Table Of Contents
Managing Certificates
Getting started with Wizards
Certificate Wizards
Understanding Wizards
Launching Certificate Wizards
Configuring a Certificate Trustpoint Using the Wizard
Setting up a Proxy Service Trustpoint
Setting up a CA Trustpoint
Configuring a Trustpoint and RSA Key Pair
Configuring SSL Certificate Attributes
Configuring Enrollment Parameters
Selecting a CA Certificate Source
Importing a CA Certificate Chain
Configuring Trustpoint Tasks
Viewing Wizard Summary
Delivering Configuration to an SSL Module
Viewing Trustpoint Configuration Status
Viewing Certificate Signing Request (CSR)
Importing and Exporting Certificates
Importing Certificates from an External PKI System
Importing PEM File
Exporting Certificates Using the Wizard
Viewing Certificate Export Wizard Summary
Viewing the Certificate Export Status
Exporting Certificates in Bulk Using the Certificate Export Wizard
Selecting Certificates and Format (PEM, PKCS#12)
Specifying the Destination (PEM)
Specifying the Destination (PKCS#12)
Viewing Certificate Trustpoints
Certificate Trustpoint Grouper
Certificate Trustpoint Details
Authenticating Trustpoints
Enrolling Trustpoints
Authenticating and Enrolling Trustpoints
Importing SSL Certificate Trustpoints
Renewing Trustpoints
Exporting Trustpoints
Editing Trustpoint Configuration
Selecting Available ACLs
Selecting Available Key Pairs
Certificate Hierarchy
Deleting Certificates
Challenge Password
How Do I...
How Do I Import an SSL Certificate and Private Key to SSLSM?
How do I Import a CA Certificate Chain on the SSLSM?
How do I generate a Certificate Signing Request (CSR)?
How do I import the SSL certificate obtained using CSR?
How Do I Export Certificates and Private Keys from SSLSM?
How Do I Renew an SSL Certificate?
Managing Certificates
A Trustpoint is an association of a CA Certificate, an RSA Key pair, and the corresponding SSL Client and Server Certificate.
The following topics are described in this section:
•
Getting started with Wizards
• Understanding Wizards
• Importing and Exporting Certificates
• Exporting Certificates in Bulk Using the Certificate Export Wizard
• Viewing Certificate Trustpoints
• Certificate Trustpoint Details
• Editing Trustpoint Configuration
• Deleting Certificates
• Certificate Hierarchy
• How Do I...
Getting started with Wizards
The details below help you navigate as per the menu.
For more information on Wizards, see Understanding Wizards
Certificate Wizards
The certificate wizards helps you to configure a certificate trustpoint using a wizard, Importing certificates and private keys, and export certificates and private keys.
Configuring a Certificate Trustpoint Using the Wizard
This wizard helps you to configure a certificate Trustpoint, generate the Certificate Signing Request (CSR), and install the SSL certificate obtained using the CSR.
The wizard also helps you to configure certificate authority (CA) Trustpoints and install a CA certificate or a CA certificate chain.
Note If the CA issuing your certificate is a subordinate CA, then you must first install all of the CA certificates in the certification path.
Importing CA Certificate or CA certificate chain
Step 1 Configure a trustpoint name. For details, see Configuring a Trustpoint and RSA Key Pair
Step 2 Specify a CA certificate source. For details, see Selecting a CA Certificate Source
Step 3 Specify a CA certificate. For details, see
• Importing a CA Certificate Chain using Copy and Paste
• Importing a CA Certificate Chain from a TFTP Server
• Importing a CA Certificate Chain from a Local Hard Disk
• Specifying a CA Certificate (PEM)
Step 4 Select Trustpoint setup tasks. For details, see
• Configuring Trustpoint Tasks
• Viewing Wizard Summary
• Delivering CLI Commands to the Device, page 1-22
• Viewing Trustpoint Configuration Status
Generating Certificate Signing Request (CSR)
Step 1 Configure Trustpoints and RSA key pair. For details, see Configuring a Trustpoint and RSA Key Pair
Step 2 Configure SSL certificate attributes. For details, see
• Configuring SSL Certificate Attributes
Step 3 Configure enrollment parameters. For details, see
• Configuring Enrollment Parameters
Step 4 Specify a CA certificate (for the copy-paste method only). For details, see
• Specifying a CA Certificate (PEM)
Step 5 Select Trustpoint setup tasks. For details, see
• Configuring Trustpoint Tasks
• Viewing Wizard Summary
• Delivering CLI Commands to the Device, page 1-22
• Viewing Certificate Signing Request (CSR)
Importing the SSL certificate
For more details, see How do I import the SSL certificate obtained using CSR?.
Import Certificates and Private Key
This wizard lets you to import certificates and private key to SSLSM from an external public key infrastructure (PKI). You can import certificates in X.509 PEM, X.509 DER, PKCS#7, or PKCS#12 format. The instructions below guides you through the steps based on the format and source of the certificates.
Importing CA Certificate, SSL Certificate and Private Key.
To launch the task, see Importing Certificates from an External PKI System
Importing in PEM format- Local Hard Disk
Step 1 Specify certificate formats and source. For details, see Configuring Certificate Source and Format
Step 2 Specify certificates and private key files. For details, see
• Configuring Certificates and Key Files (PEM - Local Hard Disk)
• Viewing the Summary
• Viewing the Certificate Import Status
Importing in PEM format- Copy-and-paste
Step 1 Specify certificate formats and source. For details, see Configuring Certificate Source and Format
Step 2 Specify CA certificate. For more details, see Specifying a CA Certificate (PEM).
Step 3 Specify Private Key Specifying Private Key (PEM Format).
Step 4 Specify SSL certificate. For more details, see:
• Specifying SSL Certificate (PEM Format)
• Viewing the Summary
• Viewing the Certificate Import Status
Importing in PEM format- Remote system
Step 1 Specify certificate formats and source. For details, see
• Configuring Certificate Source and Format
Step 2 Specify certificates and private key files.
• Configuring Certificates and Key Files (PEM - Remote System)
• Viewing the Summary
• Viewing the Certificate Import Status
Importing in DER, PKCS#12, or PKCS#7
See the following sections:
• Configuring Certificate Source and Format
• Viewing the Summary
• Viewing the Certificate Import Status
Importing CA Certificate chain, SSL Certificate and Private Key
To launch the task, see Importing Certificates from an External PKI System
Importing in PEM - Local Hard Disk
Step 1 Specify certificate format and source. For details, see Configuring Certificate Source and Format
Step 2 Specify certificates and private key files. For details, see
• Specifying Certificates and Private Key
• Viewing the Summary
• Viewing the Certificate Import Status
Importing in PEM- Copy- and- paste
Step 1 Specify certificate format and source. For details, see Configuring Certificate Source and Format
Step 2 Specify the CA certificates. For details, see Specifying CA Certificates
Step 3 Specify private key. For details, see Specifying Private Key (PEM Format)
Step 4 Specify the SSL certificate. For details, see:
• Specifying SSL Certificate (PEM Format)
• Viewing the Summary
• Viewing the Certificate Import Status
Importing in PKCS#12, or PKCS#7
See the following sections:
• Configuring Certificate Source and Format
• Viewing the Summary
• Viewing the Certificate Import Status
Export Certificates and Private Keys
This wizard lets you to export certificates and private keys from the SSLSM in PKCS#12 or PEM format. You can export certificates and private keys to an external system (local hard disk or remote server) or to another SSLSM. When exporting the certificates in PEM format, you can optionally choose to export the CA certificates in the certificate chain.
The instructions below guides you through the steps based on the format and source of the certificates.
To launch the task, do the following:
Step 1 Click Setup in the CVDM-SSLSM task bar. The Setup page appears
Step 2 Click Wizards in the left-most pane. The Setup Wizards information appears in the content area.
Step 3 Select Export Certificates and Private Keys, then click Launch the Selected Task. The Certificate Export Wizard appears.
Exporting in PEM format- Local Hard Disk
Step 1 Select the certificates and format. For details, see Selecting Certificates and Format (PEM, PKCS#12).
Step 2 Select a destination. For details, see Specifying the Destination (PEM).
Step 3 Specify the destination details. For details, see:
• Specify Destination Details (PEM - Local Hard Disk)
• Viewing Certificate Export Wizard Summary
• Viewing the Certificate Export Status
Exporting using Copy and Paste method
Step 1 Select the certificates and format. For details, see
• Selecting Certificates and Format (PEM, PKCS#12)
Step 2 Select a destination. For details, see
• Specifying the Destination (PEM)
• Viewing Certificate Export Wizard Summary
• Viewing the Certificate Export Status
Exporting to Remote system
Step 1 Select the certificates and format. For details, see Selecting Certificates and Format (PEM, PKCS#12).
Step 2 Select a destination. For details, see Specifying the Destination (PEM).
Step 3 Specify the destination details. For details, see
• Specify Destination Details (PEM - Remote System)
• Viewing Certificate Export Wizard Summary
• Viewing the Certificate Export Status
Exporting to Redundant SSLSM
Step 1 Select the certificates and format. For details, see Selecting Certificates and Format (PEM, PKCS#12).
Step 2 Select a destination. For details, see Specifying the Destination (PEM).
Step 3 Specify the destination details. For details, see
• Specify Destination Details (PEM - Redundant SSLSM)
• Viewing Certificate Export Wizard Summary
• Viewing the Certificate Export Status
PKCS#12
Step 1 Select the certificates and format. For details, see Selecting Certificates and Format (PEM, PKCS#12).
Step 2 Select a destination. For details, see Specifying the Destination (PKCS#12).
Exporting to Remote system
Step 1 Select the certificates and format. For details, see Selecting Certificates and Format (PEM, PKCS#12).
Step 2 Select a destination. For details, see Specifying the Destination (PKCS#12).
