'needConfirm'. This action
is to be followed up with a subsequent 'certconfirm' or
'certnoconfirm' as explained later, to complete the CA
authentication process.
'cadelete' - This action is used to delete the CA
certificate/chain from this trustpoint. On successful
completion of the operation, the values of all issuer
certificate related objects (cpkiIssuerCertFileName
etc.) in this trustpoint entry will be zero length strings.
For this action to succeed, a CA certificate/chain should
have been already configured through the 'caauth' action.
'certreq' - This action is used to generate a pkcs#10
certificate signing request (CSR) needed to obtain an
identity certificate from the CA corresponding to this
trustpoint entry. This entry should have a key-pair
already associated (as indicated by non-zero value of
cpkiKeyPairIndex in the entry). Also the CA certificate/
chain should have been already configured through the
'caauth' action. This action requires the parameter
object cpkiActionPassword to be set with a password string
which will be used as the 'challenge password' attribute
in the CSR being created (the password being optional, it
should be a zero length string if no password is being
specified). On successful completion of the operation, the
value of the object cpkiActionUrl will contain a file name
string in the format 'bootflash:<filename>' which will
contain the CSR generated in PEM format. This CSR has to be
submitted to the CA to get the identity certificate. The
process of submitting CSR to the CA and getting the identity
certificate is a step not supported by this MIB currently.
Once the identity certificate is obtained, it has to be
installed in this trustpoint with a subsequent 'certimport'
action explained next.
'certimport' - This action is used to import into this
trustpoint an identity certificate obtained from the
corresponding CA for an earlier CSR generated (previous
operation 'certreq'). It requires that the identity
certificate being installed be available in PEM format in a
file on bootflash. The filename is specified as
'bootflash:<filename>' as the value of the object
cpkiActionUrl. On successful completion of the operation,
the values of all identity certificate related objects
(cpkiIdCertFileName etc.) in this entry will get filled
with the appropriate strings as per the corresponding
attributes in the identity certificate.
'certdelete' - This action is used to delete the identity
certificate from this trustpoint. On successful completion
of the operation, the values of all identity certificate
related objects (cpkiIdCertFileName etc.) in this entry
will become zero length strings.
'pkcs12import' - This action is used to import the
key-pair, identity certificate and the CA certificate/chain
in pkcs#12 format into this trustpoint. It requires
that the file containing the import data be
available on bootflash and whose filename be specified as
'bootflash:<filename>' as the value of the object
cpkiActionUrl. It also requires the parameter
object cpkiActionPassword to be set with the password
string used to decode the pkcs#12 data. On
successful completion of the operation, an entry in the
cpkiRSAKeyPairTable will be created corresponding to the
imported key-pair and it will be named using the trustpoint
name specified. Secondly, the values of all identity
certificate related objects (cpkiIdCertFileName etc.)
and the values of all issuer certificate related objects
(cpkiIssuerCertFileName etc.) in this entry will get filled
with the appropriate strings as per the corresponding
attributes in the identity and CA certificates
respectively.
'pkcs12export' - This action is used to export the
key-pair, identity certificate and the CA certificate/chain
in pkcs#12 format from this trustpoint. It requires that
the filename to contain the exported data be specified as
'bootflash:<filename>' as the value of the object
cpkiActionUrl. It also requires the parameter
object cpkiActionPassword to be set with the password
string used to encode the pkcs#12 data. On successful
completion of the operation, the exported data will be
available on bootflash in the specified file. Because the
exported file contains the private key, the password
protecting it should be strong and the file should be
removed from bootflash once it has been retrieved.
'certconfirm' - This action is used to confirm as
acceptable the certificate fingerprint for the action
'caauth' in this trustpoint. As mentioned earlier, the
certificate fingerprint is available as the value of the
object cpkiIssuerCertFingerPrint and the value of the
object cpkiActionResult will be 'needConfirm' after a
successful 'caauth' action on a trustpoint. On successful
completion of the 'certconfirm' operation, values of all
issuer certificate related objects (cpkiIssuerCertFileName
etc.) in this entry get filled with the appropriate strings
as per the attributes in the CA certificate.
'certnoconfirm' - This action is used to reject as not
acceptable the certificate fingerprint for the action
'caauth'. As mentioned earlier, the certificate fingerprint
is available as the value of the object
cpkiIssuerCertFingerPrint and the value of the object
cpkiActionResult will be 'needConfirm' after a successful
'caauth' action on a trustpoint. On successful completion
of the 'certnoconfirm' action subsequent to a 'caauth'
action, the import pending CA certificate/chain will be
rejected.
'forcecertdelete' - Same as 'certdelete' but the operation
is forced even if the certificate being deleted is the
last one remaining.
'crlimport' - This action is used to import in this
trustpoint, the CRL obtained from the corresponding CA.
It requires that the CRL being imported be available in
PEM format in a file on bootflash. The filename is specified
as 'bootflash:<filename>' as the value of the object
cpkiActionUrl. On successful completion of the operation,
the CRL will be installed in the trustpoint. For this
action to succeed, a CA certificate/chain should
have been already configured through the 'caauth' action.
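The 'caauth' / 'certconfirm' / 'certnoconfirm' exchange above, written as a
manager-side driver. This is an added example, not part of this MIB or of any
Cisco tool. The column names are the MIB's own; the cpkiAction value 'none',
the cpkiActionResult value 'success', the colon-separated hex fingerprint
format and the SimulatedAgent class (a constructed stand-in so the driver runs
offline) are assumptions. Against a real device the get/set calls would be
SNMP GET/SET operations on the trustpoint row. The point it shows is that the
manager must compare the device-reported fingerprint with one obtained out of
band and answer a mismatch with 'certnoconfirm', and that setting cpkiAction
while a previous action is still 'inProgress' is rejected.

```python
import hmac

IN_PROGRESS = 'inProgress'
NEED_CONFIRM = 'needConfirm'
SUCCESS = 'success'          # assumed name of the completed-OK result value


class InconsistentValue(Exception):
    '''Models the SNMP inconsistentValue error the agent returns when
    cpkiAction is set while cpkiActionResult is still inProgress.'''


class SimulatedAgent:
    '''Constructed stand-in for the device agent so the driver runs offline.
    Implements only the caauth / certconfirm / certnoconfirm semantics of the
    description above; a pending action completes on the next poll.'''

    def __init__(self, ca_fingerprint):
        self._ca_fingerprint = ca_fingerprint   # fingerprint of the file on bootflash
        self._pending = None
        self.cols = {
            'cpkiAction': 'none', 'cpkiActionUrl': '', 'cpkiActionPassword': '',
            'cpkiActionResult': 'none', 'cpkiIssuerCertFingerPrint': '',
            'cpkiIssuerCertFileName': '',
        }

    def get(self, column):
        if column == 'cpkiActionResult' and self._pending:
            self._finish(self._pending)
            self._pending = None
        return self.cols[column]

    def set(self, column, value):
        if column == 'cpkiAction':
            if self.cols['cpkiActionResult'] == IN_PROGRESS:
                raise InconsistentValue('cpkiActionResult is inProgress')
            self._pending = value
            self.cols['cpkiActionResult'] = IN_PROGRESS
        self.cols[column] = value

    def _finish(self, action):
        if action == 'caauth' and self.cols['cpkiActionUrl'].startswith('bootflash:'):
            self.cols['cpkiIssuerCertFingerPrint'] = self._ca_fingerprint
            self.cols['cpkiActionResult'] = NEED_CONFIRM
        elif action == 'certconfirm' and self.cols['cpkiIssuerCertFingerPrint']:
            self.cols['cpkiIssuerCertFileName'] = self.cols['cpkiActionUrl']
            self.cols['cpkiActionResult'] = SUCCESS
        elif action == 'certnoconfirm':
            self.cols['cpkiIssuerCertFingerPrint'] = ''   # pending CA rejected
            self.cols['cpkiActionResult'] = SUCCESS
        else:
            self.cols['cpkiActionResult'] = 'failed'


def wait_for_result(agent, max_polls=20):
    '''Poll cpkiActionResult until the agent leaves inProgress.'''
    for _ in range(max_polls):
        result = agent.get('cpkiActionResult')
        if result != IN_PROGRESS:
            return result
    raise TimeoutError('action still inProgress after %d polls' % max_polls)


def normalize_fingerprint(text):
    '''Canonical form for comparison: lowercase hex with separators removed.'''
    return ''.join(ch for ch in text.lower() if ch in '0123456789abcdef')


def authenticate_ca(agent, ca_url, expected_fingerprint):
    '''Run caauth, then certconfirm only if the fingerprint the device reports
    matches the one obtained out of band (from the CA operator, never from the
    device itself). Any mismatch is answered with certnoconfirm.
    Returns 'accepted' or 'rejected'.'''
    agent.set('cpkiActionUrl', ca_url)
    agent.set('cpkiActionPassword', '')
    agent.set('cpkiAction', 'caauth')
    result = wait_for_result(agent)
    if result != NEED_CONFIRM:
        raise RuntimeError('caauth ended with %s instead of needConfirm' % result)
    observed = normalize_fingerprint(agent.get('cpkiIssuerCertFingerPrint'))
    expected = normalize_fingerprint(expected_fingerprint)
    # compare_digest is constant time and treats a length mismatch (empty or
    # truncated fingerprint) as a mismatch rather than a prefix match.
    if expected and hmac.compare_digest(observed, expected):
        agent.set('cpkiAction', 'certconfirm')
        verdict = 'accepted'
    else:
        agent.set('cpkiAction', 'certnoconfirm')
        verdict = 'rejected'
    if wait_for_result(agent) != SUCCESS:
        raise RuntimeError('confirmation step did not complete')
    return verdict
```

The expected fingerprint is a parameter on purpose: reading it from the device
would make the 'certconfirm' step a formality, and the whole CA authentication
would then rest on whoever could write the PEM file to bootflash.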