cpkiAction
CISCO-PKI-PARTICIPATION-MIB · .1.3.6.1.4.1.9.9.505.1.1.2.1.18
Object · column · r/w · CiscoPkiAction
The PKI support action to be triggered for this trustpoint entry.

The PKI support actions are steps in the certificate work-flow used to facilitate the configuration of the RSA key-pair, identity certificate and CA certificates in a trustpoint. A PKI support action is triggered by setting this object to the corresponding value as defined in TC CiscoPkiAction. The value of this object and the values of the objects cpkiActionUrl and cpkiActionPassword are interpreted and applied together as a single action trigger. All these actions operate on the trustpoint and modify the appropriate columns in the entry.

An attempt to set this object when the value of the object cpkiActionResult is 'inProgress' will result in an inconsistentValue error.

The work-flow nature of certificate operations requires that the trustpoint entry already exists. Some operations also require that other operations have already completed successfully, as described below.

The following is a brief description of each action, its parameters and its result:

- 'caauth' - This action is used to authenticate a CA and configure its CA certificate/chain in this trustpoint. This is generally the first step in a certificate work-flow. It requires the parameter objects cpkiActionUrl and cpkiActionPassword to be set with appropriate values. The CA certificate/chain being installed should be available in PEM format in a file on bootflash. The filename is specified as 'bootflash:<filename>' as the value of the object cpkiActionUrl. On successful completion of the operation, the CA certificate fingerprint will be available as the value of the object cpkiIssuerCertFingerPrint and the value of the object cpkiLastActionResult will be 'needConfirm'. This action is to be followed up with a subsequent 'certconfirm' or 'certnoconfirm', as explained later, to complete the CA authentication process.
- 'cadelete' - This action is used to delete the CA certificate/chain from this trustpoint. On successful completion of the operation, the values of all issuer certificate related objects (cpkiIssuerCertFileName etc.) in this trustpoint entry will become zero length strings. For this action to succeed, a CA certificate/chain should already have been configured through the 'caauth' action.
- 'certreq' - This action is used to generate a PKCS#10 certificate signing request (CSR) needed to obtain an identity certificate from the CA corresponding to this trustpoint entry. This entry should already have a key-pair associated (as indicated by a non-zero value of cpkiKeyPairIndex in the entry). Also, the CA certificate/chain should already have been configured through the 'caauth' action. This action requires the parameter object cpkiActionPassword to be set with a password string which will be used as the 'challenge password' attribute in the CSR being created (the password being optional, it should be a zero length string if no password is being specified). On successful completion of the operation, the value of the object cpkiActionUrl will contain a file name string in the format 'bootflash:<filename>'; that file will contain the CSR generated in PEM format. This CSR has to be submitted to the CA to get the identity certificate. The process of submitting the CSR to the CA and getting the identity certificate is a step not currently supported by this MIB. Once the identity certificate is obtained, it has to be installed in this trustpoint with a subsequent 'certimport' action, explained next.
- 'certimport' - This action is used to import into this trustpoint an identity certificate obtained from the corresponding CA for an earlier generated CSR (previous operation 'certreq'). It requires that the identity certificate being installed be available in PEM format in a file on bootflash. The filename is specified as 'bootflash:<filename>' as the value of the object cpkiActionUrl. On successful completion of the operation, the values of all identity certificate related objects (cpkiIdCertFileName etc.) in this entry will be filled with the appropriate strings as per the corresponding attributes in the identity certificate.
- 'certdelete' - This action is used to delete the identity certificate from this trustpoint. On successful completion of the operation, the values of all identity certificate related objects (cpkiIdCertFileName etc.) in this entry will become zero length strings.
- 'pkcs12import' - This action is used to import the key-pair, identity certificate and the CA certificate/chain in PKCS#12 format into this trustpoint. It requires that the file containing the import data be available on bootflash and that its filename be specified as 'bootflash:<filename>' as the value of the object cpkiActionUrl. It also requires that the parameter object cpkiActionPassword be set with a password string to be used for decoding the PKCS#12 data. On successful completion of the operation, an entry in the cpkiRSAKeyPairTable will be created corresponding to the imported key-pair and it will be named using the trustpoint name specified. Secondly, the values of all identity certificate related objects (cpkiIdCertFileName etc.) and the values of all issuer certificate related objects (cpkiIssuerCertFileName etc.) in this entry will be filled with the appropriate strings as per the corresponding attributes in the identity and CA certificates respectively.
- 'pkcs12export' - This action is used to export the key-pair, identity certificate and the CA certificate/chain in PKCS#12 format from this trustpoint. It requires that the filename to contain the exported data be specified as 'bootflash:<filename>' as the value of the object cpkiActionUrl. It also requires that the parameter object cpkiActionPassword be set with a password string to be used for encoding the PKCS#12 data. On successful completion of the operation, the exported data will be available on bootflash in the specified file.
- 'certconfirm' - This action is used to confirm as acceptable the certificate fingerprint for the action 'caauth' in this trustpoint. As mentioned earlier, the certificate fingerprint is available as the value of the object cpkiIssuerCertFingerPrint and the value of the object cpkiActionResult will be 'needConfirm' after a successful 'caauth' action on a trustpoint. On successful completion of the 'certconfirm' operation, the values of all issuer certificate related objects (cpkiIssuerCertFileName etc.) in this entry are filled with the appropriate strings as per the attributes in the CA certificate.
- 'certnoconfirm' - This action is used to confirm as not acceptable the certificate fingerprint for the action 'caauth'. As mentioned earlier, the certificate fingerprint is available as the value of the object cpkiIssuerCertFingerPrint and the value of the object cpkiActionResult will be 'needConfirm' after a successful 'caauth' action on a trustpoint. On successful completion of the 'certnoconfirm' action subsequent to a 'caauth' action, the import-pending CA certificate/chain will be rejected.
- 'forcecertdelete' - Same as 'certdelete', but the operation is forced even if the certificate being deleted is the last one.
- 'crlimport' - This action is used to import into this trustpoint the CRL obtained from the corresponding CA. It requires that the CRL being imported be available in PEM format in a file on bootflash. The filename is specified as 'bootflash:<filename>' as the value of the object cpkiActionUrl. On successful completion of the operation, the CRL will be installed in the trustpoint. For this action to succeed, a CA certificate/chain should already have been configured through the 'caauth' action.
- 'crldelete' - This action is used to delete the CRL from a trustpoint. This action does not require any parameters.

On successful completion of any of the above actions, the result object cpkiActionResult will have the value 'success'. On any error during the execution of the action, the object cpkiActionResult will be set to the value 'failed' and the object cpkiActionFailureReason will contain the appropriate failure message string.

An attempt to set this object with a value other than 'certconfirm' or 'certnoconfirm', when the value of the object cpkiActionResult is 'needConfirm', will result in an inconsistentValue error.

All actions are performed on an existing entry; an action trigger is not allowed as part of row creation.

Retrieving the value of this object via SNMP will always return 'noop'.
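The action description above amounts to a small state machine: a trigger is rejected while a previous action is 'inProgress', only 'certconfirm'/'certnoconfirm' are accepted while a CA fingerprint awaits confirmation, and several actions have prerequisites (a CA chain installed via 'caauth', an associated key-pair, a 'bootflash:<filename>' URL, a password). The following Python model is an added example, not Cisco's agent code or any part of the MIB: it encodes those documented rules so that enrolment automation can check an action before issuing the SNMP set. The enumeration values and object names are taken from this page; the TrustPoint class, the helper functions and every sample value (file names, the fingerprint placeholder) are constructed for the example.

```python
"""Workflow model of the cpkiAction trigger rules from CISCO-PKI-PARTICIPATION-MIB.

Added illustration, not Cisco's code: it encodes the preconditions and the
result-state gating documented for cpkiAction. Object and enumeration names
come from the MIB; TrustPoint, the helpers and all sample values are constructed.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class CiscoPkiAction(IntEnum):
    """Enumeration values of TC CiscoPkiAction as listed on the page."""
    noop = 1
    caauth = 2
    cadelete = 3
    certreq = 4
    certimport = 5
    certdelete = 6
    pkcs12import = 7
    pkcs12export = 8
    certconfirm = 9
    certnoconfirm = 10
    forcecertdelete = 11
    crlimport = 12
    crldelete = 13


A = CiscoPkiAction
# Actions whose input or output file is named in cpkiActionUrl.
URL_ACTIONS = {A.caauth, A.certimport, A.pkcs12import, A.pkcs12export, A.crlimport}
# Actions that need cpkiActionPassword set (certreq accepts a zero-length string).
PASSWORD_ACTIONS = {A.caauth, A.certreq, A.pkcs12import, A.pkcs12export}
# Actions that need a CA certificate/chain already installed through 'caauth'.
NEEDS_CA = {A.cadelete, A.certreq, A.crlimport}


@dataclass
class TrustPoint:
    """Constructed subset of one cpkiTrustPointEntry row."""
    name: str
    last_action: CiscoPkiAction = A.noop    # cpkiLastAction
    last_action_result: str = "success"     # success | failed | inProgress | needConfirm
    issuer_cert_file: str = ""              # cpkiIssuerCertFileName; '' = no CA cert
    issuer_fingerprint: str = ""            # cpkiIssuerCertFingerPrint
    id_cert_file: str = ""                  # cpkiIdCertFileName; '' = no identity cert
    key_pair_index: int = 0                 # cpkiKeyPairIndex; 0 = no key-pair
    action_url: str = ""                    # cpkiActionUrl
    action_password: Optional[str] = None   # cpkiActionPassword; None = not set

    def read_action(self) -> CiscoPkiAction:
        """A GET on cpkiAction always returns 'noop'."""
        return A.noop


def validate(tp: TrustPoint, action: CiscoPkiAction) -> None:
    """Raise ValueError (the analogue of SNMP inconsistentValue) when the
    action may not be triggered on this entry in its current state."""
    r = tp.last_action_result
    if r == "inProgress":
        raise ValueError("inconsistentValue: previous action still in progress")
    if r == "needConfirm" and action not in (A.certconfirm, A.certnoconfirm):
        raise ValueError("inconsistentValue: CA fingerprint awaits certconfirm/certnoconfirm")
    if action in URL_ACTIONS and not tp.action_url.startswith("bootflash:"):
        raise ValueError("cpkiActionUrl must be of the form 'bootflash:<filename>'")
    if action in PASSWORD_ACTIONS and tp.action_password is None:
        raise ValueError(f"{action.name} requires cpkiActionPassword to be set")
    if action in NEEDS_CA and not tp.issuer_cert_file:
        raise ValueError(f"{action.name} requires a CA certificate installed via 'caauth'")
    if action == A.certreq and tp.key_pair_index == 0:
        raise ValueError("certreq requires an associated key-pair (cpkiKeyPairIndex != 0)")


def is_allowed(tp: TrustPoint, action: CiscoPkiAction) -> bool:
    """Pre-flight check an operator script can run before the SNMP set."""
    try:
        validate(tp, action)
        return True
    except ValueError:
        return False


def trigger(tp: TrustPoint, action: CiscoPkiAction) -> str:
    """Validate, then apply the documented effect of the action to the row and
    return the new result value. No files are read; file names and the
    fingerprint written here are constructed placeholders."""
    validate(tp, action)
    tp.last_action = action
    if action == A.caauth:
        tp.issuer_fingerprint = "PLACEHOLDER-CA-FINGERPRINT"  # would come from the PEM file
        tp.last_action_result = "needConfirm"                 # operator must confirm it
        return tp.last_action_result
    if action == A.certconfirm:
        tp.issuer_cert_file = "/constructed/ca-chain.pem"    # issuer columns get filled
    elif action == A.certnoconfirm:
        tp.issuer_fingerprint = ""                            # pending CA chain rejected
    elif action == A.cadelete:
        tp.issuer_cert_file = tp.issuer_fingerprint = ""
    elif action == A.certreq:
        tp.action_url = "bootflash:constructed-csr.pem"       # CSR file name returned here
    elif action in (A.certimport, A.pkcs12import):
        tp.id_cert_file = "/constructed/id-cert.pem"
        if action == A.pkcs12import:
            tp.issuer_cert_file = "/constructed/ca-chain.pem"
            tp.key_pair_index = 1                             # new cpkiRSAKeyPairTable entry
    elif action in (A.certdelete, A.forcecertdelete):
        tp.id_cert_file = ""
    tp.last_action_result = "success"
    return tp.last_action_result


def enrol_workflow() -> TrustPoint:
    """Run the documented caauth -> certconfirm -> certreq -> certimport sequence."""
    tp = TrustPoint("constructed-tp", key_pair_index=1)
    tp.action_url, tp.action_password = "bootflash:ca.pem", ""
    trigger(tp, A.caauth)        # -> needConfirm, fingerprint published
    trigger(tp, A.certconfirm)   # -> success, issuer columns filled
    trigger(tp, A.certreq)       # -> success, CSR file name in cpkiActionUrl
    tp.action_url = "bootflash:id.pem"
    trigger(tp, A.certimport)    # -> success, identity columns filled
    return tp
```

The model deliberately does the confirmation step as an explicit state: a monitoring script that sees 'needConfirm' on cpkiLastActionResult should compare cpkiIssuerCertFingerPrint against an out-of-band reference before issuing 'certconfirm', since that confirmation is what installs the CA chain the trustpoint will trust.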
Context
- MIB: CISCO-PKI-PARTICIPATION-MIB
- OID: .1.3.6.1.4.1.9.9.505.1.1.2.1.18
- Type: column
- Access: readwrite
- Status: current
- Parent: cpkiTrustPointEntry
- Table: cpkiTrustPointTable
- Siblings: 24
Syntax
- Source: CiscoPkiAction
- Base type: Enumeration
Values & Constraints

| Value | Name |
|---|---|
| 1 | noop |
| 2 | caauth |
| 3 | cadelete |
| 4 | certreq |
| 5 | certimport |
| 6 | certdelete |
| 7 | pkcs12import |
| 8 | pkcs12export |
| 9 | certconfirm |
| 10 | certnoconfirm |
| 11 | forcecertdelete |
| 12 | crlimport |
| 13 | crldelete |
Related Objects
Sibling Objects
| Object | Description | Type | Syntax | OID |
|---|---|---|---|---|
| cpkiTrustPointName | The unique name or label of a trustpoint. | column | OctetString | .1.3.6.1.4.1.9.9.505.1.1.2.1.1 |
| cpkiIssuerCertFileName | The name of the file storing the issuer certificate. It is a unix style '/' separated string representing the absolute path of the file in the file system of the device. If there … | column | OctetString | .1.3.6.1.4.1.9.9.505.1.1.2.1.10 |
| cpkiIssuerCertSubjectName | The issuer name (subject name in issuer certificate which will be the same as the issuer name in the identity certificate if present). If there is no certificate (a… | column | OctetString | .1.3.6.1.4.1.9.9.505.1.1.2.1.11 |
| cpkiIssuerCertSerialNum | The serial number of the issuer certificate. If there is no certificate (as indicated by a zero length string value of the object cpkiIssuerCertFileName), the value… | column | OctetString | .1.3.6.1.4.1.9.9.505.1.1.2.1.12 |
| cpkiIssuerCertStartDate | The time when the issuer certificate starts to be valid, corresponding to the notBefore field in the certificate. If there is no certificate (as indicated by a zero… | column | SNMPv2-TC::DateAndTime | .1.3.6.1.4.1.9.9.505.1.1.2.1.13 |
| cpkiIssuerCertEndDate | The time when the issuer certificate validity ends, corresponding to the notAfter field in the certificate. If there is no certificate (as indicated by a zero le… | column | SNMPv2-TC::DateAndTime | .1.3.6.1.4.1.9.9.505.1.1.2.1.14 |
| cpkiIssuerCertFingerPrint | The MD5 fingerprint of the issuer's certificate in HEX string format. If there is no certificate (as indicated by a zero length string value of cpkiIssuerCertFileNa… | column | OctetString | .1.3.6.1.4.1.9.9.505.1.1.2.1.15 |
| cpkiRevokeCheckMethods | Revocation checking methods list, which is an ordered list of certificate revocation checking methods to be employed while verifying peer certificates issued by the CA correspondin… | column | OctetString | .1.3.6.1.4.1.9.9.505.1.1.2.1.16 |
| cpkiOCSPurl | The contact http url of the external OCSP server for certificate revocation checking using the OCSP protocol. The default value of this object (after row creation) is … | column | OctetString | .1.3.6.1.4.1.9.9.505.1.1.2.1.17 |
| cpkiActionUrl | The value of this object indicates the filename containing the input or output certificate data needed for the PKI support action being triggered on this entry. The filename should… | column | SNMP-FRAMEWORK-MIB::SnmpAdminString | .1.3.6.1.4.1.9.9.505.1.1.2.1.19 |
| cpkiTrustPointId | A unique identification number of the trustpoint. This is included to support ordered lists of trustpoints when needed. One such scenario where such an ordered list may be needed is … | column | SNMPv2-SMI::Unsigned32 | .1.3.6.1.4.1.9.9.505.1.1.2.1.2 |
| cpkiActionPassword | The value of this object indicates the password required to perform the PKI support action being triggered. This password is required to be specified only for 'certreq', 'importpk… | column | OctetString | .1.3.6.1.4.1.9.9.505.1.1.2.1.20 |
| cpkiLastAction | The PKI support action attempted last. In other words, the value last attempted to be set for the cpkiAction object. If no action has been triggered for the trustpoint after its creati… | column | CiscoPkiAction | .1.3.6.1.4.1.9.9.505.1.1.2.1.21 |
| cpkiLastActionResult | The result of the execution of the last PKI support action (represented by the value of cpkiLastAction). When the value of this object is 'inProgress', an attempt to set the value… | column | CiscoPkiActionResult | .1.3.6.1.4.1.9.9.505.1.1.2.1.22 |
| cpkiLastActionFailureReason | The failure reason description for the failed execution of a PKI support action. If the object cpkiActionResult has the value 'failed', then this object contains the reason string a… | column | SNMP-FRAMEWORK-MIB::SnmpAdminString | .1.3.6.1.4.1.9.9.505.1.1.2.1.23 |
| cpkiTrustPointStorageType | The storage type for this conceptual row. | column | SNMPv2-TC::StorageType | .1.3.6.1.4.1.9.9.505.1.1.2.1.24 |
| cpkiTrustPointConfigRowStatus | The conceptual row status of the trustpoint entry. After row creation, the value of this object will become active(1) as there is no prerequisite of certain objects… | column | SNMPv2-TC::RowStatus | .1.3.6.1.4.1.9.9.505.1.1.2.1.25 |
| cpkiKeyPairName | The name of the associated key-pair from a key-pair table. If a key-pair is not yet associated, the value of this object will be a zero length string. If a key-pair… | column | OctetString | .1.3.6.1.4.1.9.9.505.1.1.2.1.3 |
| cpkiIdCertFileName | The name of the file storing the identity certificate. It is a unix style '/' separated string representing the absolute path of the file in the file system of the device. If ther… | column | OctetString | .1.3.6.1.4.1.9.9.505.1.1.2.1.4 |
| cpkiIdCertSubjectName | The subject name of the identity certificate. If there is no certificate (as indicated by a zero length string value of the object cpkiIdCertFileName) or no subject name in the ce… | column | OctetString | .1.3.6.1.4.1.9.9.505.1.1.2.1.5 |
| cpkiIdCertSerialNum | The serial number of the identity certificate. If there is no certificate (as indicated by a zero length string value of the object cpkiIdCertFileName), the value of this object… | column | OctetString | .1.3.6.1.4.1.9.9.505.1.1.2.1.6 |
| cpkiIdCertStartDate | The time when the identity certificate starts to be valid, corresponding to the notBefore field in the certificate. If there is no certificate (as indicated by a z… | column | SNMPv2-TC::DateAndTime | .1.3.6.1.4.1.9.9.505.1.1.2.1.7 |
| cpkiIdCertEndDate | The time when the identity certificate validity ends, corresponding to the notAfter field in the certificate. If there is no certificate (as indicated by the zero … | column | SNMPv2-TC::DateAndTime | .1.3.6.1.4.1.9.9.505.1.1.2.1.8 |
| cpkiIdCertFingerPrint | The MD5 fingerprint of the identity certificate in HEX string format. If there is no certificate (as indicated by a zero length string value of the object cpkiIdCer… | column | OctetString | .1.3.6.1.4.1.9.9.505.1.1.2.1.9 |