Step 3 Specify the destination details. For details, see
• Specify Destination Details (PKCS#12 - Remote System)
• Viewing Certificate Export Wizard Summary
• Viewing the Certificate Export Status
Exporting to Redundant SSLSM
Step 1 Select the certificates and format. For details, see Selecting Certificates and Format (PEM, PKCS#12).
Step 2 Select a destination. For details, see Specifying the Destination (PKCS#12).
Step 3 Specify the destination details. For details, see
• Specify Destination Details (PKCS#12 - Redundant SSLSM)
• Viewing Certificate Export Wizard Summary
• Viewing the Certificate Export Status
Understanding Wizards
Wizards helps you to configure keys, certificates, and proxy services. You can access Certificate Wizards and Proxy Service Wizards from this page.
Figure 3-1 Wizards page
The following topics are included in this section:
Certificate Wizards
The Certificate Wizards helps you to configure keys and certificates. You can either create certificates and enroll them to the CA or import the certificates and the associated keys from an external PKI system. You can export the certificates and private keys using wizards.
• Configuring a Certificate Trustpoint Using the Wizard
• Importing Certificates from an External PKI System
• Exporting Certificates Using the Wizard
• Exporting Certificates in Bulk Using the Certificate Export Wizard
Proxy Service Wizards
The Certificate Wizards helps you to configure Proxy Services.
• Basic Proxy Service Wizard, page 7-3
• Advanced Proxy Service Wizard, page 7-8
Launching Certificate Wizards
To launch certificate wizards, do one of the following:
Step 1 Click Setup in the task bar. The Setup page appears.
Step 2 Click Wizard in the left-most pane. The Wizards information page appears.
Step 3 Click the Certificate Wizards tab to create a CertificateTrustpoint.
You can select either of the following tasks:
–Configure Certificate Trustpoint
–Import Certificates and Private Key.
–Export Certificates and Private Key.
Step 4 Select one of the tasks, then click Launch the Selected Task. The Trustpoint Setup wizard appears with information on the steps to follow.
Or:
Step 1 Click Setup at the top of the window, click PKI in the left-most pane, and select Certificate Trustpoints from the object Selector.
Step 2 Click the Setup Wizard and select either of the following wizards:
–Configure Certificate Trustpoint
–Import Certificates and Private Key.
–Export Certificates and Private Key.
Configuring a Certificate Trustpoint Using the Wizard
You can use the wizard to configure a certificate Trustpoint, authenticate, and enroll with a CA using the wizard.
To configure a certificate trustpoint:
Step 1 Click Setup in the task bar. The Setup page appears.
Step 2 Click Wizards in the left-most pane. The Wizards information page appears.
Step 3 Click the Certificate Wizards. The Certificate Wizards page appears.
Step 4 Select Configure Certificate Trustpoint, then click Launch the Selected Task. The Trustpoint Configuration dialog box appears. The dialog box provides information on the steps to be followed to configure a Trustpoint.
You can use the wizard to configure either of the following Trustpoints:
•Proxy Service Trustpoint.
•CA Trustpoint.
Step 5 Click Next to continue.
Setting up a Proxy Service Trustpoint
You can use any one of the following options to set up a proxy service trustpoint:
•Create a new proxy service Trustpoint.
•Configure a proxy service Trustpoint using the copy-and-paste method.
To create a new Proxy Service Trustpoint:
Step 1 Click Setup in the task bar. The Setup page appears.
Step 2 Click Wizard in the left-most pane. The Wizards information page appears.
Step 3 Click the Proxy Service Wizards tab to create a proxy service Trustpoint.
Step 4 Configure Trustpoint name and RSA key pair.
Step 5 (Optional) Configure SSL certificate attributes, then click Next.
Step 6 Configure enrollment parameters, then click Next.
Step 7 Select Trustpoint setup tasks, then click Next. The summary dialog box appears.
Step 8 Click Finish. The Deliver Configuration to SSLSM dialog box appears with the details on the CLI commands to be delivered to the module.
Step 9 Click Deliver to deliver the CLI commands. The Trustpoint Configuration Status dialog box appears.
To configure a Proxy Service Trustpoint using the copy-and-paste method:
Step 1 Configure Trustpoint name and RSA key pair.
Step 2 (Optional) Configure SSL certificate attributes, then click Next.
Step 3 Configure enrollment parameters, then click Next.
Step 4 Specify CA certificate, then click Next.
Step 5 Select Trustpoint setup tasks, then click Next. Summary dialog box appears.
Step 6 Click Finish.
Setting up a CA Trustpoint
To configure a CA Trustpoint:
Step 1 Configure Trustpoint Name.
Step 2 Specify CA Certificate source.
To configure a CA Trustpoint using the copy-and-paste method:
Step 1 Configure Trustpoint Name.
Step 2 Specify CA Certificate source.
Step 3 Specify CA Certificate.
Configuring a Trustpoint and RSA Key Pair
The Configure Trustpoint and RSA Key Pair page helps you set up a proxy service Trustpoint or a CA Trustpoint. You can either use an existing key pair for the Trustpoint or generate a new key pair.
Note If you are creating the Trustpoint for the first time, generate a new key pair. You will not be able to use an existing key pair.
The following fields appear:
Field
|
Action/Description
|
Trustpoint Name
|
You can add a new trustpoint or select an existing Truspoint.
|
Trustpoint Type
|
Proxy Service Trustpoint
|
Select this option to create a proxy service Trustpoint, generate CSR and, install the enrolled SSL certificate.
|
CA Trustpoint
|
Select this option to install a CA certificate or a CA certificate chain.
|
RSA Key Pair
|
Generate a new Key Pair
|
Select this option to generate a new key pair.
|
Key Pair Name
|
Enter the name of the key pair.
We recommend that you use a key pair name that matches the trustpoint name.
|
Key Size
|
The size of the key.
Key size can be 512, 768, 1024, 1536, or 2048
|
Allow Private Key Export
|
Select this option to make the new key exportable.
You need to select this to export the key at a later point of time.
|
Use an Existing Key Pair
|
Select this option to use an existing key pair.
|
Key Pair Name
|
Select the key pair name.
|
Configuring SSL Certificate Attributes
The SSL Certificate Attributes wizard page allows you to enter the SSL certificate attributes for the certificate Trustpoint. Even though it is not mandatory to fill any of these fields, we recommend you to fill the common name (CN) field.
The following fields appear on the SSL certificate attributes dialog box:
Field
|
Description
|
Subject Distinguished Name (DN)
|
The fully qualified domain name in the certificate.
The subject name uses Lightweight Directory Access Protocol (LDAP) format.
|
Common Name (CN)
|
The common name to be used.
Example: server.domain.com, where
server is the name of the SSL
server that appears in the URL.
|
Email Address (EA)
|
E-mail address.
|
Organization Unit (OU)
|
Organization Unit.
Example: Cisco
|
Department (D)
|
Name of the department.
Example:Lab
|
Location (L)
|
The location of the organization.
Example, San Jose
|
State (ST)
|
The name of the state.
Example, California
|
Country (C)
|
The country name.
Example: US
|
Include SSLSM Serial Number
|
Select this option to include the serial number of the SSLSM module in the certificate.
|
Unstructured
|
Unstructured Name
|
The unstructured URL of the server.
Example: server5.domain.com
|
Subject IP Address
|
IP address to be included in the certificate.
|
Other
|
Certificate Purpose
|
Select between the options SSL Client and SSL Server.
|
Configuring Enrollment Parameters
The Configure Enrollment Parameters page of the wizard allows you to specify the enrollment parameters for your certificate authority.
The following field appears in the configure enrollment parameters page:
Field
|
Description
|
CA
|
The name of the certificate authority.
•If you are configuring enrollment parameters for a new CA, choose the field display as <NEW>.
•If you want to enroll with a CA already configured, select the CA from the list and modify the parameters.
|
Simple Certificate Enrollment Protocol (SCEP)
|
Select this to use the SCEP.
|
CA Server URL
|
URL of the CA server.
|
Challenge Password
|
Enter a Challenge Password.
|
Confirm the Password
|
Confirm the challenge password.
|
Retry Count
|
Number of retries.
|
Enable Auto-Enrollment
|
Select to enable auto-enrollment.
|
Retry Period (Minutes)
|
Time to wait for the next retry.
|
HTTP Proxy
|
URL of the HTTP proxy to be used for the enrollment.
|
Port
|
The port to be used for the enrollment.
|
TFTP
|
Select this if you are using TFTP.
|
CA Server URL
|
URL of the CA server.
Example: tftp://ipaddress/Certificates/filename
The suffix.ca is appended to the file name.
|
Copy and Paste / Local Hard Disk
|
Select this option to Copy-and-Paste the Certificate or specify Certificate from the local Hard Disk.
|
The TFTP and cut-and-paste feature allows you to generate a certificate request and accept certification authority certificates as well as router certificates. These tasks are accomplished with a TFTP server or manual cut-and-past operations.
You may want to use TFTP or manual cut-and-paste enrollment in the following situations:
•Your certificate authority does not support Simple Certificate Enrollment Protocol (SCEP).
•A network connection between the router and certificate authority is not possible. The router running Cisco IOS software obtains its certificates using a network connection between the router and the certificate authority.
Selecting a CA Certificate Source
The CA Certificate Source page of the wizard allows you to specify the source of the CA certificate. You can import a CA certificate or a CA certificate chain. You can import a certificate chain using X.509 PEM or PKCS#7 format.You can select any of the following formats:
•X.509 PEM
•X.509 DER
•PKCS#7
Note To import the certificate using SCEP, select the PKCS#7 format.
If you have selected X.509PEM, the following options appear:
•Local Hard Disk—Select this option to import the CA certificate from the client machine.
•Copy and Paste—Select this option to import the CA certificate using copy and paste method.
•TFTP—Select this option to import the CA certificate from a TFTP server.
•Select the Import a CA Certificate Chain check box to import the certificate chain.
