-- *********************************************************************
-- CISCO-PKI-PARTICIPATION-MIB.my: Cisco Public Key Infrastructure
-- Participation MIB
--
-- May 2005, Ramachandran V R
--
-- Copyright (c) 2005 by cisco Systems, Inc.
-- All rights reserved.
--
-- *********************************************************************

CISCO-PKI-PARTICIPATION-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY,
    OBJECT-TYPE,
    Unsigned32
        FROM SNMPv2-SMI
    MODULE-COMPLIANCE,
    OBJECT-GROUP
        FROM SNMPv2-CONF
    TEXTUAL-CONVENTION,
    DateAndTime, TruthValue, StorageType, RowStatus
        FROM SNMPv2-TC
    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB
    ciscoMgmt
        FROM CISCO-SMI;

cpkiMIB MODULE-IDENTITY
    LAST-UPDATED    "200510220000Z"
    ORGANIZATION    "Cisco Systems, Inc."
    CONTACT-INFO
            "       Cisco Systems
                    Network Management Technology Group

            Postal: 170 W Tasman Drive
                    San Jose, CA 95134
                    USA

               Tel: +1 800 553-NETS

            E-mail: cs-san@cisco.com"
    DESCRIPTION
        "A networking device may provide several security services
        and protocols like SSL, SSH, IPSec/IKE etc. which need
        identities in the form of X509 certificates. The device
        uses these certificates (called identity certificates) to
        authenticate itself to various clients communicating with
        the device using these protocols and also to provide other
        protection for the communication like confidentiality,
        integrity and non-repudiation. In addition, the device may
        need to authenticate the clients which involves, among
        other things, verifying the certificates presented by the
        clients (peer certificates) during the protocol exchanges.
        The certificate verification, in turn, involves the
        certificate revocation status checking and the certificate
        signature verification.

        This MIB applies to the public key infrastructure (PKI)
        participation feature which enables a networking device to
        participate in one or more PKI services (also called
        Certificate Authorities) enabling it to obtain one or more
        X509 identity certificates for its own use as well as to
        verify peer certificates.

        This MIB organizes the various certificates, key-pairs and
        Certificate Authority related information into the tables:
        the trustpoint table for certificate and CA information
        and a key-pair table for the key-pair information for each
        type of key-pair such as RSA, DSA etc. An entry in the
        trustpoint table corresponds to a trusted CA for obtaining
        an identity certificate from and also for verifying the
        peer certificates issued by that CA. The entry contains
        information about the CA certificate, the identity
        certificate - if obtained - from the CA, the corresponding
        key-pair from a key-pair table (for which the identity
        certificate was obtained) and the information needed for
        revocation checking of certificates issued by the CA.

        For each type (RSA, DSA etc.) of key-pair supported by the
        device, a key-pair table is present and contains an entry
        for each key-pair of that type present in the device. This
        allows future expansion of the MIB to support additional
        key-pair types (currently only RSA key-pair is supported).

        As seen above, a key-pair entry from a key-pair table can
        be associated to an entry in the trustpoint table. A key-
        pair entry can be associated to multiple trustpoint table
        entries but not vice versa.

        This MIB supports the certificate work-flow operations,
        generally used for generating the key-pairs and obtaining
        the certificates for them from various CAs. The following
        are the steps in one typical work-flow:

        1. Create a trustpoint (an entry in trustpoint table) in
           the device.
        2. Authenticate a CA (this involves manually verifying the
           CA certificate/chain fingerprints and then inputting the
           CA certificate/chain into the trustpoint).
        3. Generate a key-pair (an entry in key-pair table).
        4. Associate the key-pair to the trustpoint.
        5. Generate a pkcs#10 Certificate Signing Request (CSR) in
           the trustpoint.
        6. Submit CSR to the CA and get the identity certificate.
        7. Input the identity certificate into the trustpoint.

        In another typical certificate work-flow, the key-pair and
        the corresponding identity certificate are allowed to be
        generated/obtained outside the device by whatever means
        and then input to the device in the pkcs#12 form.

        This MIB does not support the configuration of individual
        security services like SSL, SSH, IPsec/IKE etc. to use
        particular trustpoints or certificates and key-pairs in
        them. Instead the security services certificate usage
        configuration is supported in the respective feature MIBs.


        Glossary of the terms used in this MIB:
        --------------------------------------
        key-pair -
            A pair of public-key cryptographic keys in which one is
            public and the other private.
        RSA key-pair -
            A key-pair belonging to the RSA public-key cryptography
            algorithm.
        Certificate Authority (CA) -
            A service which issues X509 certificates to certify the
            identity (name) and public-key of end entities.
        X509 -
            A standard for certificates and CRLs.
            Reference: RFC 2459.
        CA certificate -
            The self-signed certificate of a CA certifying its own
            identity and public-key.
        CA certificate chain -
            If a CA is certified by another CA which, in turn, was
            certified by a third CA and so on, ending in a CA which
            is self-certified, the original CA is said to be a
            subordinate CA and its CA certificate is a chain which
            is the set of CA certificates of all CAs involved.
        Identity certificate -
            The certificate of a device issued by a CA in which the
            device identity and public-key are certified.
        Trustpoint -
            The various information about a CA (including its CA
            certificate/chain), which the device wants to trust so
            that it can use it to enroll with the CA to get an
            identity certificate and/or use it to verify the peer
            certificates issued by the CA.
        Certificate fingerprint -
            The digest of a certificate computed using MD5 or SHA
            hash algorithm.
        CA authentication -
            The process of configuring the CA certificate/chain for
            a trustpoint. The process involves calculating the
            fingerprints of the CA certificates and verifying them
            against the same already published by the CAs.
        Enrollment -
            The process of creating a Certificate Signing Request in
            a trustpoint, submitting it to the corresponding CA,
            getting back the identity certificate and inputting it
            into the trustpoint.
        Certificate verification -
            The process of verifying the signature on a certificate
            to see if it was really signed by the CA who issued it.
            This verification process uses the CA certificate/chain.
            The certificate verification also involves verifying the
            validity of certificate with respect to current time by
            checking against the validity interval given in the
            certificate and the revocation status of the certificate
            as maintained by the CA.
        Certificate Signing Request (CSR) -
            A request to a CA for signing a certificate of an entity.
            The request contains the public key, the name and other
            attributes of the entity.
        pkcs#10 -
            A standard syntax for the CSR. Reference: RFC 2986.
        pkcs#12 -
            A standard for exporting and importing a certificate
            along with associated key-pair and CA certificate/chain.
            Reference: PKCS #12 v1.0: Personal Information Exchange
            Syntax Standard, RSA Laboratories, June 24, 1999
        CRL -
            Certificate Revocation List, a list of certificates that
            are revoked, as maintained by a CA.
        OCSP -
            Online Certificate Status Protocol, a protocol for online
            checking of the revocation status of certificates.
        PEM format -
            A printable text encoding format for certificates,
            key-pairs and CRLs, as employed by the Privacy Enhanced
            Mail standard. Reference: RFCs 1421-1424.
        "

    REVISION        "200510220000Z"
    DESCRIPTION
        "Initial version."

    ::= { ciscoMgmt 505 }

--
-- Objects, Notifications & Conformances
--

cpkiMIBNotifs  OBJECT IDENTIFIER
    ::= { cpkiMIB 0 }
cpkiMIBObjects  OBJECT IDENTIFIER
    ::= { cpkiMIB 1 }
cpkiMIBConform  OBJECT IDENTIFIER
    ::= { cpkiMIB 2 }
cpkiConfig  OBJECT IDENTIFIER
    ::= { cpkiMIBObjects 1 }

--
-- Textual Conventions
--
CiscoPkiAction ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "The PKI Support Actions for performing the certificate
        work-flow operations.

        'noop' - No operation

        'caauth' - Certificate Authority (CA) authentication.
                   This operation is provided to authenticate
                   a CA and install its CA certificate/chain
                   in a trustpoint. This action needs to be
                   followed up with the 'certconfirm' or
                   'certnoconfirm' action explained below.

        'cadelete' - CA Certificate/chain deletion. This
                     operation is provided to delete the CA
                     certificate/chain from a trustpoint.

        'certreq' - Identity certificate Request creation. This
                    operation is provided to generate a pkcs#10
                    format certificate request needed to obtain
                    an identity certificate from a CA.

        'certimport' - Identity certificate import. This
                       operation is provided to install an
                       identity certificate obtained from a CA
                       for an earlier certificate request, in
                       a trustpoint.

        'certdelete' - Identity certificate deletion. This
                       operation is provided to delete the
                       identity certificate from a trustpoint.
                       If the certificate is the only generic
                       certificate in the device, delete is not
                       allowed; 'forcecertdelete' operation needs
                       to be used to force the delete.

        'pkcs12import' - This operation is provided to facilitate
                         the importing of the identity
                         certificate, corresponding key-pair and
                         CA certificate/chain in pkcs#12 format
                         into a trustpoint.

        'pkcs12export' - This operation is provided to facilitate
                         the exporting of the key-pair, identity
                         certificate and the CA certificate in
                         pkcs#12 format from a trustpoint.

        'certconfirm' - This operation is provided to confirm the
                        acceptability of a certificate after
                        manual verification of its fingerprint
                        subsequent to the action 'caauth', thereby
                        completing that action and installing
                        the certificate in the trustpoint.

        'certnoconfirm' - This operation is provided to confirm
                          the unacceptability of a certificate
                          after the manual verification of its
                          fingerprint subsequent to the action
                          'caauth', thereby rejecting the
                          certificate and completing that action.

        'forcecertdelete' - Same as 'certdelete' except it forces
                            the delete.

        'crlimport' - CRL import. This operation is provided to
                      import a CRL into a trustpoint.

        'crldelete' - CRL delete. This operation is provided to
                      delete the CRL from a trustpoint.
        "
    SYNTAX          INTEGER  {
                        noop(1),
                        caauth(2),
                        cadelete(3),
                        certreq(4),
                        certimport(5),
                        certdelete(6),
                        pkcs12import(7),
                        pkcs12export(8),
                        certconfirm(9),
                        certnoconfirm(10),
                        forcecertdelete(11),
                        crlimport(12),
                        crldelete(13)
                    }

CiscoPkiActionResult ::= TEXTUAL-CONVENTION
    STATUS          current
    DESCRIPTION
        "Result of the PKI Support action performed. An instance
        of this TC corresponds to an instance of the TC
        CiscoPkiAction.

        'none' - No action was performed yet.

        'success' - Execution of the action triggered is
                    completed successfully.

        'failed' - Execution of the action triggered has
                   failed.

        'inProgress' - Execution of the action triggered is
                       in progress.

        'needConfirm' - Further continuation of execution of
                        the action triggered requires
                        confirmation from the user.
        "
    SYNTAX          INTEGER  {
                        none(1),
                        success(2),
                        failed(3),
                        inProgress(4),
                        needConfirm(5)
                    }

--
-- The RSA key-pair entries
--

cpkiRSAKeyPairTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CpkiRSAKeyPairEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A list of RSA key-pair entries."
    ::= { cpkiConfig 1 }

cpkiRSAKeyPairEntry OBJECT-TYPE
    SYNTAX          CpkiRSAKeyPairEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The RSA key-pair entry. The entry specifies the key-pair
        name, size, whether it is exportable and the filename
        where the key-pair is stored. Each entry corresponds
        to an RSA key-pair generated internally in the device or
        imported from outside. When a new entry is created, a
        new RSA key-pair is generated in the device and stored
        in a corresponding file. When an entry is deleted through
        row deletion, the corresponding key-pair is destroyed. The
        entry is not allowed to be modified after creation as a
        key-pair is not modifiable after its generation.
        "
    INDEX           { cpkiRSAKeyPairName }
    ::= { cpkiRSAKeyPairTable 1 }

CpkiRSAKeyPairEntry ::= SEQUENCE {
        cpkiRSAKeyPairName             SnmpAdminString,
        cpkiRSAKeyPairId               Unsigned32,
        cpkiRSAKeyPairSize             INTEGER,
        cpkiRSAPvtKeyFileName          SnmpAdminString,
        cpkiRSAKeyPairExportable       TruthValue,
        cpkiRSAKeyPairStorageType      StorageType,
        cpkiRSAKeyPairConfigRowStatus  RowStatus
}

cpkiRSAKeyPairName OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE  (1..64))
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The unique name or label of key-pair."
    ::= { cpkiRSAKeyPairEntry 1 }

cpkiRSAKeyPairId OBJECT-TYPE
    SYNTAX          Unsigned32
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "A unique identification number of the RSA key-pair.
        This is included to support ordered lists of RSA
        key-pairs when needed. One such scenario where such an
        ordered list may be needed is for per application
        configuration of key-pairs."
    ::= { cpkiRSAKeyPairEntry 2 }

cpkiRSAKeyPairSize OBJECT-TYPE
    SYNTAX          INTEGER  {
                        rsa512(1),  -- 512-bit RSA key
                        rsa768(2),  -- 768-bit RSA key
                        rsa1024(3), -- 1024-bit RSA key
                        rsa1536(4), -- 1536-bit RSA key
                        rsa2048(5)  -- 2048-bit RSA key
                    }
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "The size of the key.

        The following modulus sizes are defined:
        512-bit, 768-bit, 1024-bit, 1536-bit and 2048-bit.
        Once created, the size cannot be changed. After the
        key-pair has been deleted through row deletion,
        the entry can be created again with another size.
        "
    DEFVAL          { rsa512 }
    ::= { cpkiRSAKeyPairEntry 3 }

cpkiRSAPvtKeyFileName OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE  (0..255))
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The name of the file storing the RSA private key.
        This filename is automatically generated from the
        key-pair name. It is a unix style '/' separated string
        representing the absolute path of the file in the
        file system of the device."
    ::= { cpkiRSAKeyPairEntry 4 }

cpkiRSAKeyPairExportable OBJECT-TYPE
    SYNTAX          TruthValue
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "The key-pair is exportable through the 'pkcs12export'
        PKI support action. Once created, the exportable flag
        value cannot be changed. After the key-pair has been
        deleted through row deletion, the entry can be created
        again with another value for the exportable flag."
    DEFVAL          { true }
    ::= { cpkiRSAKeyPairEntry 5 }

cpkiRSAKeyPairStorageType OBJECT-TYPE
    SYNTAX          StorageType
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "The storage type for this conceptual row."
    DEFVAL          { nonVolatile }
    ::= { cpkiRSAKeyPairEntry 6 }

cpkiRSAKeyPairConfigRowStatus OBJECT-TYPE
    SYNTAX          RowStatus
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "The conceptual row status of the key-pair entry.
        Deleting an entry through row delete will fail if the
        entry is being pointed to from an instance from
        cpkiTrustPointTable.

        The objects in the entry may not be modified while
        the value of this object is active(1).

        An attempt to set these objects while the value of
        cpkiRSAKeyPairConfigRowStatus is active(1) will
        result in an inconsistentValue error."
    ::= { cpkiRSAKeyPairEntry 7 }

--
-- The trustpoint entries
--

cpkiTrustPointTable OBJECT-TYPE
    SYNTAX          SEQUENCE OF CpkiTrustPointEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "A list of trustpoint, associated key-pair,
        certificates and revocation checking
        configuration entries.

        The table also provides control, actions, current
        operating state information and last action result
        information for the certificate work-flow if being
        carried out using the PKI support actions."
    ::= { cpkiConfig 2 }

cpkiTrustPointEntry OBJECT-TYPE
    SYNTAX          CpkiTrustPointEntry
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The trustpoint configuration entry. This entry
        specifies the trustpoint name, the associated key-pair
        name, the identity certificate filename, some important
        attributes in the identity certificate and the issuer
        (CA) certificate filename and important attributes in the
        issuer certificate.

        The entry also specifies the certificate revocation
        checking methods and OCSP URL configuration.
        "
    INDEX           { cpkiTrustPointName }
    ::= { cpkiTrustPointTable 1 }

CpkiTrustPointEntry ::= SEQUENCE {
        cpkiTrustPointName             SnmpAdminString,
        cpkiTrustPointId               Unsigned32,
        cpkiKeyPairName                SnmpAdminString,
        cpkiIdCertFileName             SnmpAdminString,
        cpkiIdCertSubjectName          SnmpAdminString,
        cpkiIdCertSerialNum            SnmpAdminString,
        cpkiIdCertStartDate            DateAndTime,
        cpkiIdCertEndDate              DateAndTime,
        cpkiIdCertFingerPrint          SnmpAdminString,
        cpkiIssuerCertFileName         SnmpAdminString,
        cpkiIssuerCertSubjectName      SnmpAdminString,
        cpkiIssuerCertSerialNum        SnmpAdminString,
        cpkiIssuerCertStartDate        DateAndTime,
        cpkiIssuerCertEndDate          DateAndTime,
        cpkiIssuerCertFingerPrint      SnmpAdminString,
        cpkiRevokeCheckMethods         OCTET STRING,
        cpkiOCSPurl                    SnmpAdminString,
        cpkiAction                     CiscoPkiAction,
        cpkiActionUrl                  SnmpAdminString,
        cpkiActionPassword             SnmpAdminString,
        cpkiLastAction                 CiscoPkiAction,
        cpkiLastActionResult           CiscoPkiActionResult,
        cpkiLastActionFailureReason    SnmpAdminString,
        cpkiTrustPointStorageType      StorageType,
        cpkiTrustPointConfigRowStatus  RowStatus
}

cpkiTrustPointName OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE  (1..64))
    MAX-ACCESS      not-accessible
    STATUS          current
    DESCRIPTION
        "The unique name or label of a trustpoint."
    ::= { cpkiTrustPointEntry 1 }

cpkiTrustPointId OBJECT-TYPE
    SYNTAX          Unsigned32
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "A unique identification number of the trustpoint.
        This is included to support ordered lists of trustpoints
        when needed. One such scenario where such an ordered list
        may be needed is for per application configuration of
        trustpoints for certificate selection."
    ::= { cpkiTrustPointEntry 2 }

cpkiKeyPairName OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE  (0..64))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "The name of the associated key-pair from a key-pair
        table. If a key-pair is not yet associated, the value
        of this object will be a zero length string.

        If a key-pair is already associated, it can be modified
        only if the identity certificate is absent, as indicated
        by a zero length string value of the object
        cpkiIdCertFileName. This is because of the fact that
        the identity certificate is certifying this key-pair."
    ::= { cpkiTrustPointEntry 3 }

cpkiIdCertFileName OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE  (0..255))
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The name of the file storing the identity
        certificate. It is a unix style '/' separated string
        representing the absolute path of the file in the
        file system of the device. If there is no identity
        certificate obtained as yet, the value of this object
        will be a zero length string.

        This object gets its non-zero length string value
        after a successful 'certimport' or 'pkcs12import'
        PKI support action triggered on the object cpkiAction.

        This object gets set to a zero length string when the
        identity certificate is deleted through a successful
        'certdelete' action triggered on the object
        cpkiAction."
    ::= { cpkiTrustPointEntry 4 }

cpkiIdCertSubjectName OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE  (0..255))
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The subject name of the identity certificate.
        If there is no certificate (as indicated by a zero
        length string value of the object cpkiIdCertFileName)
        or no subject name in the certificate, the value of
        this object will be a zero length string."
    REFERENCE
        "RFC 2459, Internet X.509 Public Key Infrastructure
        Certificate and CRL Profile, Section 4.1.2.6"
    ::= { cpkiTrustPointEntry 5 }

cpkiIdCertSerialNum OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE  (0..255))
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The serial number of the identity certificate.
        If there is no certificate (as indicated by a zero
        length string value of the object cpkiIdCertFileName),
        the value of this object will be a zero length string."
    REFERENCE
        "RFC 2459, Internet X.509 Public Key Infrastructure
        Certificate and CRL Profile, Section 4.1.2.2"
    ::= { cpkiTrustPointEntry 6 }

cpkiIdCertStartDate OBJECT-TYPE
    SYNTAX          DateAndTime
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The time when the identity certificate starts to be
        valid, corresponding to the notBefore field in the
        certificate.

        If there is no certificate (as indicated by a zero
        length string value of the object cpkiIdCertFileName),
        the value of this object will be a zero length string."
    REFERENCE
        "RFC 2459, Internet X.509 Public Key Infrastructure
        Certificate and CRL Profile, Section 4.1.2.5"
    ::= { cpkiTrustPointEntry 7 }

cpkiIdCertEndDate OBJECT-TYPE
    SYNTAX          DateAndTime
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The time when the identity certificate validity ends,
        corresponding to the notAfter field in the
        certificate.

        If there is no certificate (as indicated by the zero
        length string value of the object cpkiIdCertFileName),
        the value of this object will be a zero length string."
    REFERENCE
        "RFC 2459, Internet X.509 Public Key Infrastructure
        Certificate and CRL Profile, Section 4.1.2.5"
    ::= { cpkiTrustPointEntry 8 }

cpkiIdCertFingerPrint OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE  (0..255))
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The MD5 fingerprint of the identity certificate in
        HEX string format.

        If there is no certificate (as indicated by a zero
        length string value of the object cpkiIdCertFileName),
        the value of this object will be a zero length string."
    ::= { cpkiTrustPointEntry 9 }

cpkiIssuerCertFileName OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE  (0..255))
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The name of the file storing the issuer certificate.
        It is a unix style '/' separated string representing
        the absolute path of the file in the file system of
        the device. If there is no issuer certificate obtained
        yet, the value of this object will be a zero length
        string.

        This object gets its non-zero length string value
        after a successful 'caauth' PKI support action
        triggered on the object cpkiAction.

        This object gets set to a zero length string when the
        issuer certificate is deleted through a successful
        'cadelete' action triggered on the object
        cpkiAction."
    ::= { cpkiTrustPointEntry 10 }

cpkiIssuerCertSubjectName OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE  (0..255))
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The issuer name (subject name in issuer certificate
        which will be the same as the issuer name in the
        identity certificate if present).

        If there is no certificate (as indicated by a zero
        length string value of the object cpkiIssuerCertFileName),
        the value will be a zero length string."
    REFERENCE
        "1. RFC 2459, Internet X.509 Public Key Infrastructure
        Certificate and CRL Profile, Section 4.1.2.6
        2. RFC 2459, Internet X.509 Public Key Infrastructure
        Certificate and CRL Profile, Section 5.1.2.3"
    ::= { cpkiTrustPointEntry 11 }

cpkiIssuerCertSerialNum OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE  (0..255))
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The serial number of the issuer certificate.

        If there is no certificate (as indicated by a zero
        length string value of the object
        cpkiIssuerCertFileName), the value will be a zero
        length string."
    REFERENCE
        "RFC 2459, Internet X.509 Public Key Infrastructure
        Certificate and CRL Profile, Section 4.1.2.2"
    ::= { cpkiTrustPointEntry 12 }

cpkiIssuerCertStartDate OBJECT-TYPE
    SYNTAX          DateAndTime
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The time when the issuer certificate starts to be
        valid, corresponding to the notBefore field in the
        certificate.

        If there is no certificate (as indicated by a zero
        length string value of the object
        cpkiIssuerCertFileName), the value will be a zero
        length string."
    REFERENCE
        "RFC 2459, Internet X.509 Public Key Infrastructure
        Certificate and CRL Profile, Section 4.1.2.5"
    ::= { cpkiTrustPointEntry 13 }

cpkiIssuerCertEndDate OBJECT-TYPE
    SYNTAX          DateAndTime
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The time when the issuer certificate validity ends,
        corresponding to the notAfter field in the
        certificate.

        If there is no certificate (as indicated by a zero
        length string value of the object
        cpkiIssuerCertFileName), the value will be a zero
        length string."
    REFERENCE
        "RFC 2459, Internet X.509 Public Key Infrastructure
        Certificate and CRL Profile, Section 4.1.2.5"
    ::= { cpkiTrustPointEntry 14 }

cpkiIssuerCertFingerPrint OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE  (0..255))
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "The MD5 fingerprint of the issuer's certificate in
        HEX string format.

        If there is no certificate (as indicated by a
        zero length string value of cpkiIssuerCertFileName),
        the value of this object will be a zero length string."
    ::= { cpkiTrustPointEntry 15 }

cpkiRevokeCheckMethods OBJECT-TYPE
    SYNTAX          OCTET STRING (SIZE  (16))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "Revocation checking methods list which is an ordered
        list of certificate revocation checking methods to be
        employed while verifying peer certificates issued by
        the CA corresponding to this trust point entry.

        The value of this object is an ordered list of one or
        more 1-octet values, where each 1-octet value
        corresponds to a method in the revocation checking method
        enumeration:

        none (1) - No revocation status checking needed;
                   instead consider the certificate as
                   not revoked.

        crl (2) - Use CRL for checking the revocation
                  status of certificates.

        ocsp (3) - Use OCSP for checking the revocation
                   status of certificates.

        If 'none' occurs in the list, it should be the last value.
        The octets after the last value in the ordered list
        should be zero octets.

        The order in which the revocation checking methods
        occur within the value of this object determines
        the order the revocation checking methods are attempted
        during the verification of a peer certificate.

        The default value of this object (after row creation)
        contains only the revocation checking method 'crl'."
    DEFVAL          { '02000000000000000000000000000000'H }
    ::= { cpkiTrustPointEntry 16 }

cpkiOCSPurl OBJECT-TYPE
    SYNTAX          SnmpAdminString (SIZE  (0..255))
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "The contact http url of the external OCSP server for
        certificate revocation checking using OCSP protocol.

        The default value of this object (after row creation)
        is a zero length string."
    DEFVAL          { ''H }
    ::= { cpkiTrustPointEntry 17 }

cpkiAction OBJECT-TYPE
    SYNTAX          CiscoPkiAction
    MAX-ACCESS      read-create
    STATUS          current
    DESCRIPTION
        "The PKI support action to be triggered for this
        trustpoint entry.

        The PKI support actions are steps in the certificate
        work-flow used to facilitate the configuration of the
        RSA key-pair, identity certificate and CA certificates
        in a trustpoint. A PKI support action is triggered by
        setting this object to the corresponding value as defined
        in TC CiscoPkiAction. The value of this object and the
        values of the objects cpkiActionUrl and cpkiActionPassword
        are interpreted and applied together as a single action
        trigger. All these actions operate over the trustpoint
        and modify appropriate columns in the entry.

        An attempt to set this object when the value of the
        object cpkiLastActionResult is 'inProgress' will result
        in an inconsistentValue error.

        The work-flow nature of certificate operations requires
        that the trustpoint entry already exists. Some of the
        operations require that some other previous operations
        are already performed successfully, as seen below.

        The following is a brief of each action semantics, its
        parameters and the result:

        'caauth' - This action is used to authenticate a CA and
        configure its CA certificate/chain in this trustpoint. This
        is generally the first step in a certificate work-flow.
        It requires the parameter objects cpkiActionUrl and
        cpkiActionPassword set with appropriate values. The CA
        certificate/chain being installed should be available in
        PEM format in a file on bootflash. The filename is
        specified as 'bootflash:<filename>' as the value of the
        object cpkiActionUrl. On successful completion of the
        operation, the CA certificate fingerprint will be
        available as the value of the object
        cpkiIssuerCertFingerPrint and the value of the object
        cpkiLastActionResult will be 'needConfirm'. This action
        is to be followed up with a subsequent 'certconfirm' or
        'certnoconfirm' as explained later, to complete the CA
        authentication process.

        'cadelete' - This action is used to delete the CA
        certificate/chain from this trustpoint. On successful
        completion of the operation, the values of all issuer
        certificate related objects (cpkiIssuerCertFileName
        etc.) in this trustpoint entry will be zero length strings.
        For this action to succeed, a CA certificate/chain should
        have been already configured through the 'caauth' action.

        'certreq' - This action is used to generate a pkcs#10
        certificate signing request (CSR) needed to obtain an
        identity certificate from the CA corresponding to this
        trustpoint entry. This entry should have a key-pair
        already associated (as indicated by a non-zero length
        string value of cpkiKeyPairName in the entry). Also the CA
        certificate/chain should have been already configured
        through the 'caauth' action. This action requires the
        parameter object cpkiActionPassword to be set with a
        password string which will be used as the 'challenge
        password' attribute in the CSR being created (the password
        being optional, it should be a zero length string if no
        password is being specified). On successful completion of
        the operation, the value of the object cpkiActionUrl will
        contain a file name string in the format
        'bootflash:<filename>' which will contain the CSR generated
        in PEM format. This CSR has to be submitted to the CA to
        get the identity certificate. The process of submitting
        the CSR to the CA and getting the identity certificate is a
        step not supported by this MIB currently. Once the identity
        certificate is obtained, it has to be installed in this
        trustpoint with a subsequent 'certimport' action explained
        next.

        'certimport' - This action is used to import in this
        trustpoint, an identity certificate obtained from the
        corresponding CA for an earlier CSR generated (previous
        operation 'certreq'). It requires that the identity
        certificate being installed be available in PEM format in a
        file on bootflash. The filename is specified as
        'bootflash:<filename>' as the value of the object
        cpkiActionUrl. On successful completion of the operation,
        the values of all identity certificate related objects
        (cpkiIdCertFileName etc.) in this entry will get filled
        with the appropriate strings as per the corresponding
        attributes in the identity certificate.

        'certdelete' - This action is used to delete the identity
        certificate from this trustpoint. On successful completion
        of the operation, the values of all identity certificate
        related objects (cpkiIdCertFileName etc.) in this entry
        will become zero length strings.

        'pkcs12import' - This action is used to import the
        key-pair, identity certificate and the CA certificate/chain
        in pkcs#12 format into this trustpoint. It requires
        that the file containing the import data be
        available on bootflash and its filename be specified as
        'bootflash:<filename>' as the value of the object
        cpkiActionUrl. It also requires that the parameter
        object cpkiActionPassword be set with a password
        string to be used for decoding the pkcs#12 data. On
        successful completion of the operation, an entry in the
        cpkiRSAKeyPairTable will be created corresponding to the
        imported key-pair and it will be named using the trustpoint
        name specified. Secondly, the values of all identity
        certificate related objects (cpkiIdCertFileName etc.)
        and the values of all issuer certificate related objects
        (cpkiIssuerCertFileName etc.) in this entry will get filled
        with the appropriate strings as per the corresponding
        attributes in the identity and CA certificates
        respectively.

        'pkcs12export' - This action is used to export the
        key-pair, identity certificate and the CA certificate/chain
        in pkcs#12 format from this trustpoint. It requires that
        the filename to contain the exported data be specified as
        'bootflash:<filename>' as the value of the object
        cpkiActionUrl. It also requires that the parameter
        object cpkiActionPassword be set with a password string
        to be used for encoding the pkcs#12 data. On successful
        completion of the operation, the exported data will be
        available on bootflash in the specified file.

        'certconfirm' - This action is used to confirm as
        acceptable, the certificate fingerprint for the action
        'caauth' in this trustpoint. As mentioned earlier, the
        certificate fingerprint is available as the value of the
        object cpkiIssuerCertFingerPrint and the value of the
        object cpkiLastActionResult will be 'needConfirm' after a
        successful 'caauth' action on a trustpoint. On successful
        completion of the 'certconfirm' operation, values of all
        issuer certificate related objects (cpkiIssuerCertFileName
        etc.) in this entry get filled with the appropriate strings
        as per the attributes in the CA certificate.
975 976 'certnoconfirm' - This action is used to confirm as not 977 acceptable, the certificate fingerprint for the action 978 'caauth. As mentioned earlier, the certificate fingerprint 979 is available as the value of the object 980 cpkiIssuerCertFingerPrint and the value of the object 981 cpkiActionResult will be 'needConfirm' after a successfull 982 'caauth' action on a trustpoint. On successful completion 983 of the 'certnoconfirm' action subsequent to a 'caauth' 984 action, the import pending CA certificate/chain will be 985 rejected. 986 987 'forcecertdelete' - Same as 'certdelete' but the operation 988 is forced even if the certificate being deleted is the 989 last-most one. 990 991 'crlimport' - This action is used to import in this 992 trustpoint, the CRL obtained from the corresponding CA. 993 It requires that the CRL being imported be available in 994 PEM fromat in a file on bootflash. The filename is specified 995 as 'bootflash:<filename>' as the value of the object 996 cpkiActionUrl. On successful completion of the operation, 997 the CRL will be installed in the trustpoint. For this 998 action to succeed, a CA certificate/chain should 999 have been already configured through the 'caauth' action. 1000 1001 'crldelete' - This action is used to delete the CRL from a 1002 trustpoint. This action does not require any parameters. 1003 1004 On successful completion of any of the above actions, the 1005 result object cpkiActionResult will have the value 1006 'success'. on any error during the execution of the action, 1007 the object cpkiActionResult will be set with the value 1008 'failed' and the object cpkiActionFailureReason will have 1009 the appropriate failure message string. 1010 1011 An attempt to set this object with a value other than 1012 'certconfirm' or 'certnoconfirm', when the value of the 1013 object cpkiActionResult is 'needConfirm', will result in 1014 an inconsistentValue error. 
1015 1016 All Actions are done on existing entry, action trigger is 1017 not allowed as part of row creation. 1018 1019 Retrieving the value of this object via SNMP will always 1020 return 'noop'. 1021 " 1022 DEFVAL { noop } 1023 ::= { cpkiTrustPointEntry 18 } 1024 1025cpkiActionUrl OBJECT-TYPE 1026 SYNTAX SnmpAdminString 1027 MAX-ACCESS read-create 1028 STATUS current 1029 DESCRIPTION 1030 "The value of this object indicates the filename 1031 containig the input or output certificate data needed 1032 for the PKI support action being triggered on this entry. 1033 The filename should pe specified as 'bootflash:<filename>' 1034 and it should be available on bootflash or get created on 1035 bootflash depending upon the action being triggered. 1036 " 1037 ::= { cpkiTrustPointEntry 19 } 1038 1039cpkiActionPassword OBJECT-TYPE 1040 SYNTAX SnmpAdminString (SIZE (0..64)) 1041 MAX-ACCESS read-create 1042 STATUS current 1043 DESCRIPTION 1044 "The value of this object indicates the password 1045 required to perform the PKI support action being 1046 triggered. This password is required to be 1047 specified only for 'certreq', 'importpkcs12' and 1048 'exportpkcs12' actions. 1049 1050 For security reasons, the value of this object, whenever 1051 it is retrieved by the management prototcol, is always 1052 the zero length string. 1053 " 1054 DEFVAL { ''H } 1055 ::= { cpkiTrustPointEntry 20 } 1056 1057cpkiLastAction OBJECT-TYPE 1058 SYNTAX CiscoPkiAction 1059 MAX-ACCESS read-only 1060 STATUS current 1061 DESCRIPTION 1062 "The PKI support action attempted last. In otherwords, 1063 the value attempted to be set for cpkiAction object 1064 last. If no action has been triggered for the trustpoint 1065 after its creation, then retrieving the value of this 1066 object will return 'noop'." 
1067 ::= { cpkiTrustPointEntry 21 } 1068 1069cpkiLastActionResult OBJECT-TYPE 1070 SYNTAX CiscoPkiActionResult 1071 MAX-ACCESS read-only 1072 STATUS current 1073 DESCRIPTION 1074 "The result of the execution of the last PKI support 1075 action (represented by the value of cpkiLastAction). 1076 When the value of this object is 'inProgress', an 1077 attempt to set the value of cpkiAction object will 1078 return inConsistentError. 1079 " 1080 ::= { cpkiTrustPointEntry 22 } 1081 1082cpkiLastActionFailureReason OBJECT-TYPE 1083 SYNTAX SnmpAdminString 1084 MAX-ACCESS read-only 1085 STATUS current 1086 DESCRIPTION 1087 "The failure reason description for the failed 1088 execution of PKI support action. If the object 1089 cpkiActionResult has the value 'failed', then 1090 this object contains the reason string as to why 1091 it failed. Otherwise, the value of this object is 1092 a zero length string. 1093 " 1094 ::= { cpkiTrustPointEntry 23 } 1095 1096cpkiTrustPointStorageType OBJECT-TYPE 1097 SYNTAX StorageType 1098 MAX-ACCESS read-create 1099 STATUS current 1100 DESCRIPTION 1101 "The storage type for this conceptual row." 1102 DEFVAL { nonVolatile } 1103 ::= { cpkiTrustPointEntry 24 } 1104 1105cpkiTrustPointConfigRowStatus OBJECT-TYPE 1106 SYNTAX RowStatus 1107 MAX-ACCESS read-create 1108 STATUS current 1109 DESCRIPTION 1110 "The conceptual row status of the trustpoint entry. 1111 1112 After row creation, the value of this object will 1113 become active(1) as there is no prerequisite of certain 1114 objects to be set to make this object active. 1115 1116 The various read-only objects of the row can be 1117 populated only by means of the various PKI support 1118 actions attempted by setting the cpkiAction object 1119 with appropriate value. 
1120 1121 Except the read-only objects mentioned, all other 1122 objects of the entry can be modified when the row 1123 is active subject to the restrictions, if any, 1124 specified for each" 1125 ::= { cpkiTrustPointEntry 25 } 1126 1127-- 1128-- Conformance 1129-- 1130 1131cpkiMIBCompliances OBJECT IDENTIFIER 1132 ::= { cpkiMIBConform 1 } 1133cpkiMIBGroups OBJECT IDENTIFIER 1134 ::= { cpkiMIBConform 2 } 1135 1136cpkiMIBCompliance MODULE-COMPLIANCE 1137 STATUS current 1138 DESCRIPTION 1139 "The compliance statement for entities which implement the 1140 CISCO-PKI-PARTICIPATION-MIB.my. 1141 " 1142 MODULE 1143 MANDATORY-GROUPS { 1144 cpkiConfigGroup 1145 } 1146 1147 OBJECT cpkiRSAKeyPairStorageType 1148 MIN-ACCESS read-only 1149 DESCRIPTION 1150 "Only read-only needs to be supported" 1151 1152 OBJECT cpkiTrustPointStorageType 1153 MIN-ACCESS read-only 1154 DESCRIPTION 1155 "Only read-only needs to be supported" 1156 1157 OBJECT cpkiRSAKeyPairConfigRowStatus 1158 SYNTAX INTEGER { 1159 active (1), 1160 createAndGo (4), 1161 destroy (6) 1162 } 1163 DESCRIPTION 1164 "Only 'createAndGo', 'destroy' and 'active' need to be 1165 supported." 1166 1167 OBJECT cpkiTrustPointConfigRowStatus 1168 SYNTAX INTEGER { 1169 active (1), 1170 createAndGo (4), 1171 destroy (6) 1172 } 1173 DESCRIPTION 1174 "Only 'createAndGo', 'destroy' and 'active' need to be 1175 supported." 
1176 1177 ::= { cpkiMIBCompliances 1 } 1178 1179-- 1180-- Units of Conformance 1181-- 1182 1183cpkiConfigGroup OBJECT-GROUP 1184 OBJECTS { 1185 cpkiRSAKeyPairId, 1186 cpkiRSAKeyPairSize, 1187 cpkiRSAPvtKeyFileName, 1188 cpkiRSAKeyPairExportable, 1189 cpkiRSAKeyPairStorageType, 1190 cpkiRSAKeyPairConfigRowStatus, 1191 cpkiTrustPointId, 1192 cpkiKeyPairName, 1193 cpkiIdCertFileName, 1194 cpkiIdCertSubjectName, 1195 cpkiIdCertSerialNum, 1196 cpkiIdCertStartDate, 1197 cpkiIdCertEndDate, 1198 cpkiIdCertFingerPrint, 1199 cpkiIssuerCertFileName, 1200 cpkiIssuerCertSubjectName, 1201 cpkiIssuerCertSerialNum, 1202 cpkiIssuerCertStartDate, 1203 cpkiIssuerCertEndDate, 1204 cpkiIssuerCertFingerPrint, 1205 cpkiRevokeCheckMethods, 1206 cpkiOCSPurl, 1207 cpkiAction, 1208 cpkiActionUrl, 1209 cpkiActionPassword, 1210 cpkiLastAction, 1211 cpkiLastActionResult, 1212 cpkiLastActionFailureReason, 1213 cpkiTrustPointStorageType, 1214 cpkiTrustPointConfigRowStatus 1215 } 1216 STATUS current 1217 DESCRIPTION 1218 "A collection of objects for configurations of the PKI support 1219 " 1220 ::= { cpkiMIBGroups 1 } 1221 1222END 1223
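The cpkiAction DESCRIPTION above specifies a small state machine: a SET is refused with inconsistentValue while the previous action is 'inProgress' or while a 'caauth' fingerprint awaits 'certconfirm'/'certnoconfirm', and each action has prerequisites (a configured CA, a non-zero cpkiKeyPairIndex, a file on bootflash, a password) whose absence yields a 'failed' result with a reason string. The following Python model of that agent-side gating is an added example written for this page; it is not Cisco code and not part of the MIB. The enumeration values of the CiscoPkiAction and CiscoPkiActionResult TCs are not in this excerpt, so string labels are used; the 'bootflash' dict, the SHA-256 stand-in for cpkiIssuerCertFingerPrint, the key-pair index assigned on 'pkcs12import' and the placeholder file contents are all constructed assumptions.

```python
import hashlib

# Action labels are those named in the cpkiAction DESCRIPTION (TC enums assumed absent).
ACTIONS = {"noop", "caauth", "cadelete", "certreq", "certimport", "certdelete",
           "pkcs12import", "pkcs12export", "certconfirm", "certnoconfirm",
           "forcecertdelete", "crlimport", "crldelete"}


class InconsistentValue(Exception):
    """Stands in for the SNMP inconsistentValue error on a refused SET."""


class TrustPoint:
    """One cpkiTrustPointEntry row. 'bootflash' is a dict filename -> bytes that
    stands in for the device file system (constructed for this example)."""

    def __init__(self, bootflash):
        self.bootflash = bootflash
        self.key_pair_index = 0        # cpkiKeyPairIndex: 0 = no key-pair associated
        self.issuer_cert_file = ""     # cpkiIssuerCertFileName
        self.issuer_fingerprint = ""   # cpkiIssuerCertFingerPrint
        self.id_cert_file = ""         # cpkiIdCertFileName
        self.crl_installed = False
        self.action_url = ""           # cpkiActionUrl
        self.last_action = "noop"      # cpkiLastAction
        self.last_result = "success"   # cpkiLastActionResult (initial value assumed)
        self.last_failure_reason = ""  # cpkiLastActionFailureReason
        self._pending_ca = None        # (filename, fingerprint) awaiting confirmation

    def get_action(self):
        return "noop"                  # reading cpkiAction always yields 'noop'

    def get_password(self):
        return ""                      # cpkiActionPassword never reveals its value

    def _name(self, url):              # filenames are 'bootflash:<filename>'
        if not url.startswith("bootflash:"):
            raise ValueError("cpkiActionUrl must be 'bootflash:<filename>'")
        return url[len("bootflash:"):]

    def _file(self, url):              # input files must already exist
        name = self._name(url)
        if name not in self.bootflash:
            raise ValueError("file not found on bootflash: " + name)
        return name, self.bootflash[name]

    def _require_ca(self):
        if not self.issuer_cert_file:
            raise ValueError("CA certificate not configured; run 'caauth' first")

    def set_action(self, action, url="", password=""):
        """SET of cpkiAction with cpkiActionUrl/cpkiActionPassword; returns the
        new cpkiLastActionResult, or raises InconsistentValue if refused."""
        if action not in ACTIONS:
            raise ValueError("unknown action " + action)
        if self.last_result == "inProgress":
            raise InconsistentValue("previous action still in progress")
        if self.last_result == "needConfirm" and action not in ("certconfirm", "certnoconfirm"):
            raise InconsistentValue("CA fingerprint awaiting confirmation")
        self.last_action, self.action_url = action, url
        try:
            self._run(action, url, password)
        except ValueError as err:      # prerequisite missing -> 'failed' + reason
            self.last_result, self.last_failure_reason = "failed", str(err)
        return self.last_result

    def _run(self, action, url, password):
        if action == "caauth":         # fingerprint published, completion deferred
            name, pem = self._file(url)
            self._pending_ca = (name, hashlib.sha256(pem).hexdigest())  # digest assumed
            self.issuer_fingerprint = self._pending_ca[1]
            self.last_result, self.last_failure_reason = "needConfirm", ""
            return
        if action in ("certconfirm", "certnoconfirm"):
            if self._pending_ca is None:
                raise ValueError("no 'caauth' result awaiting confirmation")
            if action == "certconfirm":
                self.issuer_cert_file, self.issuer_fingerprint = self._pending_ca
            else:
                self.issuer_fingerprint = ""      # pending CA chain rejected
            self._pending_ca = None
        elif action == "cadelete":
            self._require_ca()
            self.issuer_cert_file = self.issuer_fingerprint = ""
        elif action == "certreq":      # needs CA + key-pair; challenge password may be ""
            self._require_ca()
            if self.key_pair_index == 0:
                raise ValueError("no key-pair associated with trustpoint")
            out = "csr-%d.pem" % self.key_pair_index
            self.bootflash[out] = b"-----BEGIN CERTIFICATE REQUEST-----\n(constructed)\n"
            self.action_url = "bootflash:" + out  # output name handed back in cpkiActionUrl
        elif action == "certimport":
            self.id_cert_file, _ = self._file(url)
        elif action in ("certdelete", "forcecertdelete"):
            self.id_cert_file = ""     # the 'last-most' rule is not modelled here
        elif action == "pkcs12import":
            name, _ = self._file(url)
            if not password:
                raise ValueError("pkcs#12 password required")
            self.key_pair_index = 1    # new cpkiRSAKeyPairTable row; index assumed
            self.id_cert_file = self.issuer_cert_file = name
        elif action == "pkcs12export":
            if not password:
                raise ValueError("pkcs#12 password required")
            self.bootflash[self._name(url)] = b"(constructed pkcs#12 blob)"
        elif action == "crlimport":
            self._require_ca()
            self._file(url)
            self.crl_installed = True
        elif action == "crldelete":
            self.crl_installed = False
        self.last_result, self.last_failure_reason = "success", ""


def set_or_error(tp, action, url="", password=""):
    """Return the action result, or 'inconsistentValue' if the SET was refused."""
    try:
        return tp.set_action(action, url, password)
    except InconsistentValue:
        return "inconsistentValue"
```

The two failure channels are kept distinct on purpose, as the MIB does: a refused SET (InconsistentValue) leaves cpkiLastAction and cpkiLastActionResult untouched, whereas an action that runs but cannot satisfy its prerequisites records 'failed' together with cpkiLastActionFailureReason. A manager driving the work-flow should therefore poll cpkiLastActionResult after each SET, compare cpkiIssuerCertFingerPrint with a value obtained out of band before issuing 'certconfirm', and treat 'needConfirm' as a state in which only the two confirmation actions are legal.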