PKI Trustpool Management

Last Updated: October 9, 2012

The PKI Trustpool Management feature is used to authenticate sessions, such as HTTPS, that occur between devices by using commonly recognized trusted agents called certificate authorities (CAs). The Cisco IOS software uses the PKI Trustpool Management feature, which is enabled by default, to create a scheme to provision, store, and manage a pool of certificates from known CAs in a way similar to the services a browser provides for securing sessions.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for PKI Trustpool Management

The use of certificates requires that a crypto subsystem is included in the Cisco IOS software image.

Restrictions for PKI Trustpool Management

Device certificates that use CA certificates cannot be enrolled in a PKI trustpool.

Information About PKI Trustpool Management

CA Certificate Storage in a PKI Trustpool

The router uses a built-in CA certificate bundle that is contained in a special certificate store called a PKI trustpool, which is updated automatically from Cisco. This PKI trustpool is known by Cisco and other vendors. A CA certificate bundle can be in the following formats:

  • X.509 certificates in Distinguished Encoding Rules (DER) binary format enveloped within a Public-Key Cryptography Standard #7 (PKCS #7) cryptographic message syntax structure, which is used to sign and encrypt messages under a PKI. An X.509 certificate is a PKI and Privilege Management Infrastructure (PMI) standard that specifies, among other things, standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.
  • A file containing concatenated X.509 certificates in Privacy Enhanced Mail (PEM) format with PEM headers.
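As an added illustration (not part of this Cisco module), the following Python script tells the two bundle formats just described apart and splits a PEM bundle into its individual DER certificates, which is a useful sanity check before a bundle is imported into the trustpool. The sample PEM bundle and the PKCS #7 skeleton are constructed inline for the example; they are not real Cisco bundles, and the tiny DER body standing in for a certificate is a placeholder.

```python
import base64
import re

# Constructed sample inputs (not real certificates): a minimal DER SEQUENCE stands in for a certificate body.
FAKE_DER_CERT = b"\x30\x03\x02\x01\x01"  # SEQUENCE { INTEGER 1 }
PEM_CERT = (b"-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(FAKE_DER_CERT) + b"\n"
            + b"-----END CERTIFICATE-----\n")
PEM_BUNDLE = PEM_CERT * 2  # two concatenated PEM certificates with headers

# Constructed PKCS #7 skeleton: SEQUENCE { OID 1.2.840.113549.1.7.2 (signedData), [0] EXPLICIT {} }
PKCS7_SIGNED_DATA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"
PKCS7_DER = b"\x30\x0d\x06\x09" + PKCS7_SIGNED_DATA_OID + b"\xa0\x00"

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def der_length(buf, pos):
    """Decode a DER length field starting at buf[pos]; return (length, position of the content)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def is_der_sequence(blob):
    """True when blob is exactly one well-framed DER SEQUENCE (tag 0x30), as a certificate or PKCS #7 object is."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    try:
        length, body = der_length(blob, 1)
    except (ValueError, IndexError):
        return False
    return body + length == len(blob)


def split_pem_bundle(data):
    """Return the DER bytes of every certificate in a concatenated PEM bundle, rejecting malformed blocks."""
    certs = []
    for b64 in PEM_RE.findall(data):
        der = base64.b64decode(b"".join(b64.split()), validate=True)
        if not is_der_sequence(der):
            raise ValueError("PEM block does not decode to a DER SEQUENCE")
        certs.append(der)
    return certs


def detect_bundle_format(data):
    """Classify a downloaded bundle as 'pem', 'pkcs7' (DER signedData), bare 'der', or 'unknown'."""
    if b"-----BEGIN CERTIFICATE-----" in data:
        return "pem"
    if is_der_sequence(data):
        # A PKCS #7 ContentInfo begins with the contentType OID right after the outer SEQUENCE header.
        _, pos = der_length(data, 1)
        if pos < len(data) and data[pos] == 0x06:
            oid_len, oid_start = der_length(data, pos + 1)
            if data[oid_start:oid_start + oid_len] == PKCS7_SIGNED_DATA_OID:
                return "pkcs7"
        return "der"
    return "unknown"


if __name__ == "__main__":
    print(detect_bundle_format(PEM_BUNDLE), len(split_pem_bundle(PEM_BUNDLE)))
    print(detect_bundle_format(PKCS7_DER))
```

The PKCS #7 detection only looks at the outer ContentInfo header; verifying the signature over the enclosed certificates, which is what the router does on import, needs a full CMS implementation and is outside this sketch.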

PKI Trustpool Updating

The PKI trustpool is treated as a single entity that needs to be updated when the following conditions occur:

  • A certificate in the PKI trustpool is due to expire or has been reissued.
  • The published CA certificate bundle contains additional trusted certificates that are needed by a given application.
  • The configuration has been corrupted.

Note

A built-in certificate in the PKI trustpool cannot be physically replaced. However, a built-in certificate is rendered inactive after an update if its X.509 subject-name attribute matches the certificate in the CA certificate bundle.

The PKI trustpool can be updated automatically or manually. Whether the PKI trustpool is used for certificate validation depends on the application using it. See the "Manually Updating Certificates in the PKI Trustpool" and "Configuring Optional PKI Trustpool Policy Parameters" sections for more information.

The PKI trustpool timer matches the CA certificate with the earliest expiration time. If the timer is running and a bundle location is not configured and not explicitly disabled, syslog warnings are issued to alert the administrator that the PKI trustpool policy option is not set.

Automatic PKI trustpool updates use the configured URL.

When the PKI trustpool expires, the policy is read, the bundle is loaded, and the PKI trustpool is replaced. If the automatic PKI trustpool update encounters problems when initiating, then the following schedule is used to initiate the update until the download is successful: 20 days, 15 days, 10 days, 5 days, 4 days, 3 days, 2 days, 1 day, and then once every hour.

CA Handling in Both the PKI Trustpool and a Trustpoint

There may be circumstances where a CA resides in both the PKI trustpool and a trustpoint; for example, a trustpoint is using a CA, and a CA bundle that contains this same CA is downloaded later. In this scenario, the CA in the trustpoint and the policy of that trustpoint are considered before the CA in the PKI trustpool and the PKI trustpool policy, to ensure that current behavior is not altered when the PKI Trustpool Management feature is implemented on the router.
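The update conditions, the expiration timer, the subject-name rule for built-in certificates, and the trustpoint-before-trustpool precedence from the two sections above can be modeled in a few lines. The following Python model is added here and is not Cisco IOS code: the CaCert class, the sample pool, bundle and trustpoint, and the 30-day "due to expire" window are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class CaCert:
    subject: str            # X.509 subject name; the update logic matches on it
    not_after: datetime     # end of the validity period
    builtin: bool = False   # shipped in the image: cannot be removed, only made inactive
    active: bool = True


# Constructed sample data (not the module's show output): two built-in CAs and one downloaded CA.
NOW = datetime(2012, 1, 1)
POOL = [
    CaCert("cn=Cisco Root CA 2048,o=Cisco Systems", datetime(2029, 5, 14), builtin=True),
    CaCert("cn=Old Vendor CA,o=Example", datetime(2012, 1, 20), builtin=True),
    CaCert("cn=Downloaded CA,o=Example", datetime(2015, 1, 1)),
]
BUNDLE = [
    CaCert("cn=Old Vendor CA,o=Example", datetime(2022, 1, 1)),   # reissued: same subject, later expiry
    CaCert("cn=Downloaded CA,o=Example", datetime(2015, 1, 1)),   # unchanged
    CaCert("cn=New Vendor CA,o=Example", datetime(2025, 1, 1)),   # additional CA an application may need
]
# Hypothetical trustpoint that already uses the downloaded CA, with its own policy.
TRUSTPOINTS = {"tp-example": (POOL[2], "tp-example-policy")}


def trustpool_timer(pool):
    """The trustpool timer tracks the active CA certificate with the earliest expiration time."""
    live = [c.not_after for c in pool if c.active]
    return min(live) if live else None


def update_reasons(pool, bundle, now, warn=timedelta(days=30)):
    """Which of the listed update conditions hold: expiring, reissued, or additional certificates."""
    reasons = set()
    soonest = trustpool_timer(pool)
    if soonest is not None and soonest - now <= warn:
        reasons.add("expiring")
    by_subject = {c.subject: c for c in pool if c.active}
    for c in bundle:
        current = by_subject.get(c.subject)
        if current is None:
            reasons.add("additional")
        elif c.not_after > current.not_after:
            reasons.add("reissued")
    return reasons


def apply_bundle(pool, bundle):
    """Replace the downloaded certificates with the bundle. Built-ins are kept, but a built-in whose
    subject name also appears in the bundle is marked inactive rather than deleted."""
    bundle_subjects = {c.subject for c in bundle}
    kept = [CaCert(c.subject, c.not_after, True, c.subject not in bundle_subjects)
            for c in pool if c.builtin]
    return kept + list(bundle)


def resolve_ca(subject, trustpoints, pool):
    """A CA present in both a trustpoint and the trustpool is taken from the trustpoint, with that
    trustpoint's policy; only otherwise is the trustpool (and the trustpool policy) consulted."""
    for name, (ca, policy) in trustpoints.items():
        if ca.subject == subject:
            return "trustpoint", name, policy
    for c in pool:
        if c.active and c.subject == subject:
            return "trustpool", None, "trustpool-policy"
    return None


if __name__ == "__main__":
    print("timer:", trustpool_timer(POOL), "reasons:", sorted(update_reasons(POOL, BUNDLE, NOW)))
    updated = apply_bundle(POOL, BUNDLE)
    print("timer after update:", trustpool_timer(updated))
    print(resolve_ca("cn=Downloaded CA,o=Example", TRUSTPOINTS, updated))
```

Running it shows the pool timer moving from the expiring built-in to the next-expiring active certificate after the bundle is applied, and the downloaded CA still resolving through the trustpoint that was using it before the update.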

How to Configure PKI Trustpool Management

Manually Updating Certificates in the PKI Trustpool

The PKI Trustpool Management feature is enabled by default and uses the built-in CA certificate bundle in the PKI trustpool, which receives automatic updates from Cisco. Perform this task to manually update certificates in the PKI trustpool if they are not current, are corrupt, or if certain certificates need to be updated.

SUMMARY STEPS

1. enable
2. configure terminal
3. crypto pki trustpool import clean [terminal | url url]
4. crypto pki trustpool import {terminal | url url}
5. exit
6. show crypto pki trustpool

DETAILED STEPS

Step 1
Command or Action: enable
Example:
  Router> enable
Purpose: Enables privileged EXEC mode.
  • Enter your password if prompted.

Step 2
Command or Action: configure terminal
Example:
  Router# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: crypto pki trustpool import clean [terminal | url url]
Example:
  Router(config)# crypto pki trustpool import clean
Purpose: (Optional) Manually removes all downloaded PKI CA certificates.
  • The clean keyword specifies the removal of the downloaded PKI trustpool certificates before the new certificates are downloaded. Use the optional terminal keyword to remove the existing CA certificate bundle terminal setting, or the url keyword and url argument to remove the existing URL file system setting.

Step 4
Command or Action: crypto pki trustpool import {terminal | url url}
Example:
  Router(config)# crypto pki trustpool import url http://www.cisco.com/security/pki/trs/ios.p7b
Purpose: Manually imports (downloads) the CA certificate bundle into the PKI trustpool to update or replace the existing CA certificate bundle.
  • The terminal keyword specifies the importation of a CA certificate bundle through the terminal (cut-and-paste) in PEM format.
  • The url keyword with the url argument specifies the importation of a CA certificate bundle through a URL. This URL can use a variety of URL file systems, such as HTTP. See the "PKI Trustpool Updating" section for more information.

Step 5
Command or Action: exit
Example:
  Router(config)# exit
Purpose: Exits global configuration mode.

Step 6
Command or Action: show crypto pki trustpool
Example:
  Router# show crypto pki trustpool
Purpose: Displays the PKI trustpool certificates of the router in a verbose format.

Configuring Optional PKI Trustpool Policy Parameters

SUMMARY STEPS

1. enable
2. configure terminal
3. crypto pki trustpool policy
4. cabundle url {url | none}
5. chain-validation
6. crl {cache {delete-after {minutes | none} | query url}
7. default command-name
8. match certificate certificate-map-name [allow expired-certificate | override {cdp directory ldap-location | ocsp {number url url | trustpool name number url url} | sia number url} | skip [revocation-check | authorization-check]]
9. ocsp {disable-nonce | url url}
10. revocation-check method1 [method2 [method3]]
11. source interface name number
12. storage location
13. vrf vrf-name
14. show

DETAILED STEPS

Step 1
Command or Action: enable
Example:
  Router> enable
Purpose: Enables privileged EXEC mode.
  • Enter your password if prompted.

Step 2
Command or Action: configure terminal
Example:
  Router# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: crypto pki trustpool policy
Example:
  Router(config)# crypto pki trustpool policy
  Router(ca-trustpool)#
Purpose: Enters ca-trustpool configuration mode, where commands can be accessed to configure CA PKI trustpool policy parameters.

Step 4
Command or Action: cabundle url {url | none}
Example:
  Router(ca-trustpool)# cabundle url http://www.cisco.com/security/pki/crl/crca2048.crl
Purpose: Specifies the URL from which the PKI trustpool certificate authority (CA) certificate bundle is downloaded.
  • The url argument is the URL of the CA certificate bundle.
  • The none keyword specifies that autoupdates of the PKI trustpool CA are not permitted.

Step 5
Command or Action: chain-validation
Example:
  Router(ca-trustpool)# chain-validation
Purpose: Enables chain validation from the peer's certificate to the root CA certificate in the PKI trustpool. By default, validation stops at the peer certificate's issuer.

Step 6
Command or Action: crl {cache {delete-after {minutes | none} | query url}
Example:
  Router(ca-trustpool)# crl query http://www.cisco.com/security/pki/crl/crca2048.crl
Purpose: Specifies the certificate revocation list (CRL) query and CRL cache options for the PKI trustpool.
  • The cache keyword specifies CRL cache options.
  • The delete-after keyword removes the CRL from the cache after a timeout.
  • The minutes argument is the number of minutes, from 1 to 43,200, to wait before deleting the CRL from the cache.
  • The none keyword specifies that CRLs are not cached.
  • The query keyword with the url argument specifies the URL published by the CA server to query the CRL.

Step 7
Command or Action: default command-name
Example:
  Router(ca-trustpool)# default crl query http://www.cisco.com/security/pki/crl/crca2048.crl
Purpose: Resets the value of a ca-trustpool configuration subcommand to its default.
  • The command-name argument is the ca-trustpool configuration mode command with its applicable keywords.

Step 8
Command or Action: match certificate certificate-map-name [allow expired-certificate | override {cdp directory ldap-location | ocsp {number url url | trustpool name number url url} | sia number url} | skip [revocation-check | authorization-check]]
Example:
  Router(ca-trustpool)# match certificate mycert override ocsp 1 url http://ocspts.identrust.com
Purpose: Enables the use of certificate maps for the PKI trustpool.
  • The certificate-map-name argument matches the certificate map name.
  • The optional allow expired-certificate keyword ignores expired certificates.
    Note: If this keyword is not configured, the router does not ignore expired certificates.
  • The override keyword overrides the online certificate status protocol (OCSP) or SubjectInfoAccess (SIA) attribute fields in a certificate that is in the PKI trustpool.
  • The cdp keyword overrides the certificate distribution point (CDP) in a certificate.
  • The directory keyword and ldap-location argument specify the CDP to override in the certificate, given as an http: or ldap: URL or as an LDAP directory.
  • The ocsp keyword and number argument, with the url keyword and url argument, specify the OCSP sequence number (from 0 to 10000) and the URL to override in the certificate.
  • The trustpool keyword and name and number arguments, with the url keyword and url argument, override the PKI trustpool used for verifying the OCSP certificate by specifying the PKI trustpool name, sequence number, and URL.
  • The sia keyword and number and url arguments override the SIA URL in a certificate by specifying the SIA sequence number and URL.
  • The optional skip revocation-check keyword combination allows the PKI trustpool to enforce certificate revocation lists (CRLs) except for specific certificates.
    Note: If this keyword combination is not configured, the PKI trustpool enforces CRLs for all certificates.
  • The optional skip authorization-check keyword combination skips the authentication, authorization, and accounting (AAA) check of a certificate when public key infrastructure (PKI) integration with an AAA server is configured.
    Note: If this keyword combination is not configured and PKI integration with an AAA server is configured, the AAA checking of a certificate is done.

Step 9
Command or Action: ocsp {disable-nonce | url url}
Example:
  Router(ca-trustpool)# ocsp url http://ocspts.identrust.com
Purpose: Specifies OCSP settings for the PKI trustpool.
  • The disable-nonce keyword disables the OCSP Nonce extension.
  • The url keyword and url argument specify the OCSP server URL to override (if one exists) in the Authority Info Access (AIA) extension of the certificate. All certificates associated with a configured PKI trustpool are checked by the OCSP server at the specified HTTP URL. The URL can be a hostname, IPv4 address, or IPv6 address.

Step 10
Command or Action: revocation-check method1 [method2 [method3]]
Example:
  Router(ca-trustpool)# revocation-check ocsp crl none
Purpose: Specifies how revocation checking is performed when the PKI trustpool policy is being used. Each method argument names a way for the router to check the revocation status of the certificate. Available keywords are as follows:
  • crl--Certificate checking is performed by a certificate revocation list (CRL). This is the default behavior.
  • none--Certificate checking is not required.
  • ocsp--Certificate checking is performed by an online certificate status protocol (OCSP) server.
  If a second and third method are specified, each method is used only if the previous method returns an error, such as a server being down.

Step 11
Command or Action: source interface name number
Example:
  Router(ca-trustpool)# source interface tunnel 1
Purpose: Specifies the source interface to be used for CRL retrieval, OCSP status, or the downloading of a CA certificate bundle for the PKI trustpool.
  • The name and number arguments are the interface type and number used as the source address for the PKI trustpool.

Step 12
Command or Action: storage location
Example:
  Router(ca-trustpool)# storage disk0:crca2048.crl
Purpose: Specifies a file system location where PKI trustpool certificates are stored on the router.
  • The location argument is the file system location where the PKI trustpool certificates are stored. The types of file system locations are disk0:, disk1:, nvram:, unix:, or a named file system.

Step 13
Command or Action: vrf vrf-name
Example:
  Router(ca-trustpool)# vrf myvrf
Purpose: Specifies the VPN routing and forwarding (VRF) instance to be used for enrollment, CRL retrieval, and OCSP status.

Step 14
Command or Action: show
Example:
  Router(ca-trustpool)# show
  Chain validation will stop at the first CA certificate in the pool
  Trustpool CA certificates will expire 12:58:31 PST Apr 5 2012
  Trustpool policy revocation order: crl
  Certficate matching is disabled
  Policy Overrides:
Purpose: Displays the PKI trustpool policy of the router.
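The fallback order of revocation-check (Step 10) is easy to misread: a later method is consulted only when the previous one errors, not when it returns a definite answer, and a trailing none means "accept if nothing could be checked". The following Python model of that rule is an added example, not Cisco code; the make_backends stand-ins for an OCSP responder and a CRL, and the serial numbers they know about, are constructed for the illustration.

```python
GOOD, REVOKED, ERROR = "good", "revoked", "error"
VALID_METHODS = ("crl", "ocsp", "none")


def parse_methods(line):
    """Parse a 'revocation-check method1 [method2 [method3]]' line into an ordered method list."""
    words = line.split()
    if words[:1] != ["revocation-check"] or not 1 <= len(words) - 1 <= 3:
        raise ValueError("expected: revocation-check method1 [method2 [method3]]")
    bad = [m for m in words[1:] if m not in VALID_METHODS]
    if bad:
        raise ValueError("unknown revocation method(s): %s" % ", ".join(bad))
    return words[1:]


def make_backends(ocsp_up, crl_up, revoked_serials):
    """Constructed stand-ins for an OCSP responder and a CRL. Each answers GOOD or REVOKED for a
    certificate serial number, or ERROR when the server is down (the 'previous method returns an
    error' case the text describes)."""
    def ocsp(serial):
        if not ocsp_up:
            return ERROR
        return REVOKED if serial in revoked_serials else GOOD

    def crl(serial):
        if not crl_up:
            return ERROR
        return REVOKED if serial in revoked_serials else GOOD

    return {"ocsp": ocsp, "crl": crl}


def check_revocation(serial, methods, backends):
    """Apply the configured methods in order and return (verdict, trace).
    A later method runs only when the previous one returned ERROR; 'none' accepts the certificate
    without a check; if every method errored and 'none' was not configured, validation fails."""
    trace = []
    for method in methods:
        if method == "none":
            trace.append(("none", GOOD))
            return GOOD, trace
        result = backends[method](serial)
        trace.append((method, result))
        if result != ERROR:
            return result, trace
    return ERROR, trace


if __name__ == "__main__":
    methods = parse_methods("revocation-check ocsp crl none")
    backends = make_backends(ocsp_up=False, crl_up=True, revoked_serials={"0A"})
    # OCSP is down, so the CRL answers; the revoked serial is rejected even though 'none' is listed last.
    print(check_revocation("0A", methods, backends))
    # With both servers down, 'none' lets the certificate through: the trace shows why.
    print(check_revocation("0A", methods, make_backends(False, False, {"0A"})))
```

The trace is the part worth logging in practice: an ocsp crl none policy accepts a revoked certificate only when both OCSP and CRL were unreachable, and the trace makes that outage visible rather than silently reporting "good".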

Configuration Example for PKI Trustpool Management

The following show crypto pki trustpool command output displays the certificates in the PKI trustpool:

Note

The command output in this example is abridged because it is verbose.

Router# show crypto pki trustpool

CA Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 00D01E474000000111C38A964400000002
  Certificate Usage: Signature
  Issuer: 
    cn=DST Root CA X3
    o=Digital Signature Trust Co.
  Subject: 
    cn=Cisco SSCA
    o=Cisco Systems
  CRL Distribution Points: 
    http://crl.identrust.com/DSTROOTCAX3.crl
  Validity Date: 
    start date: 12:58:31 PST Apr 5 2007
    end   date: 12:58:31 PST Apr 5 2012

CA Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 6A6967B3000000000003
  Certificate Usage: Signature
  Issuer: 
    cn=Cisco Root CA 2048
    o=Cisco Systems
  Subject: 
    cn=Cisco Manufacturing CA
    o=Cisco Systems
  CRL Distribution Points: 
    http://www.cisco.com/security/pki/crl/crca2048.crl
  Validity Date: 
    start date: 14:16:01 PST Jun 10 2005
    end   date: 12:25:42 PST May 14 2029

Additional References

Related Documents

Related Topic          Document Title
Cisco IOS commands     Cisco IOS Master Commands List, All Releases
Security commands

Technical Assistance

Description: The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

Link: http://www.cisco.com/cisco/web/support/index.html

Feature Information for PKI Trustpool Management

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1 Feature Information for PKI Trustpool Management

Feature Name: PKI Trustpool Management

Releases: 15.2(2)T, 15.1(1)SY

Feature Information: This feature is used to authenticate sessions, such as HTTPS, that occur between devices by using commonly recognized trusted agents called certificate authorities (CAs). The Cisco IOS software uses the PKI Trustpool Management feature, which is enabled by default, to create a scheme to provision, store, and manage a pool of certificates from known CAs in a way similar to the services a browser provides for securing sessions.

The following commands were introduced or modified: cabundle url, chain-validation (ca-trustpool), crypto pki trustpool import, crypto pki trustpool policy, crl, default (ca-trustpool), match certificate (ca-trustpool), ocsp, revocation-check (ca-trustpool), show (ca-trustpool), show crypto pki trustpool, source interface (ca-trustpool), storage, vrf (ca-trustpool).

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2012 Cisco Systems, Inc. All rights reserved.