If you have selected X.509 DER, you need to select the CA Certificate File. Click Browse and browse to the directory where you have the certificate file, then select the file.
If you have selected PKCS#7, the following fields appear:
Field
|
Description
|
Simple Certificate Enrollment Protocol (SCEP)
|
Select this option to import file using SCEP.
|
CA Server URL
|
Enter the URL of the CA Server.
|
Local Hard Disk
|
Select this option to import a file from the local hard disk.
|
PKCS#7 File
|
Click Browse and browse to the directory where you have the PKCS#7 file, then select the file.
|
PKCS#7 CA Certificates
|
CRL Verification
|
Options are:
•Strict (Default)
•Optional
•Best Effort
|
CA Level
|
Level of CA in the certificate chain.
|
CA Name
|
Name of the CA.
|
Trustpoint Name
|
Name of the Trustpoint to which the CA certificate is imported.
|
Click Next to continue.
Importing a CA Certificate Chain
You can specify all the certificates in a certificate chain and the wizard will create CA Trustpoints for each of the CA certificate.
A suffix is added to Trustpoint name based on whether the CA certificate is a root or sub-ordinate CA certificate. You can edit the default Trustpoint name by using the CA Trustpoints tab. As the certificates are added, the status of the certificate and certificate chain is displayed.
To import a CA certificate chain:
Step 1 Configure Trustpoint Name.
Step 2 Specify CA Certificate source as X.509 PEM.
Step 3 Select the source from where you want to import the certificate chain. The options are: Local Hard Disk, Copy and Paste, TFTP.
Step 4 Select Import a CA Certificate Chain check box.
•If you have selected Local Hard Disk, see Importing a CA Certificate Chain from a Local Hard Disk.
•If you have selected Copy and Paste, see Importing a CA Certificate Chain using Copy and Paste.
•If you have selected Local Hard Disk, see Importing a CA Certificate Chain from a TFTP Server.
Importing a CA Certificate Chain from a Local Hard Disk
Step 1 Configure Trustpoint Name.
Step 2 Specify CA Certificate source as X.509 PEM.
Step 3 Select Local Hard Disk.
Step 4 Select Import a CA Certificate Chain check box, then click Next. The Specify CA Certificate page appears.
Step 5 Specify the CA certificates in the CA Certificate Chain
Step 6 Click Next to continue.
To specify the certificates in the certificate chain:
Step 1 Click Add. The Add a Certificate popup window appears.
Step 2 Click Browse to browse to the directory where you have the certificate file and select it.
Step 3 Click OK.
Note When specifying the certificates in the certificate chain, add Root CA through the subordinate CA in accordance with the certificate hierarchy.
Importing a CA Certificate Chain using Copy and Paste
Step 1 Configure Trustpoint Name.
Step 2 Specify CA Certificate source as X.509 PEM.
Step 3 Select Copy and Paste.
Step 4 Select Import a CA Certificate Chain check box, then click Next. The Specify CA Certificate page appears.
Step 5 Specify the CA certificates in the CA Certificate Chain.
Step 6 Click Next to continue.
To specify the certificates in the certificate chain:
Step 1 Click Add. The Add a Certificate popup window appears.
Step 2 Copy and Paste the certificate in PEM format to the Certificate field.
Click Clear to remove the content or click View Details to view the details of the certificate.
Step 3 Click OK to add the certificate.
Note When specifying the certificates in the certificate chain, add Root CA through the subordinate CA in accordance with the certificate hierarchy.
Importing a CA Certificate Chain from a TFTP Server
To import a CA certificate chain from a TFTP server:
Step 1 Configure Trustpoint Name.
Step 2 Specify CA Certificate source as X.509 PEM.
Step 3 Select TFTP.
Step 4 Select Import a CA Certificate Chain check box, then click Next. The Specify CA Certificate page appears.
Specify the CA certificate in the certificate chain. You must specify all certificates in the chain from root CA.
The following fields appear:
Field
|
Description
|
CA Level
|
Level of CA in the certificate chain.
|
CA Certificate File
|
URL (TFTP) of the CA certificate.
|
Trustpoint Name
|
Name of the Trustpoint to which the CA certificate is imported.
|
You can add certificates to the list. To add a CA certificate:
Step 1 Click Add. The Add a Certificate popup window appears.
Step 2 Enter the TFTP Server IP address.
Step 3 Enter the file name. The certificate file name must have a.ca extension.
Note The validity of the certificate or the completeness of the certificate chain is not validated. Please make sure that you specify valid CA certificates and all the certificates are in the certificate chain.
Note When specifying the certificates in the certificate chain, add Root CA through the subordinate CA in accordance with the certificate hierarchy.
Configuring Trustpoint Tasks
The Trustpoint Setup Tasks wizard page allows you to select a Trustpoint configuration task that you want to perform on the certificate Trustpoint.
You can select one of the following tasks:
Field
|
Action/Description
|
Generate CS R (Enroll)
|
Select this option to apply the trustpoint configuration, authenticate the CA certificate, and generate certificate request (enroll).
|
Authenticate the CA Certificate
|
Select this option to apply the trustpoint configuration and authenticate the CA certificate
|
Import SSL Server Certificate
|
Select this option to apply the Trustpoint configuration and import the SSL certificate. This is applicable only to manual enrollment methods.
|
Viewing Wizard Summary
When you use a wizard to perform a configuration, the wizard's Summary page displays the values that you have configured. You can examine those values and click the wizard's Back button to return to a screen on which you need to make a change. When you have made the changes, click the Finish button to save your changes and leave the wizard.
Delivering Configuration to an SSL Module
This page provides information on the CLI commands you have configured.
Click Deliver to deliver the commands to the module
Click Save to File to save the commands to a file.
Click Deliver Later to deliver the commands at a later point of time.
For more information on delivering CLI commands, see Delivering CLI Commands to the Device, page 1-22
Viewing Trustpoint Configuration Status
The Trustpoint Configuration Status dialog box provides the status details of the Trustpoint configuration tasks. The details displayed vary according to the task you selected. The dialog box displays the status against each task. The configuration performed on the module is displayed in the content area. If any task fails, you can review the task details and take necessary action.
Click OK to view the Certificate Signing Request (CSR). For more information on Certificate Signing Request (CSR), see Viewing Certificate Signing Request (CSR)
For authentication, after displaying the status, the finger print information appears. Verify the finger print displayed and accept the certificate to complete the authentication.
Viewing Certificate Signing Request (CSR)
The Certificate Request dialog box provides information on the certificate requested.
Click Save to File to save the certificate request. The file is saved with the default extension.csr.
Click Cancel to close the dialog box.
Importing and Exporting Certificates
You can use wizards to import and export certificates. This section contains the following information:
• Importing Certificates from an External PKI System
• Exporting Certificates Using the Wizard
• Exporting Certificates in Bulk Using the Certificate Export Wizard
Importing Certificates from an External PKI System
The Certificate Wizard allows you to import Certificates and Private Keys from an external PKI. You can import certificates in X.509 PEM, X.509 DER, PKCS#7, or PKCS#12 format.
To import certificates using Trustpoint Wizard:
Step 1 Click Setup in the CVDM-SSLSM task bar.The Setup page appears
Step 2 Click Wizards in the left-most pane. The dialog box appears.
Step 3 Select Import Certificates and Private Key, then click Launch the Selected Task. The Certificate Import Wizard appears.
You can import files in either of the following formats:
•X.509 PEM file, See Importing PEM File.
•PKCS#12 file, See Importing PKCS#12 File.
•X509 DER file
•PKCS#7 file
Importing PKCS#12 File
You can use an external PKI system to generate a PKCS#12 file and then import this file to the module.
When creating a PKCS#12 file, include the entire certificate chain, from server certificate to root certificate, and public and private keys. You can also generate a PKCS#12 file from the module and export it.
Note Imported key pairs cannot be exported.
If you are using SSH, we recommend using SCP when importing or exporting a PKCS#12 file. SCP authenticates the host and encrypts the transfer session.
To import a PKCS#12 File:
Step 1 Enter certificate format and source, then click Next. The Summary dialog box appears.
Step 2 Click Finish to complete importing the certificate.
Importing PEM File
To import a PEM File:
Step 1 Enter the format and source.
Step 2 Specify the certificate and key Files.
Step 3 Specify the private key.
Step 4 Specify SSL certificate.
Step 5 Click Next. The summary dialog box appears.
Step 6 Click Finish to complete importing the file.
You can copy and paste the CA Certificate in PEM format.
To import a PEM File using the copy-and-paste method:
Step 1 Enter the format and source
Step 2 Copy-and-paste the CA Certificate in PEM format.
Step 3 Click Next. The summary dialog box appears.
Step 4 Click Finish to complete importing the file.
Configuring Certificate Source and Format
The Certificate Source and Format page of the wizard allows you to enter the Trustpoint name, format and source.
You can select any of the following formats and select the source of the certificates and private key:
•X.509 PEM
•PKCS#12
•X.509 DER
•PKCS#7
X.509 PEM
Step 1 Select one of the following PEM formats:
•Local Hard Disk—to import certificates from the client workstation.
•Copy and Paste—to import certificates and key using copy-and-paste method.
•Remote system—to import certificates from a remote system using TFTP, FTP, RCP, or SCP.
Step 2 (Optional) Select Import Certificate Chain to import the certificate chain associated with the Trustpoint. (This option is available only if you select Local Hard Disk or Copy and Paste)
Step 3 Select one of the option, then click Next.
•If you have selected Local Hard Disk and Import Certificate Chain, the next step is specifying certificates and key pairs.
•If you have selected Copy and Paste, and Import Certificate Chain, the next step is specifying CA certificates.
