CISCO-PKI-PARTICIPATION-MIB

A networking device may provide several security services
        and  protocols  like SSL, SSH, IPSec/IKE  etc. which  need
        identities  in the form of  X509 certificates. The  device
        uses these  certificates (called identity certificates) to
        authenticate itself to various  clients communicating with
        the device using these protocols and also to provide other
        protection  for  the  communication  like confidentiality,
        integrity and non-repudiation. In addition, the device may
        need to  authenticate the  clients  which involves,  among
        other things, verifying  the certificates presented by the
        clients (peer certificates) during the protocol exchanges.
        The  certificate   verification,  in  turn,  involves  the
        certificate revocation status checking and the certificate
        signature verification. This MIB applies to the public key
        infrastructure (PKI) participation feature which enables a
        networking  device  to  participate in  one  or  more  PKI
        services  (also called  Certificate Authorities)  enabling
        it to  obtain one or more  X509 identity certificates  for
        its own use as well as to verify peer certificates.
        
        This MIB organizes the various certificates, key-pairs and
        Certificate Authority related information into the tables:
        the trustpoint  table for  certificate and  CA information
        and a key-pair table for the key-pair information for each
        type of key-pair  such as RSA, DSA  etc. An  entry in  the
        trustpoint table corresponds to a trusted CA for obtaining
        an  identity  certificate from and also for  verifying the
        peer certificates  issued by  that CA. The entry  contains
        information   about  the   CA  certificate,  the  identity
        certificate - if obtained - from the CA, the corresponding
        key-pair  from  a key-pair table   (for which the identity
        certificate was obtained) and the  information needed  for
        revocation checking of certitifates issued by  the CA.
        
        For each type (RSA, DSA etc.) of key-pair supported by the
        device, a key-pair table is present and contains an  entry
        for each key-pair of that type present in the device. This
        allows future expansion of the MIB  to support  additional
        key-pair types (currently only RSA key-pair is supported).
        
        As seen above, a key-pair entry from a key-pair table  can
        be associated to an entry in the trustpoint table. A  key-
        pair entry can be associated to multiple trustpoint  table
        entries but not vice versa.
        
        This MIB  supports  the certificate  work-flow operations,
        generally used for generating the key-pairs and  obtaining
        the certificates for them from various CAs. The  following
        are the steps in one typical work-flow:
        
        1. create a trustpoint  (an entry in  trustpoint table) in
           the device.
        2. Authenticate a CA (this involves manually verifying the
           CA certificate/chain fingerprints and then inputing the
           CA certificate/chain into the trustpoint).
        3. Generate a key-pair (an entry in key-pair table).
        4. Associate the key-pair to the trustpoint.
        5. Generate a pkcs#10 Certificate Signing Request (CSR) in
           the trustpoint.
        7. Submit CSR to the CA and get the identity certificate.
        9. Input the identity certificate into the trustpoint.
        
        In another typical certificate work-flow, the key-pair and
        the  corresponding  identity certificate are allowed to be
        generated/obtained  outside  the device by  whatever means
        and then input to the device in the pkcs#12 form.
        
        This MIB does  not support the configuration of individual
        security  services  like SSL, SSH, IPsec/IKE  etc. to  use
        particular trustpoints or  certificates  and key-pairs  in
        them. Instead  the  security  services  certificate  usage
        configuration is supported in the respective feature MIBs.
        
        
        Glossary of the terms used in this MIB:
         --------------------------------------
        key-pair -
           A pair of public-key cryptographic keys in which one is
           public and the other private.
        RSA key-pair - 
           A key-pair belonging to the RSA public-key cryptography
           algorithm.
        Certificate Authority (CA) -
           A service which issues X509 certificates to certify the
           identity (name) and public-key of end entities.
        X509 -
           A standard for certificates and CRLs.
           Reference: RFC 2459.
        CA certificate - 
           The self-signed certificate of a CA certifying its  own
           identity and public-key.
        CA certificate chain -
           If a CA is certified by another CA which,  in turn, was
           certified by a third CA and so on, ending in a CA which
           is  self-certified,  the  original  CA is  said to be a
           subordinate CA and its CA certificate is a chain  which
           is the set of CA certificates of all CAs involved.
        Identity certificate -
          The certificate of a device issued by a CA in  which the
          device identity and public-key are certified. 
        Trustpoint -
           The various  information  about a CA  (including its CA
           certificate/chain), which the device wants to trust  so
           that it  can use it  to enroll with  the CA to g et  an
           identity certificate and/or  use it to verify the  peer
           certificates issed by the CA.
        Certificate fingerptint -
           The digest of a  certificate computed using MD5 or SHA
           hash algorithm.
        CA authentication -
          The process of configuring  the CA certificate/chain for
          a  trustpoint. The  process  involves   calculating  the
          fingerprints of the CA  certificates  and verifying them
          against the same already published by the CAs.
        Enrollment -
          The process of creating a Certificate Signing Request in
          a trustpoint, submitting it to corresponding CA, getting
          back the identity certificate and  inputing it into  the
          trustpoint.
        Certificate verification -
          The process of verifying the signature on a  certificate
          to see if it was really  signed by the CA who issued it.
          This verification process uses the CA certificate/chain.
          The certificate verification also involves verifying the
          validity of certificate with respect to current  time by
          checking against the  validity  interval  given  in  the
          certificate and the revocation status of the certificate
          as maintained by the CA.
        Certificate Signing Request (CSR) -
          A request to a CA for signing a certificate of an entity.
          The request contains the public key, the name and  other
          attributes of the entity.
        pkcs#10 -
          A standard syntax for the CSR, Reference: RFC 2986.
        pkcs#12 -
          A standard  for  exporting  and  importing a certificate
          along with associated key-pair and CA certificate/chain.
          Reference: PKCS #12 v1.0: Personal Information Exchange
          Syntax Standard, RSA Laboratories, June 24, 1999
        CRL -
          Certificate Revocation List, a list of certificates that
          are revoked, as maintained by a CA.
        OCSP -
          Online Certificate Staus Protocol, a protocol for online
          checking of the revocation status of certificates.
        PEM format -
          A printable text encoding  format for  certificates,
          key-pairs and CRLs, as employed by the Privacy Enhanced
          Mail standard. Reference: RFCs 1421-1424.

