Managing Certificates


This document describes the Certificate Management software. It has the following sections.

Overview

How Certificate Management Works

Entering Certificate Management Commands

Using the Certificate Management Software

Certificate Management Commands

Overview

The Certificate Management module handles all the certificate requirements for IKE and IPSec. A certificate binds a person or entity to a public key using a digital signature. Certificates provide confidence in the public key.

IKE and IPSec use certificates only to authenticate remote peers. IKE does not use the public keys in the certificates for Diffie-Hellman calculations.

Terminology

This document uses the following terminology.

Automatic Enrollment

The process of applying for and receiving certificates online. This implementation does not support automatic enrollment.

Base-64

Base-64 is one of the methods used to encode certificate requests and certificates before they are sent to or from the CA. Some CAs call this encoding PEM. See also DER.

CA

Certificate Authority. A person or organization that creates certificates.

CA Certificate

Also called a root certificate, a CA certificate verifies certificates that the CA issues. A CA certificate contains the CA's public key, and the CA also signs the CA certificate with its private key.

CPS

Certificate Practice Statement. Each CA has a CPS.

CRL

Certificate Revocation List. CRLs contain certificates that have become invalid prior to their expiration date.

DER

Distinguished Encoding Rules as defined in X.509. DER is one of the methods used to encode certificate requests and certificates before they are sent to or from the CA. See also Base-64.

DSA/SHA1

Digital Signature Algorithm/Secure Hash Algorithm-1 (SHA-1). The certificate management software uses DSA/SHA1 to sign certificate requests. Public and private keys that the Certificate Management software generates are for use with DSA.

Manual Enrollment

Applying for and receiving certificates manually means you need to copy certificate requests from the router and send them to a CA. You also need to retrieve certificates and CRLs from the CA and copy them to the router. This implementation supports only manual enrollment.

PKCS#10

Syntax used to send a certificate request from the router to the CA. Certificate requests are encoded with DER or Base-64.

PKCS#7

Syntax used to send a certificate from the CA to the router. Certificates are encoded with DER or Base-64.

Root Certificate

A certificate authority's certificate. Root certificates are used to verify other certificates.

SA

Security Association

RA

Registration Authority

Compatibility and RFCs Supported

The OpenROUTE Certificate Management feature supports X.509 v3 certificates for signatures. It is 100% compatible with existing CA products from Entrust, Verisign, and Checkpoint.

Certificate Management implements the following RFCs:

How Certificate Management Works

This implementation supports Manual Enrollment for sending certificate requests to a CA and receiving certificates and CRLs from a CA.

Here is a brief overview of the certificate management process.

1. You get a CA's self-signed certificate and copy it to the router.

2. Using information that you provide, Certificate Management generates a private/public key pair and a certificate request ready to send to a CA.

3. You copy the certificate request from the router and send it to a CA.

4. The CA then generates and signs a public-key certificate and sends it back to you.

5. You copy the certificate to the router and use the certificate management software to retrieve the certificate so that it is ready for use.

Certificate Requests

A certificate request has three parts:

To create a certificate, you enter the attributes for a certificate request. The router takes the information that you enter and generates a certificate request, which you then send to a CA. The CA verifies the signature on the request and then creates an X.509 certificate using the information in the request.

CA Certificates

A CA certificate, also called a root certificate, is a self-signed certificate that you receive from a CA. The certificate management software displays Root as the owner of CA certificates.

The router uses the CA certificate to verify the router's own certificate when it receives the certificate from the CA. It also uses the CA certificate to verify certificates received from a remote device.

Note: Both the local router and the remote IPSec device must use the same certificate authority.

You must import the CA certificate into the router before adding the certificates themselves. Failure to do so results in an ELS message and causes the router to reject the certificates.

For instructions on importing the CA certificate into the router, see Putting CA Certificates Into the Router.

Getting the Remote Device's Certificates

The remote device, in most cases, is an IPSec device, such as a security router. The router requests the remote device's certificate during IKE phase 1 negotiations.

The router validates the signature of all remote device certificates using the CA's public key. If a CRL exists, the software checks the CRL for the remote device's certificate. The router rejects invalid remote device certificates and generates an ELS message.

Certificate Revocation Lists

Certificate Revocation Lists (CRLs) contain certificates that were revoked prior to their expiration date. Certificates are revoked due to changes in relationships, such as an employee who ends employment with a company, or due to a private key being compromised.

Certificate Management compares certificates of remote devices and CAs against the CRL as part of certificate verification.

The issuing CA regularly updates the CRL. You need to promptly import the new CRL into the router. (See Putting CRLs Into the Router.) The time between CRL issuances is defined in the CA's Certificate Practice Statement.

The list crl command shows the expiration date and time of a CRL, and the date and time when the next update will be available. You can also view information regarding the expiration of a certificate using the list certificate command.

Because you need to manually update CRLs, the Certificate Management module generates ELS messages every hour to remind you when a CRL has expired and you should load the next CRL.

When you display the certificate management prompts, the router checks for expired CRLs and displays the following message if one exists.

CRL 'mycrl' has expired.

You will experience a slight delay when you display the certificate prompts while the router checks CRLs.
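
Because CRL updates are manual, expiry can also be tracked away from the router. The following Python is an added example, not OpenROUTE code: it reads captured list crl and list certificate output in the format of this document's examples and reports each entry as ok, expiring, expired, or missing. The 14-day warning window, reading "No CRL" as "no CRL retrieved", and treating date-only values as expiring at 00:00 are assumptions of the example.

```python
import re
from datetime import datetime, timedelta

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Month name, day, year and an optional 24-hour HHMM time, as in
# "July 7, 1999 1300" (list crl) and "Dec 8,1999" (list certificate).
DATE_RE = re.compile(r"([A-Z][a-z]{2,8})\s+(\d{1,2}),\s*(\d{4})(?:\s+(\d{4})\b)?")

# Constructed sample: rows copied from this document's list crl, list all
# and list certificate examples, joined into one capture.
SAMPLE = """\
Name Issuer Valid From Valid To
hq-CRL hq-ca July 7, 1999 1200 July 7, 1999 1300
entr_crl No CRL
Cert Owner Issuer Length Type Valid From Valid To
entr Root Entrust 1024 DSA Sep 25,1998 Sep 25,2018
default Local Entrust 1024 DSA Oct 8,1999 Dec 8,1999
"""


def parse_valid_to(line):
    """Return (name, valid_to) for a data row, or None for headers and other rows."""
    dates = DATE_RE.findall(line)
    if len(dates) < 2:  # a data row carries both Valid From and Valid To
        return None
    month, day, year, hhmm = dates[-1]
    if month[:3] not in MONTHS:
        return None
    # Assumption: a date without a time expires at 00:00, so warnings come early.
    hhmm = hhmm or "0000"
    valid_to = datetime(int(year), MONTHS[month[:3]], int(day),
                        int(hhmm[:2]), int(hhmm[2:]))
    return line.split()[0], valid_to


def expiry_report(output, now, warn=timedelta(days=14)):
    """Classify each row; 'now' must be in the same time zone the router displays."""
    report = {}
    for line in output.splitlines():
        if line.rstrip().endswith("No CRL"):  # CRL name added, nothing retrieved
            report[line.split()[0]] = "missing"
            continue
        row = parse_valid_to(line)
        if row is None:
            continue
        name, valid_to = row
        if valid_to <= now:
            report[name] = "expired"
        elif valid_to - now <= warn:
            report[name] = "expiring"
        else:
            report[name] = "ok"
    return report


if __name__ == "__main__":
    for name, state in expiry_report(SAMPLE, datetime(1999, 12, 1, 9, 0)).items():
        print(f"{name}: {state}")
```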

Interface to IKE

IKE uses certificates in its operations. In the IKE software, you enter the name of the certificate the router uses in transactions with each remote device. There are instances where IKE needs the router's certificate. There are other cases where IKE needs Certificate Management to validate a certificate received from a remote device.

The default name for a certificate request is default. This name coincides with the default certificate name used in the IKE configuration. If you use a certificate name other than default, make sure you also enter that name in your IPSec peer definition. Use the my_certificate option with either the add peer or set peer IPSec commands.

Entering Certificate Management Commands

You can enter certificate management commands at either the configuration or monitoring prompts. You can perform any operation at both prompts, and there is no reason to use one prompt over the other. All commands are dynamic, that is, they take effect when you enter them. You do not need to restart the router.

To display the Certificate Management configuration prompt (CertMgmt Config>), enter certificates at the Config> prompt.

To display the Certificate Management monitoring prompt (CertMgmt>), enter certificates at the + prompt.

Using the Certificate Management Software

This section shows how to use the Certificate Management software. It has the following sections.

1. Before You Begin

2. Putting CA Certificates Into the Router

3. Requesting Certificates

4. Putting Certificates Into the Router

5. Putting CRLs Into the Router

6. Managing the IBD

7. Clearing Your Configuration

8. Revoking Certificates

Before You Begin

Before using the Certificate Management software, you need to

Setting the Time on the Router

You must set the correct time of day and offset from Greenwich Mean Time (GMT) on the router before you set up certificates.

Certificates have a not valid before time, which is the time the certificate was created, and a not valid after time. If the time is not set correctly on the router, and you try to retrieve a certificate into the certificate management module, the router may not accept the certificate.

To check the time set on the router, enter time list at the Config> prompt.

To set the time, enter the following commands at the Config> prompt.

Using FTP or TFTP

You can use FTP or TFTP to move certificate requests, certificates, and CRLs to or from the router.

The router contains an FTP server implementation. To use FTP, you run FTP client software on a PC or workstation and connect to your router's FTP server. You can then use FTP commands such as put or delete.

The router can also act as a TFTP client. The remote host is any device (for example, router, workstation, PC) running IP and acting as a TFTP server. To use the router's TFTP commands, display the Boot config> prompt. You can then use the router's tftp put and tftp get commands.

Config>boot
TFTP Boot/dump configuration
Boot config>tftp get
Enter local filename [CONFIG]?

Enter remote host's IP address or name in host table?

Putting CA Certificates Into the Router

This section shows how to get CA Certificates from the CA into the Certificate Management software. CAs provide a certificate that validates other certificates you receive from the CA or from a remote device.

For certificates that need a chain of certificate authorities, you may need to add several CA certificates.

1. In the router software, add a name for the CA.

CertMgmt Config> add ca entr

2. Copy this CA's certificate from the CA. You can do this using your browser software.

3. Use FTP or TFTP to put the CA's certificate into the router IBD.

You can view the contents of the router's IBD file system. In this example, cert4entr in bank 25 is the name of the CA certificate.

Config>boot
Boot config>list ibd
Banks 1-24 contain load "gtx.ldc" which uses 1508186 bytes
Loaded using TFTP over IP
Filename gtx.ldc
Host 0.0.0.0
Bank 25 contains load "cert4entr" which uses 1469 bytes
Loaded using TFTP over IP
Filename
Host 170.170.170.170
Bank 26-60 have been erased

4. In the router software, retrieve the CA's certificate. This makes the CA certificate available to the certificate management software.

Enter the retrieve ca command followed by the CA name and then the CA certificate file name in the router IBD.

CertMgmt Config> retrieve Ca entr cert4entr

Requesting Certificates

This section shows how to create a certificate request and send it to your CA.

1. In the router software, add a certificate request. Include the name of the request with this command. The name of the certificate request and the name of the CA must be the same. This example uses the name HQ.

You must define at least two of the following fields in a request: name, department, or company. Your CA may require that you include other information in a request. Each CA has a Certificate Policy Statement that specifies what must be in a request.

You also specify how the router encodes the request and the key type it uses to sign the request. See add request for all the options you can use with this command.

CertMgmt Config> add Request HQ name = Westboro department = Engineering company = "OpenROUTE Networks, Inc." state = MA country = US key_type = dsa/sha1 key_length = 1024 format = DER

At any time in the process you can view the status of a request.

CertMgmt Config> list status hq
Request: hq
Subject: "Westboro", "Engineering","OpenROUTE Networks, Inc.","MA","US"
Key Type/Len: DSA/SHA1 / 1024
Format: DER
Status: Not submitted

2. In the router software, submit the request. You must include a file name for the request. In this example the name is hq.req.

CertMgmt Config> submit request hq manual hq.req
This command will overwrite your current private/public keys
thus invalidating any certificates you may have for this request.
Do you wish to proceed? (Yes or [No]): [no]? yes
Please wait. This may take a while..............
Certificate Request in IBD/entrreq

The router generates a certificate request and saves it in the router's IBD. You can view the contents of the router's IBD file system.

Config>boot
TFTP Boot/dump configuration
Boot config>list ibd
Banks 1-24 contain load "gtx.rap" which uses 1508186 bytes
Loaded using TFTP over IP
Filename gtx.ldc
Host 0.0.0.0

Bank 25 contains load "hq.req" which uses 1362 bytes
Loaded using TFTP over IP
Filename
Host 0.0.0.0
Banks 26-60 have been erased

3. You can now send the certificate request to the CA. Use FTP or TFTP to get the certificate request from the router to your PC or workstation. This example uses tftp put at the Boot config> prompt.

Boot config>tftp put ibd/hq.req 192.168.1.3 /gw/gmd/hq.req
TFTP transfer complete, status: OK

4. Send the certificate request to the CA. You can do this using your browser software.
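
Before step 4, you can confirm on the workstation that the file copied from the router carries the subject and key type you configured. The following Python is an added example, not OpenROUTE code: it accepts a DER or Base-64 request, reads the PKCS#10 structure, and compares it with the add request values. The mapping of name, department, company, state, and country to the X.520 attributes CN, OU, O, ST, and C, and the placeholder sample request, are assumptions of the example.

```python
import base64

# DER-encoded OIDs. Mapping the router's field names onto these X.520 attribute
# types (CN, OU, O, ST, C) is an assumption of this example, not from the page.
OIDS = {bytes.fromhex(h): n for h, n in [
    ("550403", "name"), ("55040b", "department"), ("55040a", "company"),
    ("550408", "state"), ("550406", "country"),
    ("2a8648ce380401", "dsa"), ("2a8648ce380403", "dsa/sha1")]}

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def to_der(data):
    """Accept the request file in either format the router can write."""
    if data[:1] == b"\x30":  # already DER: begins with a SEQUENCE tag
        return data
    lines = [l.strip() for l in data.decode("ascii").splitlines()]
    body = "".join(l for l in lines if l and not l.startswith("-----"))
    return base64.b64decode(body, validate=True)

def inspect_request(data):
    """Return (subject fields, signature algorithm) of a PKCS#10 request."""
    der = to_der(data)
    tag, body, end = read_tlv(der)
    parts = children(body)
    if tag != 0x30 or end != len(der) or len(parts) != 3:
        raise ValueError("not a PKCS#10 certificate request")
    info, sig_alg, _signature = parts
    subject = {}
    for _, rdn in children(children(info[1])[1][1]):  # [0] version, [1] subject
        for _, atv in children(rdn):
            (_, oid), (_, val) = children(atv)
            subject[OIDS.get(oid, oid.hex())] = val.decode("utf-8")
    alg = children(sig_alg[1])[0][1]
    return subject, OIDS.get(alg, alg.hex())

def check_request(data, expected):
    """Return a list of problems; an empty list means the file matches."""
    subject, alg = inspect_request(data)
    problems = [f"{k}: expected {v!r}, found {subject.get(k)!r}"
                for k, v in expected.items() if subject.get(k) != v]
    if sum(k in subject for k in ("name", "department", "company")) < 2:
        problems.append("fewer than two of name, department, company")
    if alg != "dsa/sha1":
        problems.append(f"unexpected signature algorithm {alg}")
    return problems

def tlv(tag, body):
    """DER-encode one element; used only to build the constructed sample."""
    n = len(body)
    k = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + head + body

def build_sample_request(subject):
    """Constructed sample: placeholder key and signature, not a real request."""
    oid_of = {name: oid for oid, name in OIDS.items()}
    rdns = b"".join(
        tlv(0x31, tlv(0x30, tlv(0x06, oid_of[k]) + tlv(0x13, v.encode())))
        for k, v in subject.items())
    spki = tlv(0x30, tlv(0x30, tlv(0x06, oid_of["dsa"])) + tlv(0x03, b"\x00\x02\x01\x01"))
    info = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, rdns) + spki + tlv(0xA0, b""))
    sig_alg = tlv(0x30, tlv(0x06, oid_of["dsa/sha1"]))
    return tlv(0x30, info + sig_alg + tlv(0x03, bytes(47)))

# Subject values from this document's "add Request HQ" example.
EXPECTED = {"name": "Westboro", "department": "Engineering",
            "company": "OpenROUTE Networks, Inc.", "state": "MA", "country": "US"}

if __name__ == "__main__":
    print(check_request(build_sample_request(EXPECTED), EXPECTED))
```

The check reads the subject and algorithm only; it does not verify the signature on the request, which remains the CA's job.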

Putting Certificates Into the Router

When the CA receives your certificate request, it generates a certificate and sends it to you. This section shows how to get the certificate into the certificate management software.

1. Use FTP or TFTP to move the certificate to the router's IBD. This example uses tftp get at the Boot config> prompt.

Boot config>tftp get ibd/hq.cert 192.168.1.3 /gw/gmd/hq.cert
TFTP transfer complete, status: OK

Boot config>list ibd
Banks 1-24 contain load "gtx.rap" which uses 1508186 bytes
Loaded using TFTP over IP
Filename gtx.ldc
Host 0.0.0.0

Bank 25 contains load "hq.req" which uses 1362 bytes
Loaded using TFTP over IP
Filename
Host 0.0.0.0
Bank 26 contains load "hq.cert" which uses 911 bytes
Loaded using TFTP over IP
Banks 27-60 have been erased

2. In the router software, retrieve the certificate from the IBD.

In this example, hq is the name of the certificate and hq.cert is the certificate file name in the router's IBD.

CertMgmt Config> retrieve Certificate hq hq.cert

The certificate is now ready for IKE to use. You can view the status.

CertMgmt Config> list Status hq
Request: hq
Subject: "Westboro", "Engineering", "OpenROUTE
Networks, Inc.","MA", "US"
Key Type/Len: DSA/SHA1 / 1024
Format: Base-64
Status: Certificate received for this request
Cert. File: hq.cert

Putting CRLs Into the Router

This section shows how to get Certificate Revocation Lists from your CA into the router.

1. In the router software, add a name for the CRL.

CertMgmt Config> add crl entr_crl

2. Copy the CA's CRL from the CA. You can do this using your browser software.

3. Use FTP or TFTP to put the CRL into the router IBD.

4. In the router software, retrieve the CRL. This makes the CRL available to the certificate management software.

Enter the retrieve CRL command followed by the name of the CRL and then the CRL file name in the router IBD.

CertMgmt Config> retrieve CRL entr_crl Oct12crl

Managing the IBD

Certificate Management uses the router's Integrated Boot Device (IBD) to import and export certificates, certificate requests, and CRLs. It also stores CRLs in the IBD.

The router's IBD stores files in non-volatile flash memory in a series of banks. The number of banks and the size of each bank depends on your router platform. If a file fills more than one bank, you need enough adjacent banks available to hold the file.

Certificate Management requires at least one available bank for each CA plus one additional bank for copying certificates and certificate requests. If all IBD banks are in use, the submit and retrieve commands fail.

In most cases, you need to use a bank only for a short period of time. To make sure there is enough space available, you should delete items you no longer need. The following are recommended guidelines:

IBD Commands

You enter commands to manage the IBD at the Boot config> prompt. To display this prompt, enter boot at the Config> prompt.

Config>boot
TFTP Boot/dump configuration
Boot config>

To View the Contents of the IBD

Boot config>list ibd
Banks 1-24 contain load "gtx.ldc" which uses 1508186 bytes

Loaded using TFTP over IP
Filename gtx.ldc
Host 0.0.0.0
Bank 25 contains load "entcacert2" which uses 1469 bytes
Loaded using TFTP over IP
Filename
Host 170.170.170.170
Bank 26-60 have been erased

To Delete a File From the IBD

Boot config>delete

Loadname or Bank Number:entcacert2

Erasing flash please wait ...

Clearing Your Configuration

Clearing the configuration on a router clears the local certificate, as well as the private/public key pair. Without the private key, the certificate containing the related public key is no longer usable. In such a situation, you should revoke certificates before clearing your configuration.

Revoking Certificates

This implementation does not support the ability to revoke one of its own certificates. To revoke certificates, you must contact the CA by telephone.

Certificate Management Commands

Table 1 describes the Certificate Management commands.

Press Space twice after you type a command to display the available parameters for each command. Enter help for information about using the command line interface.

[C] means the command is available at the CertMgmt Config> prompt.

[M] means the command is available at the CertMgmt> prompt.

Table 1 Certificate Management Commands

Command                  Description
Add CA [C] [M]           Adds a CA name to your configuration.
Add Request [C] [M]      Adds and defines certificate requests.
Add CRL [C] [M]          Adds the name of a Certificate Revocation List request.
Delete [C] [M]           Deletes CAs, certificate requests, certificates, CRLs, or keys.
List [C] [M]             Displays your configuration, as well as the current status of certificate requests.
Retrieve [C] [M]         Retrieves certificates and CRLs from the router's IBD.
Set CA [C] [M]           Changes the definition of a CA.
Set Request [C] [M]      Changes the definition of a certificate request.
Submit Request [C] [M]   Submits certificate requests to the IBD.

Add CA [C] [M]

Adds a Certificate Authority to your configuration, and specifies whether the CA provides manual or automatic certificate enrollment. Currently, OpenROUTE software supports only manual enrollment.

Notes:

Syntax: add ca name mode =

manual

Example: add ca entr mode = manual

Add Request [C] [M]

Adds and defines certificate requests. Each CA has a Certificate Policy Statement that specifies what information you must include in a request.

Notes:

The following section describes each of the certificate request parameters. You can change these parameters later using the set request command.

Syntax: add request name

Example: add request default

key_type

Sets the public key algorithm used to sign this certificate request. Currently, OpenROUTE software supports only DSA/SHA1.

Syntax: key_type =

dsa/sha1

Entry Description
dsa/sha1 Digital Signature Algorithm/Secure Hash Algorithm-1 (SHA-1).

Example: add request default key_type = dsa/sha1

key_length

The possible key length values depend on the algorithm you selected for the key type.

The default key length is 1024.

Syntax: key_length =

768
1024
2048

Example: add request default key_length = 2048

name

Adds the name used in the certificate request.

Syntax: name = name

Example: add request default name = gmd

department

Adds the department name used in the certificate.

Syntax: department = name

Example: add request default department = finance

company

Adds the company name used in the certificate.

Syntax: company = name

To use a name of more than one word in your request, put quotation marks around the name.

Example: add request default company = "OpenROUTE Networks"

state

Adds the state name to use in the certificate.

Syntax: state = name

Example: add request default state = ma

country

Adds the country name to use in the certificate.

Syntax: country = name

Example: add request default country = US

format

The router can create certificate requests in either DER-encoded format or Base-64 format. The format you use depends on the format your CA supports.

Syntax: format =

DER
Base-64

Entry Description
der Distinguished Encoding Rules (DER) as defined in X.509.

Base-64

Example: add request default format = pem

Add CRL [C] [M]

Adds the name of a Certificate Revocation List request. After you add a CRL name, you copy the CRL into the router's IBD and then use the retrieve crl command to move the CRL into the Certificate Management module.

Syntax: add crl

Example: add crl entrCRL

Delete [C] [M]

Deletes a CA, specific certificate requests, certificates, and CRLs.

Syntax: delete

ca
request
certificate
crl
keys

ca

Deletes a CA from your configuration.

Syntax: delete ca name

Example: delete ca entr

request

Deletes a certificate request from your configuration.

This command is useful if you decide not to request a certificate with the configured information. This command is also useful to delete certificate requests for certificates that you have already received.

Syntax: delete request name

Example: delete request default

certificate

Deletes a certificate, including public/private key pairs associated with the certificate.

Syntax: delete certificate name

Example: delete certificate boston

This command will delete this certificate and its private/public keys.
You will never be able to use this certificate again.
Do you wish to proceed? (Yes or [No]): [no]?

crl

Deletes a Certificate Revocation List (CRL).

Syntax: delete crl name

Example: delete crl entr_crl

keys

This command lets you delete obsolete private/public key pairs from the router.

Syntax: delete keys

Example: delete keys boston

This command will delete this private/public key pair.
You will never be able to use the certificate for these keys again.
Do you wish to proceed? (Yes or [No]):[no]? yes

List [C] [M]

Displays your Certificate Management settings, as well as current certificates and CRLs. You can also display the status of your certificate requests.

Syntax: list

ca
all
request
certificate
crl
status
keys

ca

Shows certificate authorities configured on the router.

Example: list ca

CA Name Root Mode
entr No Manual

all

Shows your certificate configuration and lists valid certificates, CRLs, and keys.

Example: list all

CA Name Mode
hq Manual

Request Subject (name, department, company, state, country)
hq "Westboro", "Engineering", "OpenROUTE Networks, Inc.",
"MA", "US"

Cert Owner Issuer Length Type Valid From Valid To
entr Root Entrust 1024 DSA Sep 25,1999 Sep 25,2019
default Local Entrust 1024 DSA Oct 8,1999 Dec 8,1999


CRL Issuer Valid From Valid To Filename
entr_crl No CRL

Key Length Type Public Key
boston 1024 DSA
245AC3ECAB76FCC6B445DC4ECEC3E418DF104BA85CEF8E0A3FB9ACF7D5C5A814BE3B968
20FAF41A1D6DEBEF27D744E22BC8DD8AFE42BC4D1E6ECBA5F25EF87D6AADFA4DC093C6D
DD6A46239E990A1A2603BA05453067AEDF1BE3A252DA60A4582FCB640AD1264DF3D56FE
295C787D4C54AFF1596570514691FCD9893A7721A97

request

Gives a brief list of all configured certificate requests. To see if a request was submitted to the CA and if a certificate was received from the CA, use the list status command.

Example: list request

Request Subject (name, department, company, state, country)
hq "Westboro", "Engineering", "OpenROUTE Networks, Inc.","MA", "US"

certificate

Lists the certificates added for this local device, as well as certificates the device has learned. This display indicates the issuer of the certificate and the length of the public key bound to that certificate.

Example: list certificate

Cert Owner Issuer Length Type Valid From Valid To
entr Root Entrust 1024 DSA Sep 25,1998 Sep 25,2018
default Local Entrust 1024 DSA Oct 8,1999 Dec 8,1999

crl

Lists information about retrieved CRLs.

Example: list crl

Name Issuer Valid From Valid To
hq-CRL hq-ca July 7, 1999 1200 July 7, 1999 1300

status

Lists the details and status of certificate requests, including any certificate requests that were sent to the CA and returned in error.

Example: list status hq

Request: hq
Subject: "Westboro", "Engineering", "OpenROUTE Networks, Inc.","MA", "US"
Key Type/Len: DSA/SHA1 / 1024
Format: Base-64
Status: Not submitted

keys

Displays the keys in your certificate configuration.

Example: list keys

Key Length Type Public Key
boston 1024 DSA
245AC3ECAB76FCC6B445DC4ECEC3E418DF104BA85CEF8E0A3FB9ACF7D5C5A814BE3B968
20FAF41A1D6DEBEF27D744E22BC8DD8AFE42BC4D1E6ECBA5F25EF87D6AADFA4DC093C6D
DD6A46239E990A1A2603BA05453067AEDF1BE3A252DA60A4582FCB640AD1264DF3D56FE
295C787D4C54AFF1596570514691FCD9893A7721A97

gmd 1024 DSA
7A5AE1BE9392D849E28E1844179DCD6D9DC4FBDEE6313EAA1B0822CA0E98108CAA4E387
37A404EC6FDB4EA8BED840A1131AA8999BB73D054399089EFB7EB5AA0A3012681BAEA8B
5763FBB57A2B43D00190CAF5E958BE4CF32ED9A53273065B3E2368105BCD2AF887CCED9
15C428F9F31C2901E90423DE1D3E0030EB202A43DB9

hq 1024 DSA
93C952A0C5D0BAA787ABC74F10F6C2B45E4223AB6ADB07DE0E5EC354932BFAC2F6DCB0C
D3BC072AE0521E24860C7EBB831034584DA4DC6C90FB13D8E26B1EF5E0B19287B2AD92A
5FD5C9127B6FCA7D36A27521D4BDEF406CA45146A37D21D165F89A20C7CB98AF06D0D4F
E2222592A38F94F4FD4BE27DA90DF6CC0E3D7599701

Retrieve [C] [M]

Retrieves CA certificates, local certificates, or CRLs from the router's IBD into the certificate management module.

Syntax: retrieve

ca
certificate
crl

ca

Retrieves a Certificate Authority's certificate from the IBD, decodes the certificate, and makes it available to the Certificate Management software.

When you receive a CA certificate from the CA, you copy the certificate to the router's IBD and then use this command to retrieve the certificate. For the complete process, see Putting CA Certificates Into the Router.

Upon retrieving the certificate, you can view it with the list certificates command.

When you enter the retrieve ca command, you include the name of the CA you assigned with the add ca command followed by the name of the CA certificate file in the IBD.

Syntax: retrieve ca

CA name
IBD file name

Example: retrieve CA entr entcacert2

certificate

Retrieves a certificate from the IBD, decodes the certificate, validates the certificate using the CA certificate, and makes it available to the Certificate Management software. You can view valid certificates with the list certificates command.

When you receive a certificate from the CA, you copy the certificate to the router's IBD and then use this command to retrieve the certificate. For the complete process, see Requesting Certificates and Putting Certificates Into the Router.

When you enter the retrieve certificate command, you include the name of the certificate you assigned with the add request command followed by the name of the certificate file in the IBD.

Syntax: retrieve certificate

certificate name
file name

Example: retrieve Certificate default entcertif

crl

Retrieves a Certificate Revocation List (CRL) from the IBD and makes it available to the Certificate Management software.

When you receive a CRL from the CA, you copy the CRL to the router's IBD and then use this command to retrieve the CRL.

Note: CRLs are rather large. As soon as you retrieve a CRL from the IBD, you should delete the CRL from the IBD.

When you enter the retrieve crl command, you include the name of the CRL you assigned with the add crl command followed by the name of the CRL file in the IBD.

Syntax: retrieve crl

CRL name
filename

Example: retrieve crl hqCRL hqCRL23

Set CA [C] [M]

Sets whether certificate enrollment to a CA is automatic or manual. Currently, OpenROUTE software supports only manual enrollment.

Syntax: set ca ca name

mode = manual

Example: set ca hq-ca mode = manual

Set Request [C] [M]

Sets or modifies parameters of a certificate request that you previously created.

Once you submit a request, you should not change the request and submit it again. If you do, the router generates a new pair of public/private keys. This means that when the router receives a certificate that was generated from the first request, the keys do not match and the router rejects the certificate.

The same options are available for both the add request and the set request commands. For information on the options, see the add request command.

Example: set request hq format = Base-64

Submit Request [C] [M]

Using the information you provided with the add request or set request commands, the router creates a certificate request in the format ready to send to your CA. It saves the certificate request in the router's IBD.

CAUTION:
Make sure you do not submit the same request more than once. If you do, the router generates a new pair of public/private keys. This means that when the router receives a certificate that was generated from the request, the keys will not match and the router will reject the certificate.

You need to use FTP or TFTP to get the certificate request from the router. You then need to send the certificate request to the CA. You can do this using your browser software.

When the router creates the request, it generates a public/private key pair. The private key never leaves the router. The public key is included in the certificate request, which is sent to the CA.

Notes:

Syntax: submit request

name
manual
file name

Example: submit Request hq manual hq.req

This command will overwrite your current private/public keys
thus invalidating any certificates you may have for this request.
Do you wish to proceed? (Yes or [No]): [no]? yes
Please wait. This may take a while..............
Certificate Request in IBD/hq.req



docs@openroute.com
Copyright © 2000, OpenROUTE Networks, Inc. All rights reserved.