PKCS#12
Step 1 Select PKCS#12, the following fields will be displayed:
Field
|
Description
|
Protocol
|
Select any of the following protocols to be used for importing the file:
•TFTP
•FTP
•RCP
•SCP
|
IP Address
|
IP address of the certificate source.
|
User Name
|
User name for the remote system.
|
Password
|
Password to be used for the remote system.
|
PKCS#12 File
|
File name with the absolute path and the file name.
Example:
d:/tftpboot/certs/cert.p12
|
Passphrase
|
Passphrase to be used to decrypt the key.
|
Create Trustpoints for CA Certificates in Certificate Chain
|
Select this is to create Trustpoints for certificates higher in the hierarchy.
|
X.509 DER
Field
|
Description
|
CA Certificate File
|
Click Browse and select the certificate file from the directory.
|
Private Key File
|
Click Browse and select the certificate file from the directory.
|
Private Key Passphrase
|
Enter the Passphrase for the private key.
|
NET Format (Netscape Server/Microsoft IIS)
|
For private key in NET format, you must specify the RC4 passphrase used to encrypt the key. The same passphrase will be used to encrypt the private key in PEM format.
|
SGC Key
|
This is active only for NET Format key.
|
Allow Private Key Export
|
Select the check box to allow exporting the private keys.
|
PKCS#7
The wizard will use the following suffixes when creating the CA Trustpoints:
•Root CA Certificate: -rootCA
•Sub-ordinate CA Certificate: -subCA<level>
Field
|
Description
|
PKCS#7 Certificate File
|
Click Browse and select the certificate file from the directory.
|
Create Trustpoints for CA Certificates in Certificate Chain
|
Select this option to create Trustpoints for certificates in a chain. On selecting this check box a new set of field details appears below.
For details see PKCS#7 CA Certificates field in the same table.
|
Private Key File (PEM)
|
Click Browse and select the certificate file from the directory.
|
Private Key Passphrase
|
Passphrase to be used to decrypt the key.
|
Allow Private Key Export
|
Select the check box to allow exporting the private keys.
|
PKCS#7 CA Certificates
|
This field appears only if you select Create Trustpoints for CA certificates in Certificate Chain option. It provides the list of CA certificates in the PKCS#7 file.
|
CRL Verification
|
You can select any option given below:
•Strict (default)
•Optional
•Best Effort
This selected option applies to the entire table below.
|
The table below provides the list of CA certificates in the PKCS#7 file.
|
CA Level
|
The level of the CA in the certificate chain.
|
CA Name
|
The name of the certification authority.
|
Trustpoint Name
|
The name of the trustpoint associated with the certificate.
|
A passphrase protects a PEM file that contains a private key. The PEM file is encrypted by DES or 3DES.
Enter the details, then click Next.
Specifying Certificates and Private Key
If you have selected to import a certificate chain in X.509 PEM format from the local hard disk you need to specify the CA certificates, SSL (Server/Client) certificate and private key.
You must specify all CA certificates in the chain from the root CA to the issuer of the SSL certificate.
The following fields appear:
Fields
|
Description
|
CA Certificate Chain
|
CRL Verification
|
Select the level of verification. It can be one of the following:
•Strict
•Optional
•Best Effort
|
Chain
|
Add the certificate in the chain.
Add—Click Add to add a CA certificate to the chain. A popup dialog box appears.
Enter the CA Trustpoint Name, The certificate in PEM format is displayed.
Click View Details to view the details of the CA Certificate.
Click OK to complete adding the certificate.
Remove—Select a certificate from the chain, then click Remove to remove the CA certificate from the chain.
|
CA Trustpoints
|
Provides the details of the CA Trustpoints.
You can specify the name of the Trustpoint and can even edit the name of the Trustpoint.
CA Level—Level of the CA in the certificate chain.
CA Name—The name of the certification authority.
Trustpoint Name—Name of the trustpoint associated with the certificate.
Select a CA Trustpoint, then click Edit to edit the CA Trustpoint.
|
SSL Certificate and Private Key File
|
SSL Certificate File
|
Click Browse, and navigate to the folder where you have the SSL Certificate file.
|
Private Key File
|
Click Browse, and navigate to the folder where you have the Private Key file.
|
Private Key Passphrase
|
Passphrase to be used to decrypt the private key.
|
Allow Private Key Export
|
Select this check box if you want to allow the private key to be exported.
|
Specifying CA Certificates
If you have selected to import a certificate chain in X.509 PEM format using the copy and paste method, you need to specify the CA certificates from the root CA to the issuer of the SSL certificate. The following fields appear:
Field
|
Description
|
CA Certificate Chain
|
CRL Verification
|
Select the level of verification. It can be one of the following:
•Strict
•Optional
•Best Effort
|
Chain
|
Displays the certificate chain.
Add—Click Add to add a CA certificate to the chain. A popup dialog box appears.
Enter the CA Trustpoint Name, The certificate in PEM format is displayed.
Click View Details to view the details of the CA Certificate.
Click OK to complete adding the certificate.
Remove—Select a certificate from the chain, then click Remove to remove the CA certificate from the chain.
|
CA Trustpoints
|
Provides the details of the CA Trustpoints.
CA Level—Level of the CA in the certificate chain.
CA Name—The name of the certification authority.
Trustpoint Name—Name of the trustpoint associated with the certificate.
Select a CA Trustpoint, then click Edit to edit the CA Trustpoint.
|
Click Next to continue.
Configuring Certificates and Key Files (PEM - Local Hard Disk)
The Certificates and Key Files dialog box allows you to specify the location of the certificates and key files.
The following fields are displayed:
Field
|
Description
|
CA (Certificates Issuer)
|
To create a new CA, specify the CA (issuer of the SSL certificate) certificate, private key and SSL certificate files you want to import. If the CA certificate is available on the SSLSM select the corresponding CA name.
|
CA Certificate File
|
The CA certificate file name with the absolute path. You can browse and select the file from the local hard disk.
|
Private Key File
|
The private key file name with the absolute path. You can browse and select the file from the local hard disk.
|
Private Key Passphrase
|
The passphrase to decrypt the key.
|
Allow Private Key
|
Select the check box to allow the private key export facility.
|
SSL Certificate File
|
The SSL certificate file name with the absolute path. You can browse and select the file from the local hard disk.
|
Note A passphrase protects a PEM file that contains a private key. The PEM file is encrypted by DES or 3DES. The encryption key is derived from the pass phrase. A PEM file containing a certificate is not encrypted and is not protected by the pass phrase.
Configuring Certificates and Key Files (PEM - Remote System)
The Certificates and Key Files dialog box allows you to specify the location of the certificates and key files.
The following fields appear:
Field
|
Description
|
Protocol
|
Select the protocol to be used for importing the file. You can select any of the following protocols:
•TFTP
•FTP
•RCP
•SCP
|
IP Address
|
IP address of the remote system.
|
Username
|
User name for the remote system.
|
Password
|
Password for the remote system.
|
CA Certificate File
|
The CA certificate file name with the absolute path.
Enter the absolute path and the file name.
Example: /Certs/cert.pem
|
Private Key File
|
The Private Key file name with the absolute path.
Enter the absolute path and the file name.
Example: /Certs/cert.pem
|
Passphrase
|
The passphrase to decrypt the key.
|
SSL Certificate File
|
The SSL certificate file name with the absolute path.
Example:
/user/local/Certs/cert.pem
|
Note A passphrase protects a PEM file that contains a private key. The PEM file is encrypted by DES or 3DES. The encryption key is derived from the pass phrase. A PEM file containing a certificate is not encrypted and is not protected by the pass phrase.
Specifying a CA Certificate (PEM)
This page of the wizard allows you to copy-and-paste the CA certificate in PEM format.
In Certificate Trustpoint Setup Wizard you can browse and specify the CA certificate file.
In Certificate Import Wizard you can select the CA certificate from the CA (Certificate Issuer) drop-down list. If you select any of the CA, the certificate details are displayed.
Click Next to continue.
Specifying Private Key (PEM Format)
Copy and paste the RSA private key in PEM format and enter the passphrase used to protect the key.
Click Next to continue.
Specifying SSL Certificate (PEM Format)
Copy and paste the SSL Certificate in PEM format.
Click Next to continue.
Viewing the Summary
When you use a wizard to perform a configuration, the wizard's Summary screen displays the summary of the certificate you are about to import.
You can examine the values and click the Back button to return to a screen on which you need to make a change. When you have made the changes, click the Finish button to import the certificate and leave the wizard.
Delivering Configuration to SSL Module
This page provides information on the CLI commands you have configured.
Click Deliver to deliver the commands to the module
Click Save to File to save the commands to a file.
Click Deliver Later to deliver the commands at a later point of time.
For more information on delivering CLI commands, see Delivering CLI Commands to the Device, page 1-22
Viewing the Certificate Import Status
The certificate import status dialog box dialog box provides the status details of the Trustpoint configuration tasks. The details displayed vary according to the task you selected. The dialog box displays the status against each task.
The configuration performed on the module is displayed in the content area. If any task fails, you can review the task details and take necessary action.
Exporting Certificates Using the Wizard
You can export certificates using either PKCS#12 file format or privacy-enhanced mail (PEM) file format.
Exporting certificates of more than one Trustpoint
To export certificates of more than one Trustpoint, see Export Certificates and Private Keys.
Exporting certificates of a selected Trustpoint
Step 1 Click Setup at the top of the window, click PKI in the left-most pane, and select Trustpoints from the object Selector. The Trustpoint page appears.
Step 2 Select a Trustpoint node from the logical group. You can group the Trustpoints using Trustpoint Grouper.
Step 3 Select a Trustpoint from the list.
Step 4 Click Operations, then select Export from the popup menu.
Step 5 The Trustpoint Export Wizard appears.
You can export Trustpoints in using PKCS#12 or PEM format.
For more information on exporting Trustpoints in PKCS#12 file format, see Exporting PEM Files.
For more information on exporting Trustpoints in PKCS#12 file format, see Exporting PKCS#12 Files.
