A networking device may provide several security services
and protocols like SSL, SSH, IPSec/IKE etc. which need
identities in the form of X509 certificates. The device
uses these certificates (called identity certificates) to
authenticate itself to various clients communicating with
the device using these protocols and also to provide other
protection for the communication like confidentiality,
integrity and non-repudiation. In addition, the device may
need to authenticate the clients which involves, among
other things, verifying the certificates presented by the
clients (peer certificates) during the protocol exchanges.
The certificate verification, in turn, involves the
certificate revocation status checking and the certificate
signature verification. This MIB applies to the public key
infrastructure (PKI) participation feature which enables a
networking device to participate in one or more PKI
services (also called Certificate Authorities) enabling
it to obtain one or more X509 identity certificates for
its own use as well as to verify peer certificates.
This MIB organizes the various certificates, key-pairs and
Certificate Authority related information into the tables:
the trustpoint table for certificate and CA information
and a key-pair table for the key-pair information for each
type of key-pair such as RSA, DSA etc. An entry in the
trustpoint table corresponds to a trusted CA for obtaining
an identity certificate from and also for verifying the
peer certificates issued by that CA. The entry contains
information about the CA certificate, the identity
certificate - if obtained - from the CA, the corresponding
key-pair from a key-pair table (for which the identity
certificate was obtained) and the information needed for
revocation checking of certificates issued by the CA.
For each type (RSA, DSA etc.) of key-pair supported by the
device, a key-pair table is present and contains an entry
for each key-pair of that type present in the device. This
allows future expansion of the MIB to support additional
key-pair types (currently only RSA key-pair is supported).
As seen above, a key-pair entry from a key-pair table can
be associated to an entry in the trustpoint table. A key-
pair entry can be associated to multiple trustpoint table
entries but not vice versa.
This MIB supports the certificate work-flow operations,
generally used for generating the key-pairs and obtaining
the certificates for them from various CAs. The following
are the steps in one typical work-flow:
1. Create a trustpoint (an entry in trustpoint table) in
the device.
2. Authenticate a CA (this involves manually verifying the
CA certificate/chain fingerprints and then inputting the
CA certificate/chain into the trustpoint).
3. Generate a key-pair (an entry in key-pair table).
4. Associate the key-pair to the trustpoint.
5. Generate a pkcs#10 Certificate Signing Request (CSR) in
the trustpoint.
7. Submit CSR to the CA and get the identity certificate.
9. Input the identity certificate into the trustpoint.
In another typical certificate work-flow, the key-pair and
the corresponding identity certificate are allowed to be
generated/obtained outside the device by whatever means
and then input to the device in the pkcs#12 form.
This MIB does not support the configuration of individual
security services like SSL, SSH, IPsec/IKE etc. to use
particular trustpoints or certificates and key-pairs in
them. Instead the security services certificate usage
configuration is supported in the respective feature MIBs.
Glossary of the terms used in this MIB:
key-pair -
A pair of public-key cryptographic keys in which one is
public and the other private.
RSA key-pair -
A key-pair belonging to the RSA public-key cryptography
algorithm.
Certificate Authority (CA) -
A service which issues X509 certificates to certify the
identity (name) and public-key of end entities.
X509 -
A standard for certificates and CRLs.
Reference: RFC 2459.
CA certificate -
The self-signed certificate of a CA certifying its own
identity and public-key.
CA certificate chain -
If a CA is certified by another CA which, in turn, was
certified by a third CA and so on, ending in a CA which
is self-certified, the original CA is said to be a
subordinate CA and its CA certificate is a chain which
is the set of CA certificates of all CAs involved.
Identity certificate -
The certificate of a device issued by a CA in which the
device identity and public-key are certified.
Trustpoint -
The various information about a CA (including its CA
certificate/chain), which the device wants to trust so
that it can use it to enroll with the CA to get an
identity certificate and/or use it to verify the peer
certificates issued by the CA.
Certificate fingerprint -
The digest of a certificate computed using MD5 or SHA
hash algorithm.
CA authentication -
The process of configuring the CA certificate/chain for
a trustpoint. The process involves calculating the
fingerprints of the CA certificates and verifying them
against the same already published by the CAs.
Enrollment -
The process of creating a Certificate Signing Request in
a trustpoint, submitting it to corresponding CA, getting
back the identity certificate and inputting it into the
trustpoint.
Certificate verification -
The process of verifying the signature on a certificate
to see if it was really signed by the CA who issued it.
This verification process uses the CA certificate/chain.
The certificate verification also involves verifying the
validity of certificate with respect to current time by
checking against the validity interval given in the
certificate and the revocation status of the certificate
as maintained by the CA.
Certificate Signing Request (CSR) -
A request to a CA for signing a certificate of an entity.
The request contains the public key, the name and other
attributes of the entity.
pkcs#10 -
A standard syntax for the CSR, Reference: RFC 2986.
pkcs#12 -
A standard for exporting and importing a certificate
along with associated key-pair and CA certificate/chain.
Reference: PKCS #12 v1.0: Personal Information Exchange
Syntax Standard, RSA Laboratories, June 24, 1999
CRL -
Certificate Revocation List, a list of certificates that
are revoked, as maintained by a CA.
OCSP -
Online Certificate Status Protocol, a protocol for online
checking of the revocation status of certificates.
PEM format -
A printable text encoding format for certificates,
key-pairs and CRLs, as employed by the Privacy Enhanced
Mail standard. Reference: RFCs 1421-1424.
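The fingerprint check behind work-flow step 2 and the "Certificate fingerprint" and "CA authentication" glossary entries, as an added example that is not part of the MIB or of any Cisco code. The function names, the `allow_weak` switch and the sample bytes are assumptions made for illustration; the sample "certificates" are constructed placeholder bytes, which is sufficient because a fingerprint is a digest over the DER encoding.

```python
import base64
import hashlib
import hmac
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)
DIGEST_SIZE = {"md5": 16, "sha1": 20, "sha256": 32}
WEAK = {"md5", "sha1"}  # collision-weak; accepted only when explicitly allowed


def pem_to_der_list(pem_text):
    """Return the DER bytes of every certificate in a PEM bundle, in order."""
    ders = []
    for body in PEM_BLOCK.findall(pem_text):
        compact = "".join(body.split())  # drop line breaks inside the block
        ders.append(base64.b64decode(compact, validate=True))
    if not ders:
        raise ValueError("no CERTIFICATE block found in input")
    return ders


def fingerprint(der, algorithm="sha256"):
    """Fingerprint in the operator-facing form AA:BB:CC:..."""
    if algorithm not in DIGEST_SIZE:
        raise ValueError(f"unsupported digest: {algorithm}")
    return ":".join(f"{b:02X}" for b in hashlib.new(algorithm, der).digest())


def parse_published(text, algorithm):
    """Normalise a published fingerprint (colons, spaces, any case) to bytes."""
    raw = bytes.fromhex(re.sub(r"[\s:]", "", text))  # ValueError if not hex
    if len(raw) != DIGEST_SIZE[algorithm]:
        raise ValueError(f"fingerprint length does not match {algorithm}")
    return raw


def authenticate_ca(pem_chain, published, algorithm="sha256", allow_weak=False):
    """True only if every chain certificate matches its published fingerprint.

    `published` holds one fingerprint per certificate, in chain order,
    obtained out of band from the CA.
    """
    if algorithm not in DIGEST_SIZE:
        raise ValueError(f"unsupported digest: {algorithm}")
    if algorithm in WEAK and not allow_weak:
        raise ValueError(f"{algorithm} fingerprints need allow_weak=True")
    ders = pem_to_der_list(pem_chain)
    if len(ders) != len(published):
        raise ValueError("need one published fingerprint per chain certificate")
    ok = True
    for der, text in zip(ders, published):
        expected = parse_published(text, algorithm)
        actual = hashlib.new(algorithm, der).digest()
        # Check every certificate; compare_digest avoids timing differences.
        ok = hmac.compare_digest(actual, expected) and ok
    return ok


def make_pem(der):
    """Wrap bytes in PEM armour (used only to build the sample input)."""
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


# Constructed placeholder bytes standing in for DER certificates.
SAMPLE_SUB_CA_DER = b"\x30\x82\x01\x0a" + b"constructed subordinate CA " * 4
SAMPLE_ROOT_CA_DER = b"\x30\x82\x01\x0b" + b"constructed root CA " * 4
SAMPLE_CHAIN_PEM = make_pem(SAMPLE_SUB_CA_DER) + make_pem(SAMPLE_ROOT_CA_DER)

if __name__ == "__main__":
    published = [fingerprint(SAMPLE_SUB_CA_DER), fingerprint(SAMPLE_ROOT_CA_DER)]
    print("chain accepted:", authenticate_ca(SAMPLE_CHAIN_PEM, published))
    published[1] = fingerprint(SAMPLE_SUB_CA_DER)  # wrong root fingerprint
    print("chain accepted:", authenticate_ca(SAMPLE_CHAIN_PEM, published))
```

The check is only as strong as the channel over which the published fingerprints were obtained, which is why the work-flow describes this step as a manual verification.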
Parsed from file CISCO-PKI-PARTICIPATION-MIB.mib
Module: CISCO-PKI-PARTICIPATION-MIB
Parsed from file CISCO-PKI-PARTICIPATION-MIB.my.txt
Company: None
Module: CISCO-PKI-PARTICIPATION-MIB
cpkiMIB MODULE-IDENTITY
    LAST-UPDATED "200510220000Z"
    ORGANIZATION "Cisco Systems, Inc."
    CONTACT-INFO
        " Cisco Systems
        Network Management Technology Group
        Postal: 170 W Tasman Drive
        San Jose, CA 95134
        USA
        Tel: +1 800 553-NETS
        E-mail: [email protected]"
    DESCRIPTION
        "A networking device may provide several security services
        and protocols like SSL, SSH, IPSec/IKE etc. which need
        identities in the form of X509 certificates. The device
        uses these certificates (called identity certificates) to
        authenticate itself to various clients communicating with
        the device using these protocols and also to provide other
        protection for the communication like confidentiality,
        integrity and non-repudiation. In addition, the device may
        need to authenticate the clients which involves, among
        other things, verifying the certificates presented by the
        clients (peer certificates) during the protocol exchanges.
        The certificate verification, in turn, involves the
        certificate revocation status checking and the certificate
        signature verification. This MIB applies to the public key
        infrastructure (PKI) participation feature which enables a
        networking device to participate in one or more PKI
        services (also called Certificate Authorities) enabling
        it to obtain one or more X509 identity certificates for
        its own use as well as to verify peer certificates.
        This MIB organizes the various certificates, key-pairs and
        Certificate Authority related information into the tables:
        the trustpoint table for certificate and CA information
        and a key-pair table for the key-pair information for each
        type of key-pair such as RSA, DSA etc. An entry in the
        trustpoint table corresponds to a trusted CA for obtaining
        an identity certificate from and also for verifying the
        peer certificates issued by that CA. The entry contains
        information about the CA certificate, the identity
        certificate - if obtained - from the CA, the corresponding
        key-pair from a key-pair table (for which the identity
        certificate was obtained) and the information needed for
        revocation checking of certificates issued by the CA.
        For each type (RSA, DSA etc.) of key-pair supported by the
        device, a key-pair table is present and contains an entry
        for each key-pair of that type present in the device. This
        allows future expansion of the MIB to support additional
        key-pair types (currently only RSA key-pair is supported).
        As seen above, a key-pair entry from a key-pair table can
        be associated to an entry in the trustpoint table. A
        key-pair entry can be associated to multiple trustpoint
        table entries but not vice versa.
        This MIB supports the certificate work-flow operations,
        generally used for generating the key-pairs and obtaining
        the certificates for them from various CAs. The following
        are the steps in one typical work-flow:
        1. Create a trustpoint (an entry in trustpoint table) in
        the device.
        2. Authenticate a CA (this involves manually verifying the
        CA certificate/chain fingerprints and then inputting the
        CA certificate/chain into the trustpoint).
        3. Generate a key-pair (an entry in key-pair table).
        4. Associate the key-pair to the trustpoint.
        5. Generate a pkcs#10 Certificate Signing Request (CSR) in
        the trustpoint.
        7. Submit CSR to the CA and get the identity certificate.
        9. Input the identity certificate into the trustpoint.
        In another typical certificate work-flow, the key-pair and
        the corresponding identity certificate are allowed to be
        generated/obtained outside the device by whatever means
        and then input to the device in the pkcs#12 form.
        This MIB does not support the configuration of individual
        security services like SSL, SSH, IPsec/IKE etc. to use
        particular trustpoints or certificates and key-pairs in
        them. Instead the security services certificate usage
        configuration is supported in the respective feature MIBs.
        Glossary of the terms used in this MIB:
        key-pair -
        A pair of public-key cryptographic keys in which one is
        public and the other private.
        RSA key-pair -
        A key-pair belonging to the RSA public-key cryptography
        algorithm.
        Certificate Authority (CA) -
        A service which issues X509 certificates to certify the
        identity (name) and public-key of end entities.
        X509 -
        A standard for certificates and CRLs.
        Reference: RFC 2459.
        CA certificate -
        The self-signed certificate of a CA certifying its own
        identity and public-key.
        CA certificate chain -
        If a CA is certified by another CA which, in turn, was
        certified by a third CA and so on, ending in a CA which
        is self-certified, the original CA is said to be a
        subordinate CA and its CA certificate is a chain which
        is the set of CA certificates of all CAs involved.
        Identity certificate -
        The certificate of a device issued by a CA in which the
        device identity and public-key are certified.
        Trustpoint -
        The various information about a CA (including its CA
        certificate/chain), which the device wants to trust so
        that it can use it to enroll with the CA to get an
        identity certificate and/or use it to verify the peer
        certificates issued by the CA.
        Certificate fingerprint -
        The digest of a certificate computed using MD5 or SHA
        hash algorithm.
        CA authentication -
        The process of configuring the CA certificate/chain for
        a trustpoint. The process involves calculating the
        fingerprints of the CA certificates and verifying them
        against the same already published by the CAs.
        Enrollment -
        The process of creating a Certificate Signing Request in
        a trustpoint, submitting it to corresponding CA, getting
        back the identity certificate and inputting it into the
        trustpoint.
        Certificate verification -
        The process of verifying the signature on a certificate
        to see if it was really signed by the CA who issued it.
        This verification process uses the CA certificate/chain.
        The certificate verification also involves verifying the
        validity of certificate with respect to current time by
        checking against the validity interval given in the
        certificate and the revocation status of the certificate
        as maintained by the CA.
        Certificate Signing Request (CSR) -
        A request to a CA for signing a certificate of an entity.
        The request contains the public key, the name and other
        attributes of the entity.
        pkcs#10 -
        A standard syntax for the CSR, Reference: RFC 2986.
        pkcs#12 -
        A standard for exporting and importing a certificate
        along with associated key-pair and CA certificate/chain.
        Reference: PKCS #12 v1.0: Personal Information Exchange
        Syntax Standard, RSA Laboratories, June 24, 1999
        CRL -
        Certificate Revocation List, a list of certificates that
        are revoked, as maintained by a CA.
        OCSP -
        Online Certificate Status Protocol, a protocol for online
        checking of the revocation status of certificates.
        PEM format -
        A printable text encoding format for certificates,
        key-pairs and CRLs, as employed by the Privacy Enhanced
        Mail standard. Reference: RFCs 1421-1424.
        "
    REVISION "200510220000Z"
    DESCRIPTION
        "Initial version."
    ::= { ciscoMgmt 505 }
cpkiMIB OBJECT IDENTIFIER ::= { ciscoMgmt 505 }
Vendor: Cisco
Module: CISCO-PKI-PARTICIPATION-MIB
[Automatically extracted from oidview.com]
cpkiMIB MODULE-IDENTITY LAST-UPDATED "200510220000Z" ORGANIZATION "Cisco Systems, Inc." CONTACT-INFO " Cisco Systems Network Management Technology Group Postal: 170 W Tasman Drive San Jose, CA 95134 USA Tel: +1 800 553-NETS E-mail: [email protected]" DESCRIPTION "A networking device may provide several security services and protocols like SSL, SSH, IPSec/IKE etc. which need identities in the form of X509 certificates. The device uses these certificates (called identity certificates) to authenticate itself to various clients communicating with the device using these protocols and also to provide other protection for the communication like confidentiality, integrity and non-repudiation. In addition, the device may need to authenticate the clients which involves, among other things, verifying the certificates presented by the clients (peer certificates) during the protocol exchanges. The certificate verification, in turn, involves the certificate revocation status checking and the certificate signature verification. This MIB applies to the public key infrastructure (PKI) participation feature which enables a networking device to participate in one or more PKI services (also called Certificate Authorities) enabling it to obtain one or more X509 identity certificates for its own use as well as to verify peer certificates. This MIB organizes the various certificates, key-pairs and Certificate Authority related information into the tables: the trustpoint table for certificate and CA information and a key-pair table for the key-pair information for each type of key-pair such as RSA, DSA etc. An entry in the trustpoint table corresponds to a trusted CA for obtaining an identity certificate from and also for verifying the peer certificates issued by that CA. 
The entry contains information about the CA certificate, the identity certificate - if obtained - from the CA, the corresponding key-pair from a key-pair table (for which the identity certificate was obtained) and the information needed for revocation checking of certificates issued by the CA. For each type (RSA, DSA etc.) of key-pair supported by the device, a key-pair table is present and contains an entry for each key-pair of that type present in the device. This allows future expansion of the MIB to support additional key-pair types (currently only RSA key-pair is supported). As seen above, a key-pair entry from a key-pair table can be associated to an entry in the trustpoint table. A key-pair entry can be associated to multiple trustpoint table entries but not vice versa.

This MIB supports the certificate work-flow operations, generally used for generating the key-pairs and obtaining the certificates for them from various CAs. The following are the steps in one typical work-flow:
1. Create a trustpoint (an entry in trustpoint table) in the device.
2. Authenticate a CA (this involves manually verifying the CA certificate/chain fingerprints and then inputting the CA certificate/chain into the trustpoint).
3. Generate a key-pair (an entry in key-pair table).
4. Associate the key-pair to the trustpoint.
5. Generate a pkcs#10 Certificate Signing Request (CSR) in the trustpoint.
7. Submit CSR to the CA and get the identity certificate.
9. Input the identity certificate into the trustpoint.

In another typical certificate work-flow, the key-pair and the corresponding identity certificate are allowed to be generated/obtained outside the device by whatever means and then input to the device in the pkcs#12 form.

This MIB does not support the configuration of individual security services like SSL, SSH, IPsec/IKE etc. to use particular trustpoints or certificates and key-pairs in them. Instead the security services certificate usage configuration is supported in the respective feature MIBs.

Glossary of the terms used in this MIB:
key-pair - A pair of public-key cryptographic keys in which one is public and the other private.
RSA key-pair - A key-pair belonging to the RSA public-key cryptography algorithm.
Certificate Authority (CA) - A service which issues X509 certificates to certify the identity (name) and public-key of end entities.
X509 - A standard for certificates and CRLs. Reference: RFC 2459.
CA certificate - The self-signed certificate of a CA certifying its own identity and public-key.
CA certificate chain - If a CA is certified by another CA which, in turn, was certified by a third CA and so on, ending in a CA which is self-certified, the original CA is said to be a subordinate CA and its CA certificate is a chain which is the set of CA certificates of all CAs involved.
Identity certificate - The certificate of a device issued by a CA in which the device identity and public-key are certified.
Trustpoint - The various information about a CA (including its CA certificate/chain), which the device wants to trust so that it can use it to enroll with the CA to get an identity certificate and/or use it to verify the peer certificates issued by the CA.
Certificate fingerprint - The digest of a certificate computed using MD5 or SHA hash algorithm.
CA authentication - The process of configuring the CA certificate/chain for a trustpoint. The process involves calculating the fingerprints of the CA certificates and verifying them against the same already published by the CAs.
Enrollment - The process of creating a Certificate Signing Request in a trustpoint, submitting it to corresponding CA, getting back the identity certificate and inputting it into the trustpoint.
Certificate verification - The process of verifying the signature on a certificate to see if it was really signed by the CA who issued it. This verification process uses the CA certificate/chain. The certificate verification also involves verifying the validity of certificate with respect to current time by checking against the validity interval given in the certificate and the revocation status of the certificate as maintained by the CA.
Certificate Signing Request (CSR) - A request to a CA for signing a certificate of an entity. The request contains the public key, the name and other attributes of the entity.
pkcs#10 - A standard syntax for the CSR. Reference: RFC 2986.
pkcs#12 - A standard for exporting and importing a certificate along with associated key-pair and CA certificate/chain. Reference: PKCS #12 v1.0: Personal Information Exchange Syntax Standard, RSA Laboratories, June 24, 1999
CRL - Certificate Revocation List, a list of certificates that are revoked, as maintained by a CA.
OCSP - Online Certificate Status Protocol, a protocol for online checking of the revocation status of certificates.
PEM format - A printable text encoding format for certificates, key-pairs and CRLs, as employed by the Privacy Enhanced Mail standard. Reference: RFCs 1421-1424."
REVISION "200510220000Z"
DESCRIPTION "Initial version."
::= { ciscoMgmt 505 }
cpkiMIB MODULE-IDENTITY
LAST-UPDATED "200510220000Z"
ORGANIZATION "Cisco Systems, Inc."
CONTACT-INFO
"Cisco Systems Network Management Technology Group
Postal: 170 W Tasman Drive San Jose, CA 95134 USA
Tel: +1 800 553-NETS
E-mail: [email protected]"
DESCRIPTION
"A networking device may provide several security services and protocols like SSL, SSH, IPSec/IKE etc. which need identities in the form of X509 certificates. The device uses these certificates (called identity certificates) to authenticate itself to various clients communicating with the device using these protocols and also to provide other protection for the communication like confidentiality, integrity and non-repudiation. In addition, the device may need to authenticate the clients which involves, among other things, verifying the certificates presented by the clients (peer certificates) during the protocol exchanges. The certificate verification, in turn, involves the certificate revocation status checking and the certificate signature verification.

This MIB applies to the public key infrastructure (PKI) participation feature which enables a networking device to participate in one or more PKI services (also called Certificate Authorities) enabling it to obtain one or more X509 identity certificates for its own use as well as to verify peer certificates.

This MIB organizes the various certificates, key-pairs and Certificate Authority related information into the tables: the trustpoint table for certificate and CA information and a key-pair table for the key-pair information for each type of key-pair such as RSA, DSA etc. An entry in the trustpoint table corresponds to a trusted CA for obtaining an identity certificate from and also for verifying the peer certificates issued by that CA. The entry contains information about the CA certificate, the identity certificate - if obtained - from the CA, the corresponding key-pair from a key-pair table (for which the identity certificate was obtained) and the information needed for revocation checking of certificates issued by the CA. For each type (RSA, DSA etc.) of key-pair supported by the device, a key-pair table is present and contains an entry for each key-pair of that type present in the device. This allows future expansion of the MIB to support additional key-pair types (currently only RSA key-pair is supported). As seen above, a key-pair entry from a key-pair table can be associated to an entry in the trustpoint table. A key-pair entry can be associated to multiple trustpoint table entries but not vice versa.

This MIB supports the certificate work-flow operations, generally used for generating the key-pairs and obtaining the certificates for them from various CAs. The following are the steps in one typical work-flow:
1. Create a trustpoint (an entry in trustpoint table) in the device.
2. Authenticate a CA (this involves manually verifying the CA certificate/chain fingerprints and then inputting the CA certificate/chain into the trustpoint).
3. Generate a key-pair (an entry in key-pair table).
4. Associate the key-pair to the trustpoint.
5. Generate a pkcs#10 Certificate Signing Request (CSR) in the trustpoint.
7. Submit CSR to the CA and get the identity certificate.
9. Input the identity certificate into the trustpoint.

In another typical certificate work-flow, the key-pair and the corresponding identity certificate are allowed to be generated/obtained outside the device by whatever means and then input to the device in the pkcs#12 form.

This MIB does not support the configuration of individual security services like SSL, SSH, IPsec/IKE etc. to use particular trustpoints or certificates and key-pairs in them. Instead the security services certificate usage configuration is supported in the respective feature MIBs.

Glossary of the terms used in this MIB:
key-pair - A pair of public-key cryptographic keys in which one is public and the other private.
RSA key-pair - A key-pair belonging to the RSA public-key cryptography algorithm.
Certificate Authority (CA) - A service which issues X509 certificates to certify the identity (name) and public-key of end entities.
X509 - A standard for certificates and CRLs. Reference: RFC 2459.
CA certificate - The self-signed certificate of a CA certifying its own identity and public-key.
CA certificate chain - If a CA is certified by another CA which, in turn, was certified by a third CA and so on, ending in a CA which is self-certified, the original CA is said to be a subordinate CA and its CA certificate is a chain which is the set of CA certificates of all CAs involved.
Identity certificate - The certificate of a device issued by a CA in which the device identity and public-key are certified.
Trustpoint - The various information about a CA (including its CA certificate/chain), which the device wants to trust so that it can use it to enroll with the CA to get an identity certificate and/or use it to verify the peer certificates issued by the CA.
Certificate fingerprint - The digest of a certificate computed using MD5 or SHA hash algorithm.
CA authentication - The process of configuring the CA certificate/chain for a trustpoint. The process involves calculating the fingerprints of the CA certificates and verifying them against the same already published by the CAs.
Enrollment - The process of creating a Certificate Signing Request in a trustpoint, submitting it to corresponding CA, getting back the identity certificate and inputting it into the trustpoint.
Certificate verification - The process of verifying the signature on a certificate to see if it was really signed by the CA who issued it. This verification process uses the CA certificate/chain. The certificate verification also involves verifying the validity of certificate with respect to current time by checking against the validity interval given in the certificate and the revocation status of the certificate as maintained by the CA.
Certificate Signing Request (CSR) - A request to a CA for signing a certificate of an entity. The request contains the public key, the name and other attributes of the entity.
pkcs#10 - A standard syntax for the CSR. Reference: RFC 2986.
pkcs#12 - A standard for exporting and importing a certificate along with associated key-pair and CA certificate/chain. Reference: PKCS #12 v1.0: Personal Information Exchange Syntax Standard, RSA Laboratories, June 24, 1999
CRL - Certificate Revocation List, a list of certificates that are revoked, as maintained by a CA.
OCSP - Online Certificate Status Protocol, a protocol for online checking of the revocation status of certificates.
PEM format - A printable text encoding format for certificates, key-pairs and CRLs, as employed by the Privacy Enhanced Mail standard. Reference: RFCs 1421-1424."
REVISION "200510220000Z"
DESCRIPTION "Initial version."
::= { ciscoMgmt 505 }
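The CA authentication step described in the work-flow and glossary (calculate the fingerprints of the CA certificate/chain, then verify them against the values the CA published) can be sketched as below. This is an added example, not part of the MIB or of any Cisco code; the function names, the constructed sample certificate bytes and the SHA-256 default are assumptions.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def to_pem(der):
    """Wrap DER bytes in PEM armor (base64 body, 76-column lines)."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed stand-in for a CA certificate: arbitrary bytes, not a parseable
# X.509 structure. A fingerprint is a digest over the encoded certificate, so
# the check behaves the same way on a real one.
SAMPLE_DER = b"constructed-sample-ca-certificate-der-bytes" * 4
SAMPLE_PEM = to_pem(SAMPLE_DER)


def pem_chain_to_der(pem_text):
    """Return the DER bytes of every certificate in a PEM bundle, in order."""
    ders = [
        base64.b64decode("".join(body.split()), validate=True)
        for body in PEM_RE.findall(pem_text)
    ]
    if not ders:
        raise ValueError("no PEM certificate found")
    return ders


def fingerprint(der, algorithm="sha256"):
    """Digest of the encoded certificate as colon-separated upper-case hex.

    The glossary allows MD5 or SHA; SHA-256 is the default chosen here because
    MD5 is no longer collision-resistant.
    """
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp):
    """Drop separators, whitespace and case so differently formatted values compare."""
    cleaned = re.sub(r"[\s:.-]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError("fingerprint is not hexadecimal")
    return cleaned


def authenticate_ca(pem_text, published, algorithm="sha256"):
    """Accept a CA certificate/chain only if every certificate matches.

    published: fingerprints obtained out of band from the CA, one per
    certificate, in the same order as the PEM bundle.
    """
    ders = pem_chain_to_der(pem_text)
    if len(ders) != len(published):
        return False  # a missing or extra chain member is a failure
    ok = True
    for der, expected in zip(ders, published):
        actual = normalize(fingerprint(der, algorithm))
        # Check every member; one mismatch rejects the whole chain.
        ok &= hmac.compare_digest(actual, normalize(expected))
    return ok
```

Only when `authenticate_ca` returns True should the CA certificate/chain be input into the trustpoint; a digest-length mismatch (for example a published SHA-1 value checked against a SHA-256 computation) is rejected like any other mismatch.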
OID | Name | Sub children | Sub Nodes Total | Description |
---|---|---|---|---|
1.3.6.1.4.1.9.9.505.0 | cpkiMIBNotifs | 0 | 0 | None |
1.3.6.1.4.1.9.9.505.1 | cpkiMIBObjects | 1 | 37 | None |
1.3.6.1.4.1.9.9.505.2 | cpkiMIBConform | 2 | 4 | None |
Too many siblings! Only the 100 nearest siblings are shown.
OID | Name | Sub children | Sub Nodes Total | Description |
---|---|---|---|---|
... | | | | |
1.3.6.1.4.1.9.9.455 | ciscoImageTc | 0 | 0 | This MIB module defines the textual conventions used in the enhanced image MIB. Glossary: Base Image Essential part of the operatin… |
1.3.6.1.4.1.9.9.456 | ciscoDot11WidsMIB | 3 | 50 | This MIB is intended to be implemented on the following IOS based network entities for the purpose of providing network managemen… |
1.3.6.1.4.1.9.9.457 | ciscoWdsIdsMIB | 2 | 18 | This MIB is intended to be implemented on all IOS based network entities that provide Wireless Domain Services, for the purpose o… |
1.3.6.1.4.1.9.9.458 | ciscoApplianceRedundancyMIB | 3 | 47 | This mib defines the SNMP objects to report the status of High Availability (HA) functionality in Cisco network management applia… |
1.3.6.1.4.1.9.9.459 | ciscoBitsClockMIB | 3 | 21 | This MIB provides information on Building Integrated Timing Supply(BITS) clocking sources and modes of operations. It is used to… |
1.3.6.1.4.1.9.9.460 | ciscoTpcMIB | 3 | 24 | The MIB module for Third Party Copy(TPC): Third Party Copy derives its name from the fact that there are three entities involved … |
1.3.6.1.4.1.9.9.461 | ciscoEtherCfmMIB | 3 | 39 | This MIB module defines the managed objects and notifications for Ethernet Connectivity Fault Management (CFM). CFM is an end-to-e… |
1.3.6.1.4.1.9.9.463 | ciscoSanTapMIB | 3 | 30 | MIB module to provide information about the SanTap service configuration. SanTap is a fibre channel switch based capability that p… |
1.3.6.1.4.1.9.9.466 | ciscoEthernetAccessMIB | 2 | 20 | The tables defined by this MIB module contain a collection of managed objects that are general in nature and apply to an edge dev… |
1.3.6.1.4.1.9.9.467 | ciscoCryptoAcceleratorMIB | 3 | 107 | The MIB module for monitoring the identity, status, activity and faults of crypto accelerator (CA) modules used in devices implem… |
1.3.6.1.4.1.9.9.468 | ciscoContextMappingMIB | 2 | 35 | A single SNMP agent sometimes needs to support multiple instances of the same MIB module, and does so through the use of multiple… |
1.3.6.1.4.1.9.9.470 | ciscoEnhancedSlbMIB | 3 | 106 | The MIB for managing Server Load Balancing Manager(s), and products supporting Server Load Balancing(SLB) features. This MIB exten… |
1.3.6.1.4.1.9.9.471 | ciscoFlexLinksMIB | 3 | 36 | This MIB module is for configuration and status query of Flex Links feature on the Cisco device. Flex Links are a pair of Layer 2… |
1.3.6.1.4.1.9.9.472 | ciscoModuleVirtualizationMIB | 3 | 35 | This MIB provides a way to create virtual contexts, and managing them. A virtual context is logical partition of a physical devi… |
1.3.6.1.4.1.9.9.473 | ciscoCcaMIB | 3 | 200 | The Cisco Contact Center Applications (CCCA) Management Information Base (MIB) module defines management instrumentation for appl… |
1.3.6.1.4.1.9.9.474 | ciscoFilterGroupMIB | 3 | 55 | The MIB module is for creating and configuring object groups to support packet filtering and access control on IP and other proto… |
1.3.6.1.4.1.9.9.479 | ciscoCableWidebandMIB | 3 | 77 | This is the MIB module for the support of Channel Bonding Protocol for the Cable Modem Termination System (CMTS). Wideband DOCSIS… |
1.3.6.1.4.1.9.9.480 | ciscoL4L7moduleResourceLimitMIB | 4 | 100 | The MIB module for managing resource classes and configuring limits(max/min) to different resources. The resource referenced in … |
1.3.6.1.4.1.9.9.482 | ciscoInterfaceTopNExtMIB | 3 | 16 | This MIB module is an extension to INTERFACETOPN-MIB. It provides additional management information for sorting device interfaces. |
1.3.6.1.4.1.9.9.483 | ciscoIpRanBackHaulMIB | 3 | 248 | This MIB provides information on the IP-RAN traffic from cell site to aggregation site in the following situations. In an GSM en… |
1.3.6.1.4.1.9.9.484 | ciscoNacNadMIB | 3 | 157 | This MIB module is for the configuration of a Network Access Device (NAD) on the Cisco Network Admission Control (NAC) system. End… |
1.3.6.1.4.1.9.9.485 | ciscoRttMonTCMIB | 0 | 0 | This MIB contains textual conventions used by CISCO-RTTMON-MIB, CISCO-RTTMON-RTP-MIB and CISCO-RTTMON-ICMP-MIB, but they are not … |
1.3.6.1.4.1.9.9.486 | ciscoRttMonIcmpMIB | 3 | 7 | An extension to the CISCO-RTTMON-MIB for ICMP operations. The ICMP Jitter operation provides capability to measure metrics such a… |
1.3.6.1.4.1.9.9.487 | ciscoRttMonRtpMIB | 3 | 8 | An extension to the CISCO-RTTMON-MIB for Cisco IP SLA RTP operation, Real-Time Transport Protocol(RFC 1889). This operation provi… |
1.3.6.1.4.1.9.9.488 | ciscoFirewallTc | 0 | 0 | This MIB module defines textual conventions that are commonly used in modeling management information pertaining to configuration… |
1.3.6.1.4.1.9.9.490 | ciscoNetintMIB | 3 | 11 | This MIB module is for Network Interrupt information on Cisco device. |
1.3.6.1.4.1.9.9.491 | ciscoUnifiedFirewallMIB | 3 | 235 | Overview of Cisco Firewall MIB ============================== This MIB Module models status and performance statistics pertaining … |
1.3.6.1.4.1.9.9.492 | ciscoCefMIB | 3 | 192 | Cisco Express Forwarding (CEF) describes a high speed switching mechanism that a router uses to forward packets from the inbound … |
1.3.6.1.4.1.9.9.493 | ciscoCefTextualConventions | 0 | 0 | ciscoCeftextualConventions |
1.3.6.1.4.1.9.9.494 | ciscoEntityRedunTcMIB | 0 | 0 | This module defines the textual conventions used within Cisco Entity Redundancy MIBs. |
1.3.6.1.4.1.9.9.495 | ciscoPsdClientMIB | 3 | 44 | This MIB module manages the client side functionality of the Persistent Storage Device(PSD). This MIB instrumentation is for conf… |
1.3.6.1.4.1.9.9.497 | cGgsnSAMIB | 3 | 247 | This MIB module manages the service-aware feature of Gateway GPRS Support Node (GGSN). This MIB is an enhancement of the CISCO-GG… |
1.3.6.1.4.1.9.9.498 | ciscoEntityRedunMIB | 3 | 93 | This management information module supports configuration, control and monitoring of redundancy protection for various kinds of c… |
1.3.6.1.4.1.9.9.500 | ciscoStackWiseMIB | 3 | 111 | This MIB module contain a collection of managed objects that apply to network devices supporting the Cisco StackWise(TM) technolo… |
1.3.6.1.4.1.9.9.504 | ciscoSwitchMulticastMIB | 3 | 108 | This MIB module defines management objects for the Multicast Switching features on Cisco Layer 2/3 devices. Definition of some of … |
1.3.6.1.4.1.9.9.507 | ciscoPolicyGroupMIB | 3 | 35 | The MIB module is for configuration of policy and policy group. A policy group can be described as a set of entities identified b… |
1.3.6.1.4.1.9.9.508 | ciscoSlbHealthMonMIB | 3 | 62 | An extension to the CISCO-SLB-EXT-MIB for SLB health monitoring probes. SLB: Server Load Balancing. Server load balancing provides… |
1.3.6.1.4.1.9.9.509 | ciscoWdsInfoMIB | 3 | 141 | This MIB is intended to be implemented on all Cisco network entities that provide Wireless Domain Services (WDS). The WDS provide… |
1.3.6.1.4.1.9.9.510 | ciscoErmMIB, ciscoVoiceLmrMIB | 3 | 176 | This MIB module provides management of voice tone signal as static injected tone for Land Mobile Radio The tone signal includes … |
1.3.6.1.4.1.9.9.511 | ciscoCbpTargetTCMIB | 0 | 0 | This MIB module defines Textual Conventions for representing targets which have class based policy mappings. A target can be any … |
1.3.6.1.4.1.9.9.512 | ciscoLwappWlanMIB | 3 | 249 | This MIB is intended to be implemented on all those devices operating as Central Controllers (CC) that terminate the Light Weigh… |
1.3.6.1.4.1.9.9.513 | ciscoLwappApMIB | 4 | 386 | This MIB is intended to be implemented on all those devices operating as Central Controllers (CC) that terminate the Light Weight… |
1.3.6.1.4.1.9.9.514 | ciscoLwappTextualConventions | 0 | 0 | This module defines textual conventions used throughout the Cisco enterprise MIBs designed for implementation on Central Controlle… |
1.3.6.1.4.1.9.9.515 | ciscoLwappWebAuthMIB | 4 | 43 | This MIB is intended to be implemented on all those devices operating as Central controllers, that terminate the Light Weight Acc… |
1.3.6.1.4.1.9.9.516 | ciscoLwappLinkTestMIB | 3 | 57 | This MIB is intended to be implemented on all those devices operating as Central controllers, that terminate the Light Weight Acc… |
1.3.6.1.4.1.9.9.517 | ciscoLwappReapMIB | 3 | 63 | This MIB is intended to be implemented on all those devices operating as Central Controllers (CC) that terminate the Light Weight… |
1.3.6.1.4.1.9.9.518 | ciscoLwappMfpMIB | 4 | 64 | This MIB is intended to be implemented on all those devices operating as Central Controllers (CC) that terminate the Light Weight… |
1.3.6.1.4.1.9.9.519 | ciscoLwappIdsMIB | 3 | 28 | This MIB is intended to be implemented on all those devices operating as Central Controllers (CC) that terminate the Light Weight… |
1.3.6.1.4.1.9.9.520 | ciscoLwappCcxRmMIB | 3 | 45 | This MIB is intended to be implemented on all those devices operating as Central controllers, that terminate the Light Weight Acc… |
1.3.6.1.4.1.9.9.521 | ciscoLwappWlanSecurityMIB | 3 | 51 | This MIB is intended to be implemented on all those devices operating as Central controllers, that terminate the Light Weight Acc… |
1.3.6.1.4.1.9.9.522 | ciscoLwappDot11ClientCalibMIB | 3 | 50 | This MIB is intended to be implemented on all those devices operating as Central controllers, that terminate the Light Weight Acc… |
1.3.6.1.4.1.9.9.523 | ciscoLwappClRoamMIB | 3 | 61 | This MIB is intended to be implemented on all those devices operating as Central controllers, that terminate the Light Weight Acc… |
1.3.6.1.4.1.9.9.524 | ciscoLwappQosMIB | 3 | 119 | This MIB is intended to be implemented on all those devices operating as Central controllers, that terminate the Light Weight Acc… |
1.3.6.1.4.1.9.9.525 | ciscoLwappTsmMIB | 3 | 57 | This MIB is intended to be implemented on all those devices operating as Central controllers, that terminate the Light Weight Acc… |
1.3.6.1.4.1.9.9.529 | ciscoItpMsuRatesMIB | 3 | 61 | This MIB provides information used to manage the number of MTP3 MSUs transmitted and received per processor. Many of the higher … |
1.3.6.1.4.1.9.9.530 | ciscoNacTcMIB | 0 | 0 | This module defines the textual conventions for Cisco Network Admission Control(NAC) system. The Cisco Network Admission Control … |
1.3.6.1.4.1.9.9.532 | ciscoNATExtMIB | 3 | 13 | This MIB is an extension to the NAT-MIB. This MIB module includes objects for providing the NAT related statistics. Acronyms: NAT… |
1.3.6.1.4.1.9.9.533 | ciscoCbpTargetMIB | 3 | 25 | This MIB module defines the managed objects for representing targets which have class-based policy mappings. A target can be any… |
1.3.6.1.4.1.9.9.543 | ciscoLicenseMgmtMIB | 3 | 131 | The MIB module for managing licenses on the system. The licensing mechanism provides flexibility to enforce licensing for various… |
1.3.6.1.4.1.9.9.548 | ciscoErrDisableMIB | 3 | 43 | This MIB module provides the ability for a Network Management Station (NMS) to configure and monitor the error-disable feature vi… |
... | | | | |