A networking device may provide several security services
and  protocols  like SSL, SSH, IPSec/IKE  etc. which  need
identities  in the form of  X509 certificates. The  device
uses these  certificates (called identity certificates) to
authenticate itself to various  clients communicating with
the device using these protocols and also to provide other
protection  for  the  communication  like confidentiality,
integrity and non-repudiation. In addition, the device may
need to  authenticate the  clients  which involves,  among
other things, verifying  the certificates presented by the
clients (peer certificates) during the protocol exchanges.
The  certificate   verification,  in  turn,  involves  the
certificate revocation status checking and the certificate
signature verification. This MIB applies to the public key
infrastructure (PKI) participation feature which enables a
networking  device  to  participate in  one  or  more  PKI
services  (also called  Certificate Authorities)  enabling
it to  obtain one or more  X509 identity certificates  for
its own use as well as to verify peer certificates.

This MIB organizes the various certificates, key-pairs and
Certificate Authority related information into the tables:
the trustpoint  table for  certificate and  CA information
and a key-pair table for the key-pair information for each
type of key-pair  such as RSA, DSA  etc. An  entry in  the
trustpoint table corresponds to a trusted CA for obtaining
an  identity  certificate from and also for  verifying the
peer certificates  issued by  that CA. The entry  contains
information   about  the   CA  certificate,  the  identity
certificate - if obtained - from the CA, the corresponding
key-pair  from  a key-pair table   (for which the identity
certificate was obtained) and the  information needed  for
revocation checking of certificates issued by the CA.

For each type (RSA, DSA etc.) of key-pair supported by the
device, a key-pair table is present and contains an  entry
for each key-pair of that type present in the device. This
allows future expansion of the MIB  to support  additional
key-pair types (currently only RSA key-pair is supported).

As seen above, a key-pair entry from a key-pair table  can
be associated with an entry in the trustpoint table.  A key-
pair entry can be associated with multiple trustpoint  table
entries, but a trustpoint entry refers to at most one key-pair.

This MIB  supports  the certificate  work-flow operations,
generally used for generating the key-pairs and  obtaining
the certificates for them from various CAs. The  following
are the steps in one typical work-flow:

1. create a trustpoint  (an entry in  trustpoint table) in
   the device.
2. Authenticate a CA (this involves manually verifying the
   CA certificate/chain fingerprints and then inputting the
   CA certificate/chain into the trustpoint).
3. Generate a key-pair (an entry in key-pair table).
4. Associate the key-pair to the trustpoint.
5. Generate a pkcs#10 Certificate Signing Request (CSR) in
   the trustpoint.
6. Submit CSR to the CA and get the identity certificate.
7. Input the identity certificate into the trustpoint.

In another typical certificate work-flow, the key-pair and
the  corresponding  identity certificate are allowed to be
generated/obtained  outside  the device by  whatever means
and then input to the device in the pkcs#12 form.
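The enrollment work-flow above and the pkcs#12 alternative, emulated with the openssl CLI as an added example (not part of the MIB). The CA is constructed locally; the trustpoint name tp1, the subject name device.example.net and the export password are assumed for illustration only.

```shell
# Added example, not from the MIB: trustpoint enrollment work-flow with openssl.
# The CA is constructed here; in practice its fingerprint is published
# out-of-band and compared against ca_fingerprint before the chain is trusted.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed self-signed CA standing in for the external Certificate Authority.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -subj "/CN=Constructed Example CA" -days 365 -out "$WORK/ca.pem" 2>/dev/null

# CA authentication: the value an operator checks against the fingerprint
# the CA published (the MIB exposes it as cpkiIssuerCertFingerPrint).
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Key-pair generation plus a pkcs#10 CSR for the trustpoint.
# $1 = trustpoint name (file prefix), $2 = device identity (subject CN)
make_keypair_and_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/$1.key" 2>/dev/null
    openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/$1.csr"
}

# The CA's side of the "submit CSR" step: sign it into an identity certificate.
ca_issue() {
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -out "$WORK/$1.pem" 2>/dev/null
}

# Certificate verification as in the glossary: signature against the CA chain
# and validity interval. Revocation checking (CRL/OCSP) is not shown here.
verify_cert() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1 \
        && echo OK || echo FAIL
}

# Alternative work-flow: key-pair, identity certificate and CA chain bundled
# as pkcs#12 for import into the device.
export_pkcs12() {
    openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.pem" \
        -certfile "$WORK/ca.pem" -passout pass:changeit -out "$WORK/$1.p12"
    [ -s "$WORK/$1.p12" ] && echo OK || echo FAIL
}

echo "CA fingerprint: $(ca_fingerprint "$WORK/ca.pem")"
make_keypair_and_csr tp1 device.example.net
ca_issue tp1
echo "identity certificate verification: $(verify_cert tp1)"
```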

This MIB does  not support the configuration of individual
security  services  like SSL, SSH, IPsec/IKE  etc. to  use
particular trustpoints or  certificates  and key-pairs  in
them. Instead  the  security  services  certificate  usage
configuration is supported in the respective feature MIBs.

Glossary of the terms used in this MIB:
key-pair -
   A pair of public-key cryptographic keys in which one is
   public and the other private.
RSA key-pair -
   A key-pair belonging to the RSA public-key cryptosystem.
Certificate Authority (CA) -
   A service which issues X509 certificates to certify the
   identity (name) and public-key of end entities.
X509 -
   A standard for certificates and CRLs.
   Reference: RFC 2459.
CA certificate - 
   The self-signed certificate of a CA certifying its  own
   identity and public-key.
CA certificate chain -
   If a CA is certified by another CA which,  in turn, was
   certified by a third CA and so on, ending in a CA which
   is  self-certified,  the  original  CA is  said to be a
   subordinate CA and its CA certificate is a chain  which
   is the set of CA certificates of all CAs involved.
Identity certificate -
  The certificate of a device issued by a CA in  which the
  device identity and public-key are certified. 
Trustpoint -
   The various  information  about a CA  (including its CA
   certificate/chain), which the device wants to trust  so
   that it  can use it  to enroll with  the CA to get  an
   identity certificate and/or  use it to verify the  peer
   certificates issued by the CA.
Certificate fingerprint -
   The digest of a  certificate computed using the MD5 or SHA
   hash algorithm.
CA authentication -
  The process of configuring  the CA certificate/chain for
  a  trustpoint. The  process  involves   calculating  the
  fingerprints of the CA  certificates  and verifying them
  against the same already published by the CAs.
Enrollment -
  The process of creating a Certificate Signing Request in
  a trustpoint, submitting it to corresponding CA, getting
  back the identity certificate and  inputting it into  the
Certificate verification -
  The process of verifying the signature on a  certificate
  to see if it was really  signed by the CA who issued it.
  This verification process uses the CA certificate/chain.
  The certificate verification also involves verifying the
  validity of certificate with respect to current  time by
  checking against the  validity  interval  given  in  the
  certificate and the revocation status of the certificate
  as maintained by the CA.
Certificate Signing Request (CSR) -
  A request to a CA for signing a certificate of an entity.
  The request contains the public key, the name and  other
  attributes of the entity.
pkcs#10 -
  A standard syntax for the CSR, Reference: RFC 2986.
pkcs#12 -
  A standard  for  exporting  and  importing a certificate
  along with associated key-pair and CA certificate/chain.
  Reference: PKCS #12 v1.0: Personal Information Exchange
  Syntax Standard, RSA Laboratories, June 24, 1999
CRL -
  Certificate Revocation List, a list of certificates that
  are revoked, as maintained by a CA.
OCSP -
  Online Certificate Status Protocol, a protocol for online
  checking of the revocation status of certificates.
PEM format -
  A printable text encoding  format for  certificates,
  key-pairs and CRLs, as employed by the Privacy Enhanced
  Mail standard. Reference: RFCs 1421-1424.

Imported Objects

TEXTUAL-CONVENTION, DateAndTime, TruthValue, StorageType, RowStatus FROM SNMPv2-TC

cpkiMIBNotifs
cpkiMIBObjects
cpkiConfig
cpkiRSAKeyPairTable
cpkiRSAKeyPairEntry
cpkiRSAKeyPairName
cpkiRSAKeyPairId
cpkiRSAKeyPairSize
cpkiRSAPvtKeyFileName
cpkiRSAKeyPairExportable
cpkiRSAKeyPairStorageType
cpkiRSAKeyPairConfigRowStatus
cpkiTrustPointTable
cpkiTrustPointEntry
cpkiTrustPointName
cpkiIssuerCertFileName
cpkiIssuerCertSubjectName
cpkiIssuerCertSerialNum
cpkiIssuerCertStartDate
cpkiIssuerCertEndDate
cpkiIssuerCertFingerPrint
cpkiRevokeCheckMethods
cpkiOCSPurl
cpkiAction
cpkiActionUrl
cpkiTrustPointId
cpkiActionPassword
cpkiLastAction
cpkiLastActionResult
cpkiLastActionFailureReason
cpkiTrustPointStorageType
cpkiTrustPointConfigRowStatus
cpkiKeyPairName
cpkiIdCertFileName
cpkiIdCertSubjectName
cpkiIdCertSerialNum
cpkiIdCertStartDate
cpkiIdCertEndDate
cpkiIdCertFingerPrint
cpkiMIBConform
cpkiMIBCompliances
cpkiMIBGroups