Exporting PKCS#12 Files
To export a PKCS#12 File:
Step 1 Enter Certificate Format and Destination, the click Next. The summary page appears.
Step 2 Click Finish to compete exporting the file.
Exporting PEM Files
To export a PEM File:
Step 1 Enter certificate format and destination, the click Next.
You can select any of the following:
•Local Hard Disk—to export certificates and keys to the client workstation.
•Copy-and-Paste—to export certificates and keys using copy-and-paste method.
•Remote System—to export certificates and keys using TFTP, FTP, RCP or SCP.
Step 2 Specify Certificate and Key files. The fields change depending on the source you have selected.
Step 3 Click Finish to complete exporting the files.
Certificate Format and Destination
The Certificate Format and Destination page of the wizard allows you to specify the Trustpoint name and then select the format and destination.
The dialog box displays following fields:
Field
|
Description
|
Trustpoint Name
|
The name of the Trustpoint.
|
Pass phrase
|
The pass phrase to be used for decrypting the key.
|
Encryption
|
The encryption to be used for the key pairs.
|
Format
|
The file format. Options are PEM and PKCS#12.
|
If you select PEM, the following fields appear:
Field
|
Description
|
Local Hard Disk
|
Select to export certificates and keys to the client workstation
|
Copy and Paste
|
Select to export certificates and keys through copy-and-paste.
|
Remote System
|
Select to export certificates and keys using TFTP, FTP, RCP or SCP.
|
If you select PKCS#12, the following fields appear:
Field
|
Description
|
Protocol
|
The protocol used for the transferring the keys.
|
IP Address
|
The IP address of the destination system.
|
User Name
|
The user name for the destination system.
|
Password
|
The password to be used for the destination system.
|
PKCS#12 Certificate File
|
Specify the PKCS#12 file format.
|
Certificate and Key Pair Files (PEM - Local Hard Disk)
The Certificate and Key Pair Files (PEM Local Hard Disk) page of the wizard allows you to export PEM files from your local hard disk.
The following fields appear:
Field
|
Description
|
CA Certificate File
|
Enter the CA Certificate file name with the absolute path. Alternatively, you can browse and select the file from the local hard disk.
|
Private Key File
|
Enter the Private Key File name with the absolute path. Alternatively you can browse and select the file from the local hard disk.
|
SSL Certificate File
|
Enter the SSL Certificate File name with the absolute path. Alternatively you can browse and select the file from the local hard disk.
|
Certificate and Key Pair Files (PEM - Remote File System)
The Certificate and Key Pair File (PEM Remote File System) page of the wizard allows you to export a PEM file from a remote file system.
This page allows you to protocol, certificate and private key file destination details.
The following fields appear:
Field
|
Description
|
Protocol
|
Protocol to be used for exporting the file.
|
IP Address
|
IP address of the remote system.
|
User Name
|
User name for the remote system.
|
Password
|
Password for the remote system.
|
CA Certificate File
|
The absolute path to the CA Certificate file.
Example:/certs/cert.pem
|
Private Key File
|
The absolute path to the Private Key file.
Example:/certs/cert.pem
|
SSL Certificate File
|
The absolute path to the SSL Certificate file.
Example:/certs/cert.pem
|
Viewing Certificate Export Wizard Summary
When you use a wizard to perform a configuration, the wizard's Summary page displays the values that you have configured. You can examine those values and click the wizard's Back button to return to a screen on which you need to make a change. When you have made the changes, click the Finish button to save your changes and leave the wizard.
Viewing the Certificate Export Status
The certificate export status dialog box dialog box provides the status details of the certificate export tasks. If the task fails, you can review the task details and take necessary action.
Exporting Certificates in Bulk Using the Certificate Export Wizard
The Certificate Export Wizard allows you to select multiple Certificates and Private Keys and export them.
To export certificates using Certificate Export Wizard:
Step 1 Click Setup in the CVDM-SSLSM task bar.The Setup page appears
Step 2 Click Wizards in the left-most pane. The Setup Wizards information appears in the content area.
Step 3 Select Export Certificates and Private Keys, then click Launch the Selected Task. The Certificate Export Wizard appears.
You can export the certificates in either of the following formats:
•X.509 PEM
•PKCS#12
To export certificates and private keys in X.509 PEM format:
Step 1 Select Certificates and Format (X.509).
Step 2 Specify the Destination Details
Step 3 View the Status.
To export certificates and private keys in PKCS#12 format:
Step 1 Select Certificates and Format (X.509).
Step 2 Select the Destination.
Step 3 Specify the Destination details.
Selecting Certificates and Format (PEM, PKCS#12)
This page of the wizard helps you to specify the certificates to be exported and the format in which you want them to be exported.
The certificates are listed in the Certificates table. The following fields are displayed:
Field
|
Description
|
SSL Certificate Subject
|
The subject of the SSL certificate.
|
Certificate TrustPoint
|
The Trustpoint name of the certificate.
|
Select Export CA Certificate in the Chain to export the CA Certificates in the certificate chain of the selected certificates.
You can add and remove Certificates from the list:
•Click Add to add certificates to the export list. A popup window appears with the list of Trustpoints and Proxy Services. Select the Trustpoint or proxy services from the list, then click OK.
•Select a certificate and click Remove to remove a certificate from the export list.
Select the Format in which you want to export the certificate. You can export the certificates in X.509 PEM format or PKCS#12 format.
If you have selected X.509 PEM format, specify the following:
Field
|
Description
|
Encryption
|
The following are the encryption options:
3DES
|
Passphrase
|
Enter the passphrase.
|
Confirm Passphrase
|
Re-enter the passphrase to confirm.
|
Select the check box against Export CA Certificates in certificate chains to enable the export of the CA certificates in certificate chains.
If you have selected PKCS#12, specify the following:
Field
|
Description
|
Passphrase
|
Enter the passphrase.
|
Confirm Passphrase
|
Re-enter the passphrase to confirm.
|
Adding Certificates and Trustpoints for exporting
To add certificates and trustpoints to the export list:
Step 1 Click Setup in the CVDM-SSLSM task bar.The Setup page appears
Step 2 Click Wizards in the left-most pane. The Setup Wizards information appears in the content area.
Step 3 Select Export Certificates and Private Keys, then click Launch the Selected Task. The Certificate Export Wizard appears.
Step 4 Click Add. A popup window appears with the list of Trustpoints and Proxy Services.
Step 5 Click the tabs to select Trustpoint or Proxy Services.
Step 6 Select the Trustpoint or Proxy Service from the list.
Step 7 If you select Trustpoint, the following fields appear:
Field
|
Description
|
Trustpoint Name
|
The name of the Trustpoint.
|
Subject Name
|
The name of the subject.
|
Issuer Name (CA)
|
The name of the issuer.
|
Step 8 Select a Trustpoint Name and click OK to add or click Cancel to close the window.
Step 9 If you select Proxy Services, the following fields appear:
Field
|
Description
|
Proxy Service Name
|
The name of the proxy service.
|
Subject Name
|
The name of the subject.
|
Issuer name (CA)
|
The name of the issuer.
|
Step 10 Select a Proxy Service Name and click OK to add or click Cancel to close the window.
Specifying the Destination (PEM)
You can select any one of the following destination for theX.509 Format:
•Local Hard Disk—To export the certificate and private key to this client machine.
•Copy and Paste—To export the certificates and private key using copy and paste method.
•Remote System—To export the certificates and private keys to a remote server using TFTP, FTP, SCP, or RCP.
•Redundant SSLSM—To export the certificates and private keys to a redundant SSL services module.
Note Copy and Paste and Remote System options will be disabled if you select more than one certificate.
Specify Destination Details (PEM - Local Hard Disk)
You can specify the destination details using this page.
The following fields are displayed:
Fields
|
Description
|
Directory
|
Click the Browse button and browse to the directory where you want the certificate to be exported.
|
Trustpoint
|
Displays the name of the trustpoint.
|
CA Certificate File
|
Displays the CA certificate chain names.
|
SSL Certificate File
|
Displays the SSL certificate chain names.
|
Private Key File
|
Displays the Private Key option file names.
|
If you have selected the Export CA Certificate in Certificate Chains in the step 1 then the CA Certificates in Certificate Chains table with the following details are displayed.
Fields
|
Description
|
Certificate Authority (CA) Name
|
Displays the chain of certificate authority names.
|
CA Certificate File
|
Displays the chain of CA certificate file names.
|
Click Next to continue.
Specify Destination Details (Copy and Paste)
This page is enabled only when exporting a single Trustpoint. Once the export is completed, exported certificates and privates keys are displayed. You can copy and paste the certificate and save the file.
Specify Destination Details (PEM - Remote System)
Specify the details of the Remote system where you want the certificates and private keys to be exported.
The following fields are displayed:
Fields
|
Description
|
File Server
|
Protocol
|
Select from options:
•FTP
•RCP
•SCP
•TFTP
|
Server IP Address
|
Enter the IP address of the system.
|
Username
|
Enter the user name
|
Password
|
Enter the password.
|
Files
|
Directory
|
Enter the path or location of the files.
|
Trustpoint
|
Displays the name of the Trustpoint.
|
CA Certificate File
|
Displays the name of the CA Certificate files.
|
SSL Certificate File
|
Displays the name of the SSL Certificate files.
|
Private Key File
|
Displays the name of the Private key files.
|
To edit the CA certificate, SSL certificate, and, Private Key, select the Trustpoint name in the table and click Edit.
Click Next to continue.
Specify Destination Details (PEM - Redundant SSLSM)
You can export certificates to a redundant SSLSM. The Wizards will use the same Trustpoint name as the selected Trustpoint on the redundant SSLSM. You can edit the names if required.
Note Do not specify a Trustpoint name that already exists in the redundant SSLSM. If the Trustpoint name is already present, the export will fail.