Imported Objects

ciscoMgmtCISCO-SMI
SnmpAdminStringSNMP-FRAMEWORK-MIB
MODULE-COMPLIANCE, OBJECT-GROUPSNMPv2-CONF
MODULE-IDENTITY, OBJECT-TYPE, Unsigned32SNMPv2-SMI
TEXTUAL-CONVENTION, DateAndTime, TruthValue, StorageType, RowStatusSNMPv2-TC
cpkiMIB .1.3.6.1.4.1.9.9.505
cpkiMIBNotifs .1.3.6.1.4.1.9.9.505.0
cpkiMIBObjects .1.3.6.1.4.1.9.9.505.1
cpkiConfig .1.3.6.1.4.1.9.9.505.1.1
cpkiRSAKeyPairTable .1.3.6.1.4.1.9.9.505.1.1.1
cpkiRSAKeyPairEntry .1.3.6.1.4.1.9.9.505.1.1.1.1
cpkiRSAKeyPairName .1.3.6.1.4.1.9.9.505.1.1.1.1.1
cpkiRSAKeyPairId .1.3.6.1.4.1.9.9.505.1.1.1.1.2
cpkiRSAKeyPairSize .1.3.6.1.4.1.9.9.505.1.1.1.1.3
cpkiRSAPvtKeyFileName .1.3.6.1.4.1.9.9.505.1.1.1.1.4
cpkiRSAKeyPairExportable .1.3.6.1.4.1.9.9.505.1.1.1.1.5
cpkiRSAKeyPairStorageType .1.3.6.1.4.1.9.9.505.1.1.1.1.6
cpkiRSAKeyPairConfigRowStatus .1.3.6.1.4.1.9.9.505.1.1.1.1.7
cpkiTrustPointTable .1.3.6.1.4.1.9.9.505.1.1.2
cpkiTrustPointEntry .1.3.6.1.4.1.9.9.505.1.1.2.1
cpkiTrustPointName .1.3.6.1.4.1.9.9.505.1.1.2.1.1
cpkiIssuerCertFileName .1.3.6.1.4.1.9.9.505.1.1.2.1.10
cpkiIssuerCertSubjectName .1.3.6.1.4.1.9.9.505.1.1.2.1.11
cpkiIssuerCertSerialNum .1.3.6.1.4.1.9.9.505.1.1.2.1.12
cpkiIssuerCertStartDate .1.3.6.1.4.1.9.9.505.1.1.2.1.13
cpkiIssuerCertEndDate .1.3.6.1.4.1.9.9.505.1.1.2.1.14
cpkiIssuerCertFingerPrint .1.3.6.1.4.1.9.9.505.1.1.2.1.15
cpkiRevokeCheckMethods .1.3.6.1.4.1.9.9.505.1.1.2.1.16
cpkiOCSPurl .1.3.6.1.4.1.9.9.505.1.1.2.1.17
cpkiAction .1.3.6.1.4.1.9.9.505.1.1.2.1.18
cpkiActionUrl .1.3.6.1.4.1.9.9.505.1.1.2.1.19
cpkiTrustPointId .1.3.6.1.4.1.9.9.505.1.1.2.1.2
cpkiActionPassword .1.3.6.1.4.1.9.9.505.1.1.2.1.20
cpkiLastAction .1.3.6.1.4.1.9.9.505.1.1.2.1.21
cpkiLastActionResult .1.3.6.1.4.1.9.9.505.1.1.2.1.22
cpkiLastActionFailureReason .1.3.6.1.4.1.9.9.505.1.1.2.1.23
cpkiTrustPointStorageType .1.3.6.1.4.1.9.9.505.1.1.2.1.24
cpkiTrustPointConfigRowStatus .1.3.6.1.4.1.9.9.505.1.1.2.1.25
cpkiKeyPairName .1.3.6.1.4.1.9.9.505.1.1.2.1.3
cpkiIdCertFileName .1.3.6.1.4.1.9.9.505.1.1.2.1.4
cpkiIdCertSubjectName .1.3.6.1.4.1.9.9.505.1.1.2.1.5
cpkiIdCertSerialNum .1.3.6.1.4.1.9.9.505.1.1.2.1.6
cpkiIdCertStartDate .1.3.6.1.4.1.9.9.505.1.1.2.1.7
cpkiIdCertEndDate .1.3.6.1.4.1.9.9.505.1.1.2.1.8
cpkiIdCertFingerPrint .1.3.6.1.4.1.9.9.505.1.1.2.1.9
cpkiMIBConform .1.3.6.1.4.1.9.9.505.2
cpkiMIBCompliances .1.3.6.1.4.1.9.9.505.2.1
cpkiMIBGroups .1.3.6.1.4.1.9.9.505.2.2