Usage Guidelines
Issuing this command places the router in ca-certificate-map configuration mode where you can specify several certificate fields together with their matching criteria. The general form of these fields is as follows:
field-name match-criteria match-value
The field-name field in the above example is one of the certificate fields. Field names are similar to the names used in the ITU-T X.509 standard. The name field is a special field that matches any subject name or related name field in the certificate, such as the alt-subject-name, subject-name, and unstructured-subject-name fields.
alt-subject-name--Case-insensitive string.
expires-on--Date field in the format dd mm yyyy hh:mm:ss or mmm dd yyyy hh:mm:ss.
issuer-name--Case-insensitive string.
name--Case-insensitive string.
serial-number--Case-insensitive string.
subject-name--Case-insensitive string.
unstructured-subject-name--Case-insensitive string.
valid-start--Date field in the format dd mm yyyy hh:mm:ss or mmm dd yyyy hh:mm:ss.
Note: The time portion is optional in both the expires-on and valid-start fields and defaults to 00:00:00 if not specified. The time is interpreted according to the time zone offset configured for the router. The string utc can be appended to the date and time when they are configured as Universal Time, Coordinated (UTC) rather than local time.
The match-criteria field in the example is one of the following logical operators:
eq--equal (valid for name and date fields)
ne--not equal (valid for name and date fields)
co--contains (valid only for name fields)
nc--does not contain (valid only for name fields)
lt--less than (valid only for date fields)
ge--greater than or equal to (valid only for date fields)
The match-value field is a case-insensitive string or a date.
Examples
The following example shows how to configure a certificate-based ACL that will allow any certificate issued by Company to an entity within the company.com domain. The label is Company, and the sequence is 10.
crypto pki certificate map Company 10
issuer-name co Company
unstructured-subject-name co company.com
The following example accepts any certificate issued by Company for an entity whose subject name contains DIAL or whose organizationUnit component is ou=WAN. This certificate-based ACL consists of two separate ACLs tied together with the common label Group. Because the check for DIAL has a lower sequence number, it is performed first. Note that the string “DIAL” can occur anywhere in the subjectName field of the certificate, but the string WAN must be in the organizationUnit component.
crypto pki certificate map Group 10
issuer-name co Company
subject-name co DIAL
crypto pki certificate map Group 20
issuer-name co Company
subject-name co ou=WAN
Case is ignored in string comparisons; therefore, DIAL in the previous example will match dial, DIAL, Dial, and so on. Also note that the component identifiers (o=, ou=, cn=, and so on) are not required unless it is desirable that the string to be matched occurs in a specific component of the name. (Refer to the ITU-T security standards for more information about certificate fields and components such as ou=.)
If a component identifier is specified in the match string, the exact string, including the component identifier, must appear in the certificate. This requirement can present a problem if more than one component identifier is included in the match string. For example, “ou=WAN,o=Company” will not match a certificate with the string “ou=WAN,ou=Engineering,o=Company” because the “ou=Engineering” string separates the two desired component identifiers.
To match both “ou=WAN” and “o=Company” in a certificate while ignoring other component identifiers, you could use this certificate map:
crypto pki certificate map Group 10
subject-name co ou=WAN
subject-name co o=Company
Any space character preceding or following the equal sign (=) character in component identifiers is ignored. Therefore “o=Company” in the preceding example will match “o = Company,” “o =Company,” and so on.
The following example shows a certificate map used for certificate serial number session control; the trustpoint references the map, and the map rejects the certificate whose serial number is 489d:
crypto pki trustpoint CA1
enrollment url http://CA1
ip-address FastEthernet0/0
crl query ldap://CA1_ldap
revocation-check crl
match certificate crl-map1
crypto pki certificate map crl-map1 1
serial-number ne 489d
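The matching rules above (case-insensitive name comparison, contains versus equals, the special name field, whitespace around “=”, date fields with an optional time, and the "ou=WAN,o=Company" pitfall) are easy to get wrong when writing a map. The following is an added example, not Cisco code or output from the router: a small Python evaluator that applies the same rules to a constructed certificate so the behaviour of each operator can be checked offline. The certificate values, the rule tuples and the assumption that all lines in one sequence entry are ANDed are the example's own.

```python
import re
from datetime import datetime

DATE_FIELDS = {"expires-on", "valid-start"}
# the special "name" field matches any of these subject-type name fields
NAME_FIELDS = {"alt-subject-name", "subject-name", "unstructured-subject-name"}

def _norm(s):
    # case is ignored, and whitespace on either side of '=' in a component
    # identifier is ignored ("o = Company" compares equal to "o=Company")
    return re.sub(r"\s*=\s*", "=", s).lower()

def _parse_date(s):
    # dd mm yyyy [hh:mm:ss] or mmm dd yyyy [hh:mm:ss]; time defaults to 00:00:00
    for fmt in ("%d %m %Y %H:%M:%S", "%d %m %Y",
                "%b %d %Y %H:%M:%S", "%b %d %Y"):
        try:
            return datetime.strptime(s, fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised date: " + s)

def rule_matches(cert, field, op, value):
    """Evaluate one 'field-name match-criteria match-value' line."""
    if field in DATE_FIELDS:
        actual, want = _parse_date(cert[field]), _parse_date(value)
        return {"eq": actual == want, "ne": actual != want,
                "lt": actual < want, "ge": actual >= want}[op]
    fields = NAME_FIELDS if field == "name" else {field}
    haystacks = [_norm(cert.get(f, "")) for f in fields]
    needle = _norm(value)
    if op == "eq": return any(h == needle for h in haystacks)
    if op == "ne": return all(h != needle for h in haystacks)
    if op == "co": return any(needle in h for h in haystacks)   # substring
    if op == "nc": return all(needle not in h for h in haystacks)
    raise ValueError("operator %s is not valid for name fields" % op)

def map_matches(cert, rules):
    # assumption: every line inside one sequence entry must match (AND)
    return all(rule_matches(cert, *rule) for rule in rules)

# constructed sample certificate for the demonstration (not a real cert)
CERT = {
    "issuer-name": "cn=Company CA, o = Company",
    "subject-name": "cn=router1,ou=WAN,ou=Engineering,o=Company",
    "unstructured-subject-name": "router1.company.com",
    "serial-number": "489d",
    "valid-start": "jan 1 2024",
    "expires-on": "jan 1 2026 12:00:00",
}
```

Running the "ou=WAN,o=Company" rule against CERT shows why the page recommends two separate "co" lines: the intervening ou=Engineering component breaks the single-string match.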