The following fields are displayed:
Field
|
Description
|
Redundant SSLSM
|
IP Address
|
Enter the IP address of the redundant SSLSM.
|
User Name
|
Enter the user name.
|
Password
|
Enter password.
|
Enable Username
|
Re-enter the user name to enable the user
|
Enable Password
|
Re-enter the password to confirm.
|
Trustpoints
|
SSL Certificate Subject
|
Displays the list of SSL certificates.
|
Redundant SSLSM Trustpoint
|
Displays the list of redundant trustpoints of SSLSM
|
To edit the redundant SSLSM Trustpoint Name select the row in the table and click Edit.
If you have selected the Export CA Certificate in Certificate Chains in the step 1 then the CA Certificates in Certificate Chains table with the following details are displayed.
Fields
|
Description
|
Certificate Authority (CA) Name
|
Displays the chain of certificate authority names.
|
Redundant SSLSM Trustpoint
|
Displays the list of redundant trustpoints of SSLSM
|
CRL Verification
|
Select the CRL verification from the given options.
|
To edit the redundant SSLSM Trustpoint Name select the row in the table and click Edit.
Click Next to continue.
Specifying the Destination (PKCS#12)
You can select any one of the following destination for theX.509 Format:
•Remote System—To export the certificates and private keys to a remote server using TFTP, FTP, SCP, or RCP.
•Redundant SSLSM—To export the certificates and private keys to a redundant SSL services module.
Specify Destination Details (PKCS#12 - Remote System)
Specify the details of the Remote system where you want the certificates and private keys to be exported.
The following fields are displayed:
Fields
|
Description
|
File Server
|
Protocol
|
Select from options:
•FTP
•RCP
•SCP
•TFTP
|
Server IP Address
|
IP address of the system.
|
Username
|
Enter the user name
|
Password
|
Enter the password.
|
Files
|
Directory
|
Enter the path or location of the files.
|
SSL Certificate Subject
|
Displays the list of SSL Certificate Subject.
|
PKCS#12 File
|
Displays the list of PKCS#12 Files.
|
To edit the PKCS#12 files, select the row in the table and click Edit.
Click Next to continue.
Specify Destination Details (PKCS#12 - Redundant SSLSM)
You can export certificates to a redundant SSLSM. The Wizards will use the same Trustpoint name as the selected Trustpoint on the redundant SSLSM. You can edit the names if required.
You need to specify a staging area. The certificates are exported to the staging area and then imported to the redundant SSLSM from the staging area.
Note Do not specify a Trustpoint name that already exists in the redundant SSLSM. If the Trustpoint name is already present, the export will fail.
Field
|
Description
|
Redundant SSLSM
|
IP Address
|
Enter the IP address.
|
Username
|
Enter the user name.
|
Password
|
Enter the password.
|
Enable Username
|
Re-enter the user name to confirm the user.
|
Enable Password
|
re-enter password to confirm.
|
Remote File Server
|
Protocol
|
Select from the options below:
•FTP
•RCP
•SCP
•TFTP
|
Server IP Address
|
Enter the server IP address.
|
Username
|
Enter the user name.
|
Password
|
Enter the password.
|
Files and Trustpoints
|
Directory
|
Enter the path or location of the files.
|
SSL Certificate Subject
|
Displays the list of SSL certificate subject names.
|
PKCS#12 File
|
Displays the list of PKCS#12 files.
|
Redundant SSLSM Trustpoint
|
Displays the list of SSLSM trustpoints that are redundant.
|
To edit the PKCS#12 files and Redundant SSLSM Trustpoints, select the SSL Certificate Subject in the table and click Edit.
Click Next to continue.
Viewing Certificate Trustpoints
The Certificate Trustpoint page shows all certificate Trustpoints configured on the SSL Services Module.
Figure 3-2 Public Key Infrastructure Page
To view all Trustpoints:
Step 1 Click Setup at the top of the window, click PKI in the left-most pane, and select Certificate Trustpoints from the object Selector.
The following information is displayed for Trustpoints:
Field
|
Description
|
Trustpoints
|
Trustpoint Name
|
The name of the trustpoint associated with the key pair.
|
CA Name
|
Certificate Authority associated with the Trustpoint.
|
Subject Name
|
Subject name in the SSL certificate associated with the Trustpoint
|
Expiry Date
|
The expiry date of SSL certificate or CA certificate which ever expires earlier
|
Status
|
Status of the associated CA certificate.
A  icon indicates that the certificate is valid.
A  icon indicates that the certificate invalid.
A  icon indicates that the certificate is valid only for less than 10 days.
A  icon indicates that the certificate is valid only for less than 20 days.
A  icon indicates that the certificate is valid only for less than 30 days.
Status will be displayed only for Trustpoints with Certificates.
|
Select a Trustpoint name from the table to view the following Trustpoint status details.
Field
|
Description
|
Trustpoint
|
The trust point name. Click on the link to view details on the trustpoint.
|
CA Certificate
|
Status
|
Status of the CA certificate.
A icon indicates that the certificate is valid.
A icon indicates that the certificate invalid.
A icon indicates that the certificate is valid only for less than 10 days.
A icon indicates that the certificate is valid only for less than 20 days.
A icon indicates that the certificate is valid only for less than 30 days.
|
CA Name
|
Subject of the CA Certificate.
|
SSL Certificate
|
Status
|
Status of the SSL certificate.
|
Subject Name
|
Subject of the SSL certificate.
|
Keypair Name
|
Key pair to which the trustpoint is associated.
|
Certificate Chain
|
Status
|
Status of the certificate chain.
|
Chain Length
|
Number of certificates in a chain.
|
You can launch wizards to configure a Trustpoint. To launch the wizard, click Setup Wizard, then select one of the following options:
•Configure a Certificate Trustpoint...
•Import Certificates from External PKI...
Select a Trustpoint, then click Delete to delete a trustpoint.
Certificate Trustpoint Grouper
You can group Trustpoints based on different common parameters.
To group the Trustpoints:
Step 1 Select one of the options:
•Group by Enrollment Status—to group Trustpoints based on the enrollment status. The Trustpoints are displayed under the following groups.
–SSL Certificates—all Trustpoints that have an SSL Certificate.
–Enrollment Pending—all Trustpoints that have a CA certificate and key pair configured but do not have an SSL certificate.
–CA Certificates—all Trustpoints that have a CA certificate configured but the key pair is not configured. All the CA Trustpoints will be grouped under this group.
–No Certificates—all Trustpoints that do not have any certificate associated with it.
•Group by Expiry—to group Trustpoints based on the expiry date. The Trustpoints are displayed under groups starting with the Trustpoints expiring this month, then next month and so on.
•Group by CA—to group Trustpoints by CA.
•No Grouping—to list all Trustpoints without any group.
Based on your selection, Trustpoints are grouped under the Trustpoints node in the object Selector.
Certificate Trustpoint Details
You can view the configuration and certificate details of a selected Trustpoint.
Figure 3-3 Public Key Infrastructure Details
Step 1 Click Setup at the top of the window, click PKI in the left-most pane, and select Trustpoints from the object Selector. The Trustpoint page appears.
Step 2 Select a Trustpoint object from the logical group. You can group the Truspoints using Trustpoint Grouper. For more on Certificate Trustpoint Grouper, see Certificate Trustpoint Grouper.
Step 3 Click Configuration Tab.
The following fields are displayed:
Field
|
Description
|
Trustpoint Name
|
The name of the Trustpoint.
|
Key Pair Name
|
The key pair associated with the trustpoint.
|
Certificate
|
Subject
|
The subject of the certificate.
|
IP Address
|
The IP address of the module.
|
Certificate Purpose
|
The purpose of the certificate.
|
Include SSL Serial Number in Subject Name
|
Select this option to include the SSLSM serial number in the subject name.
|
Enrollment
|
Enrollment Method
|
The enrollment method for the certificate.
Example: copy-and-paste.
|
CA Server URL
|
The URL of the CA server.
|
Retry Count
|
Specifies how many time CVDM should try to enroll the certificate with the module.
|
Retry Period (min)
|
Duration between retries, in minutes.
|
Enable Auto-enrollment
|
Indicates whether auto-enrollment is enabled for the certificate.
|
Regenerate keys on auto enrollment
|
Indicates whether the certificate regenerates keys on autoenrollment.
|
CRL
|
x 500 CDP Information
|
x500 CDP information for the certificate trustpoint.
|
CRL Validation
|
Effectiveness with which the CRL has to be validated.
Values are:
•Default—If the trustpoint has been selected to validate a certificate. If the CRL is not in the database or has expired, the SSL module dowloads a CRL and saves it to the database for later use. If the CRL download fails, the SSL module rejects the certificate being validated.
•Optional— If the SSL module finds a CRL in the database and has not expired, then the SSL module performs a CRL lookup. If the SSL module does not find CRL, the SSL module accepts the certificate. The SSL module makes no attempt to download a CRL.
•Best-effort—If the SSL module finds a CRL in the database and has not expired, then the SSL module performs a CRL lookup. If the SSL module does not find CRL, the SSL module attempts to download a CRL. However, if the CRL download fails, the SSL module accepts the certificate.
|
Certificate ACL
|
Certificate ACL
|
The name of the Certificate ACL associated with the Trustpoint.
|
To view SSL certificate details, click SSL Certificate Tab.
To view CA Certificate details, click CA Certificate Tab.
To view Certificate chain details, click Certificate Chain Tab. The certificate chain is displayed in tree format. Each node displays the subject of the certificate.
You can view the details of each certificate on the chain. The following fields are displayed:
Field
|
Description
|
Status
|
Indicates the status of the selected certificate chain.
A  icon indicates that the certificate chain is complete.
A  icon indicates that the certificate chain is incomplete.
Example: Certificate chain
is complete - CA certificate
is the Root.
|
Certificate Details
|
Certificate
|
Shows the details of the certificate including the details on how long the certificate is valid.
Other details include:
•Version and serial number
•Issuer
•Subject
•Subject Public Key Information
|
Associated Trustpoint
|
Click on the link to view the Trustpoint details.
|
Trustpoint name
|
The name of the trustpoint associated with the certificate.
|
Click Operations and select any one of the following Trustpoint operations:
Trustpoint Operation
|
Description
|
Authenticate
|
Select this option to authenticate a CA certificate.You must configure the enrollment method for the Trustpoint to perform this operation.
For more information on authenticating a Trustpoint, see Authenticating Trustpoints
|
Enroll
|
Select this option to create a certificate request. You must configure the enrollment method and key pair to perform this operation.
For manual enrollment methods (Copy and Paste/TFTP) a certificate request will be created. For SCEP enrollment, the certificate request will be sent to the CA server.
For SCEP enrollment, you must configure a Challenge Password. If password is not configured, a challenge password dialog box will appear.
For more information on authenticating a Trustpoint, see Enrolling Trustpoints
|
Authenticate and Enroll
|
Select this option to authenticate a CA certificate and create a certificate request. For manual enrollment (Copy and Paste/TFTP) a certificate request will be created. For SCEP enrollment, the certificate request will be sent to the CA server.
You must configure enrollment method and key pair for the Trustpoint to perform this operation.
For SCEP enrollment, you must configure a Challenge Password. If password is not configured, a challenge password dialog box will appear.
For more information on authenticating a Trustpoint, see Authenticating and Enrolling Trustpoints
|
Import SSL Certificate
|
Select this option to import an SSL certificate issued by the CA for manual enrollment (Copy and Paste/TFTP).
For more information on authenticating a Trustpoint, see Importing SSL Certificate Trustpoints
|
Renew
|
Select this option to create a new certificate request. You can optionally regenerate the keys when creating the certificate request.
For manual enrollment methods, a certificate request will be created. For SCEP enrollment, the certificate request will be sent to the CA server.
This option is enabled only for Trustpoints with SSL certificate.
For more information on authenticating a Trustpoint, see Renewing Trustpoints
|
Export
|
Select this option to export the certificate and private key associated with the Trustpoint. You can export the certificate only if the private key is exportable.
For more information on authenticating a Trustpoint, see Exporting Trustpoints
|
To edit the Trustpoint configuration, click Edit. For more information on editing Trustpoints, see Editing Trustpoint Configuration
Authenticating Trustpoints
The Trustpoint Authentication dialog box provides the authentication details and the status.
To authenticate a truspoint, do the following:
Step 1 Click Setup at the top of the window, click PKI in the left-most pane, and select Certificate Trustpoints from the object Selector. The Trustpoint page appears.
Step 2 Select a Trustpoint object from the logical group. You can group the Truspoints using Trustpoint Grouper. The Truspoint details dialog box appears with the configuration information.
Step 3 Click Operations, then select Authenticate. The Authentication dialog box appears.
Enrolling Trustpoints
To enroll a certificate truspoint, do the following:
Step 1 Click Setup at the top of the window, click PKI in the left-most pane, and select Certificate Trustpoints from the object Selector. The Trustpoint page appears.
Step 2 Select a Trustpoint object from the logical group. You can group the Certificate Truspoints using Grouper. The Truspoint details dialog box appears with the Configuration information.
Step 3 Click Operations, then select Enroll.
Authenticating and Enrolling Trustpoints
To authenticate and enroll a certificate truspoint, do the following:
Step 1 Click Setup at the top of the window, click PKI in the left-most pane, and select Certificate Trustpoints from the object Selector. The Trustpoint page appears.
Step 2 Select a Trustpoint object from the logical group. You can group the Certificate Truspoints using Grouper. The Truspoint details dialog box appears with the Configuration information.
Step 3 Click Operations, then select Authenticate and Enroll.
Importing SSL Certificate Trustpoints
To import a SSL Certificate, do the following:
Step 1 Click Setup at the top of the window, click PKI in the left-most pane, and select Certificate Trustpoints from the object Selector. The Trustpoint page appears.
Step 2 Select a Trustpoint object from the logical group. You can group the Certificate Truspoints using Grouper. The Truspoint details dialog box appears with the Configuration information.
Step 3 Click Operations, then select Import SSL Certificate.
Renewing Trustpoints
To renew a certificate trustpoint, do the following:
Step 1 Click Setup at the top of the window, click PKI in the left-most pane, and select Certificate Trustpoints from the object Selector. The Trustpoint page appears.
Step 2 Select a Trustpoint object from the logical group. You can group the Certificate Truspoints using Grouper. The Truspoint details dialog box appears with the Configuration information.
Step 3 Click Operations, then select Renew. The Trustpoint Operation - Renew popup dialog box appears with the following fields:
Field
|
Description
|
Regenerate
|
Select the check box to regenerate the certificate.
|
Keypair Name
|
Name of the key pair.
|
Usage
|
Describes the use of the key.
Example: General Purpose.
|
Key Size (bits)
|
Size of the key in bits.
|
Exportable
|
Indicates whether you can export the key.
|
Step 4 Click OK to make changes.
Exporting Trustpoints
To export a SSL Certificate, do the following:
Step 1 Click Setup at the top of the window, click PKI in the left-most pane, and select Certificate Trustpoints from the object Selector. The Trustpoint page appears.
Step 2 Select a Trustpoint object from the logical group. You can group the Certificate Truspoints using Grouper. The Truspoint details dialog box appears with the Configuration information.
Step 3 Click Operations, then select Export SSL Certificate.
Editing Trustpoint Configuration
Step 1 Click Setup at the top of the window, click PKI in the left-most pane, and select Certificate Trustpoints from the object Selector.
Step 2 Select a Trustpoint from the table, then click Edit. The Trustpoint Edit dialog box appears with the following fields:
Field
|
Action/Description
|
General
|
Trustpoint Name
|
Name of the Trustpoint.
|
Key Pair Name
|
Name of the key pair associated with the Trustpoint.
Click  and select one of the following:
•Create and use a new Key Pair
•Select an existing Key Pair
•Regenerate Key Pair
•Clear the Key Pair
|
Certificate Purpose
|
Select the purpose of the certificate from the list:
•ssl-client
•ssl-server
|
Enrollment Configuration
|
Enrollment Method
|
Select one of the following certificate enrollment method:
•SCEP
•TFTP
•Copy and Paste
|
CA Server URL
|
Enter the enrollment URL of the certification authority server.
|
Retry Count
|
Enter the number of retries.
|
Retry Period
|
Enter the interval between the retries.
|
HTTP Proxy
|
Enter the IP address of the HTTP proxy.
|
Port
|
Enter the port number for the HTTP proxy.
|
Auto Renewal and Enrollment
|
Select the checkbox to enable auto renewal and enrollment.
|
Renewal Percentage (%)
|
Enter the percentage of renewal. Default is 100%.
|
Challenge Password
|
Enter the Challenge Password.
Click  and select one of the following options:
•Configure a Challenge Password
•Clear Challenge Password
|
Regenerate Keys on Re-enrollment
|
Select this checkbox to regenerate key on re-enrollment.
|
CRL Configuration
|
x.500 CDP Information
|
Enter the X.500 CDP information.
You can enter the hostname and port if the CDP is in X.500 DN format. The query takes the information in the following form: ldap://hostname:[port]
For example, if a certificate being validated has the following:
•The X.500 DN is configured with CN=CRL,O=Cisco,C=US
•The associated trustpoint is configured with crl query ldap://10.1.1.1
then the two parts are combined to form the complete URL as follows:
ldap://10.1.1.1/CN=CRL,O=Cisco,C=US.
Note The trustpoint should be associated with the issuer certificate authority certificate of the certificate being validated. If there is no such trustpoint in the database, the complete URL cannot be formed, and CRL download cannot be performed.
|
CRL Validation
|
Select the type of CRL validation to be used for the certificate:
•Default—If the trustpoint has been selected to validate a certificate. If the CRL is not in the database or has expired, the SSL module downloads a CRL and saves it to the database for later use. If the CRL download fails, the SSL module rejects the certificate being validated.
•Optional— If the SSL module finds a CRL in the database and has not expired, then the SSL module performs a CRL lookup. If the SSL module does not find CRL, the SSL module accepts the certificate. The SSL module makes no attempt to download a CRL.
•Best-effort—If the SSL module finds a CRL in the database and has not expired, then the SSL module performs a CRL lookup. If the SSL module does not find CRL, the SSL module attempts to download a CRL. However, if the CRL download fails, the SSL module accepts the certificate.
|
Certificate ACL
|
Certificate ACL
|
Enter the Certificate ACL information.
|
Step 3 Modify the values, then click OK.
Selecting Available ACLs
The following information appears:
Field
|
Action/Description
|
Certificate ACLs
|
The name of the certificate ACL.
|
Select ACLs from the table, then click OK.
Selecting Available Key Pairs
The following information appears:
Field
|
Action/Description
|
Key Pair Name
|
The name of the key pair.
|
Key Size
|
The size of the key pair.
|
Select key pairs from the table, then click OK.
Certificate Hierarchy
Certificate Hierarchy helps you to browse through the certificates imported on the SSLSM and visualize the certificate hierarchy. You can also see the validity status and the certificate chain status in the certificate tree.
In the Associated Trustpoints table, you have the hyperlinks to the associated Trustpoints. You can view and configure the trustpoints by clicking the hyperlink.
To view the Certificate Hierarchy:
Step 1 Click Setup at the top of the window, click PKI in the left-most pane, and select Certificate Hierarchy from the object Selector. The certificate tree appears in the content pane.
Step 2 Select a certificate from the certificate hierarchy tree. The details of the selected certificate is displayed in the Certificate Details box and the associated Trustpoint names appears in the Associated Trustpoint box.
Figure 3-4 PKI > Certificate Hierarchy Page
Deleting Certificates
Step 1 Click Setup at the top of the window, click PKI in the left-most pane, and select Trustpoints from the object Selector.
Step 2 Select a Trustpoint from the table.
Step 3 Click Delete.
Challenge Password
Challenge password is required for SCEP enrollment. If you have not configured a challenge password, challenge password dialog will be prompted.
This password is necessary in the event that you ever need to revoke your certificate(s). When you ask the CA administrator to revoke your certificate, you must supply this challenge password as a protection against fraudulent or mistaken revocation requests.
The Challenge Password dialog box has got two fields. Challenge Password and Confirm Password. Enter the password and confirm it. Click OK to continue.
How Do I...
This section describes on how to achieve a task. The following questions are answered:
• How Do I Import an SSL Certificate and Private Key to SSLSM?
• How do I Import a CA Certificate Chain on the SSLSM?
• How do I generate a Certificate Signing Request (CSR)?
• How do I import the SSL certificate obtained using CSR?
• How Do I Export Certificates and Private Keys from SSLSM?
• How Do I Renew an SSL Certificate?
How Do I Import an SSL Certificate and Private Key to SSLSM?
The Certificate Import Wizard helps you to import the SSL certificate and the private key on the SSLSM. If you are importing the SSL certificate and private key from your client machine, you could also import the associated CA certificate chain.
Step 1 Click Setup in the CVDM-SSLSM task bar.The Setup page appears
Step 2 Click Wizards in the left-most pane. The Setup Wizard page appears.
Step 3 Select Import Certificates and Private key, then click Launch the Selected Task. The Certificate Import Wizard appears.
You can import files in any of the following format:
•PKCS#12
•X.509 PEM
•X.509 DER
•PKCS#7
Note When creating a PKCS#12 file, include the entire certificate chain, from server certificate to root certificate, and public and private keys. You can also generate a PKCS#12 file from the module and export it.
Note If you are using SSH, we recommend using SCP when importing or exporting a PKCS#12 file. SCP authenticates the host and encrypts the transfer session.
For details on Certificate Import Wizard, see Import Certificates and Private Key.
How do I Import a CA Certificate Chain on the SSLSM?
The Certificate Trustpoint Setup Wizard helps you to Import a CA certificate chain.
To configure a certificate Trustpoint:
Step 1 Click Setup in the task bar. The Setup page appears.
Step 2 Click Wizard in the left-most pane. The Wizards information page appears.
Step 3 Click the Certificate Wizards. The Certificate Wizards page appears.
Step 4 Select Configure a Certificate Trustpoint, then click Launch the Selected Task to launch the wizard.
You could Import a CA certificate chain using CA certificates in X.509 Privacy Enhanced Mail (PEM) format or PKCS#7 format.
Importing a CA certificate chain in PEM format
To import a CA certificate chain using CA certificates in PEM format, you need to perform the following tasks:
Step 1 Specify a Trustpoint name prefix. When importing a certificate chain, a CA certificate Trustpoint is setup for each of the CA certificates in the certificate chain. Select the CA Trustpoint.
Step 2 Select X.509 PEM from the format options, select the source from which you wish to import the CA certificates and select the Import a CA Certificate Chain option.
Step 3 Specify the CA certificates in the certificate chain. You must specify the CA certificates starting from the root CA certificate (self-signed certificate) to your subordinate CA. A Trustpoint name is automatically generated for the CA Trustpoints based on the prefix specified in Step 1. You can edit the Trustpoint names using the CA Trustpoints tab.Importing a CA certificate chain in PKCS#7 format
Review the summary and click Finish. A status dialog will be launched displaying the status of the certificate Trustpoint setup.
To import a CA certificate chain in PKCS#7 format, perform the following tasks:
Step 1 Specify a Trustpoint name prefix. When importing a certificate chain, a CA certificate Trustpoint will be setup for each of the CA certificates in the certificate chain. Select the CA Trustpoint.
Step 2 Select PKCS#7 from the format options. To import a PKCS#7 file from your client machine select the Local Hard Disk option and specify the PKCS#7 file. The wizard will decode the PKCS#7 file and list all the CA certificates in the file. A default Trustpoint name is automatically generated for each of the CA certificates based on the Trustpoint name prefix specified in Step 1. You can double-click on the row to edit the Trustpoint name.
Step 3 Specify the CA certificates in the certificate chain. You must specify the CA certificates starting from the root CA certificate (self-signed certificate) to your subordinate CA. A Trustpoint name will be automatically generated for the CA Trustpoints based on the prefix specified in Step 1. You can edit the Trustpoint names using the CA Trustpoints tab.
Review the summary and click Finish. A status dialog will be launched displaying the status of the certificate Trustpoint setup.
How do I generate a Certificate Signing Request (CSR)?
To generate a Certificate Signing Request (CSR), do the following tasks:
•If the Certificate Authority (CA) issuing your SSL certificate is a subordinate CA, import all the CA certificates in the certification path. If your CA is a root CA (self-signed CA certificate), you can skip this task.
•Configure a certificate Trustpoint, authenticate the CA certificate corresponding to the issuer of your SSL certificate, and generate a CSR.
The Certificate Trustpoint Setup Wizard helps you perform the above tasks.
Importing a CA certificate chain
Note If the issuing CA certificate is a self-signed certificate, you can skip this step.
For more details, see How do I Import a CA Certificate Chain on the SSLSM?
Configuring a Certificate Trustpoint
To configure a certificate Trustpoint:
Step 1 Click Setup in the task bar. The Setup page appears.
Step 2 Click Wizard in the left-most pane. The Wizards information page appears.
Step 3 Click the Certificate Wizards. The Certificate Wizards page appears.
Step 4 Select Configure a Certificate Trustpoint, then click Launch the Selected Task to launch the wizard.
Step 5 Specify a Trustpoint name and select the Proxy Service Trustpoint option. By default, a new RSA key pair will be generated with the same name as the Trustpoint. Specify the key size. If you already have the RSA key pair on the SSLSM, select the Use an Existing Key Pair option and specify the key pair name.
Step 6 Specify the certificate attributes - subject Distinguished Name (DN), unstructured name, unstructured IP address and, certificate purpose. These attributes are optional.
Step 7 Specify the enrollment method. SSLSM supports three methods of certificate enrollment.
•Automatic Enrollment using Simple Certificate Enrollment Protocol (SCEP)
If SCEP is used, SSLSM sends the certificate request (CSR) to the specified SCEP server. The SSL certificate issued by the CA is automatically imported.
• Manual Enrollment using TFTP
In this method, you must specify a filename on your TFTP server.
For example,
tftp://10.77.241.10/certs/mycert
SSLSM adds file extensions to the filename as follows:
–.ca when downloading the CA certificate from the TFTP server.
For example mycert.ca
–.req when copying the generated CSR to the TFTP server.
For example mycert.req
–.crt when downloading the SSL certificate from the TFTP server.
For example mycert.crt
•Manual Enrollment using Copy-and-Paste
In this method, the CSR is displayed to you. You can copy the CSR and submit it to your CA.
If certificate Trustpoints exists on the SSLSM, and are enrolled with CAs, the CA field lists the corresponding CA names. If you select a CA, the corresponding enrollment configuration is applied to the new Trustpoint.
Step 8 Specify the CA certificate
This step applies only to Copy-and-Paste method. When using the copy-and-paste method, you must specify the certificate of your CA issuing the SSL certificate.
For TFTP method, the SSLSM will download the CA certificate from the TFTP server.
Step 9 Select Authenticate the CA and Generate a CSR option from the setup task options and click Next.
Review the summary and click Finish. A status dialog will be launched displaying the status of the certificate Trustpoint setup.
When authenticating the CA certificate, the MD5 fingerprint of the CA certificate will be displayed. You need to manually verify the fingerprint and accept the certificate. For copy-and-paste method, the CSR will be displayed. For TFTP method, the CSR will be copied to the TFTP server.
How do I import the SSL certificate obtained using CSR?
Importing SSL Certificate using Certificate Trustpoint Setup Wizard
If you are using TFTP enrollment method, copy the SSL certificate obtained using the CSR to the TFTP server. You must use the filename configured in the Trustpoint with a.crt file extension.
Step 1 Specify the name of the certificate Trustpoint that you setup to generate the CSR.
Step 2 Skip this step.
Step 3 Skip this step.
Step 4 Select Import SSL Certificate from the setup task option.
Step 5 This step applies only if you are using copy-and-paste enrollment method. Copy and paste the SSL certificate in PEM format.
Review the summary and click Finish. A wizard status dialog will be launched displaying the status of the SSL certificate import.
Importing SSL Certificate from Trustpoint Details Screen
To import a SSL Certificate, do the following:
Step 1 Click Setup at the top of the window, click PKI in the left-most pane, and select Certificate Trustpoints from the object Selector. The Trustpoint page appears.
Step 2 Select a Trustpoint object from the logical group. The Truspoint details screen appears with the Configuration information.
Step 3 Click Operations, then select Import SSL Certificate.
Review the summary and click Finish. A wizard status dialog will be launched displaying the status of the SSL certificate import.
How Do I Export Certificates and Private Keys from SSLSM?
The Certificate Export Wizard helps you to export the SSL certificate and the private key from the SSLSM. If you are exporting the SSL certificate and private key to your client machine, you could also export the associated CA certificate chain.
For details of Certificate Export Wizard, see Export Certificates and Private Keys.
How Do I Renew an SSL Certificate?
You can renew Certificates and Key pairs.
Step 1 Click Setup at the top of the window, click PKI in the left-most pane, and select Trustpoints from the object Selector. The Trustpoint page appears.
Step 2 Select a Trustpoint node from the logical group. You can group the Truspoints using Trustpoint Grouper.
Step 3 Select a Trustpoint from the list.
Step 4 Click Operations, then select Renew from the popup menu.
Review the summary and click Finish. A status dialog will be launched displaying the status of the certificate Trustpoint setup.
