CISCO-PKI-PARTICIPATION-MIB - cpkiAction


cpkiAction

1.3.6.1.4.1.9.9.505.1.1.2.1.18

The PKI support action to be triggered for this trustpoint entry. The PKI support actions are steps in the certificate work-flow used to facilitate the configuration of the RSA key-pair, identity certificate and CA certificates in a trustpoint. A PKI support action is triggered by setting this object to the corresponding value as defined in TC CiscoPkiAction. The value of this object and the values of the objects cpkiActionUrl and cpkiActionPassword are interpreted and applied together as a single action trigger. All these actions operate over the trustpoint and modify appropriate columns in the entry. An attempt to set this object when the value of the object cpkiActionResult is 'inProgress' will result in an inconsistentValue error.

The work-flow nature of certificate operations requires that the trustpoint entry already exists. Some of the operations require that some other previous operations are already performed successfully, as seen below. The following is a brief description of each action's semantics, its parameters and the result:

'caauth' - This action is used to authenticate a CA and configure its CA certificate/chain in this trustpoint. This is generally the first step in a certificate work-flow. It requires the parameter objects cpkiActionUrl and cpkiActionPassword set with appropriate values. The CA certificate/chain being installed should be available in PEM format in a file on bootflash. The filename is specified as 'bootflash:' as the value of the object cpkiActionUrl. On successful completion of the operation, the CA certificate fingerprint will be available as the value of the object cpkiIssuerCertFingerPrint and the value of the object cpkiLastActionResult will be 'needConfirm'. This action is to be followed up with a subsequent 'certconfirm' or 'certnoconfirm' as explained later, to complete the CA authentication process.

'cadelete' - This action is used to delete the CA certificate/chain from this trustpoint. On successful completion of the operation, the values of all issuer certificate related objects (cpkiIssuerCertFileName etc.) in this trustpoint entry will become zero length strings. For this action to succeed, a CA certificate/chain should have been already configured through the 'caauth' action.

'certreq' - This action is used to generate a pkcs#10 certificate signing request (CSR) needed to obtain an identity certificate from the CA corresponding to this trustpoint entry. This entry should have a key-pair already associated (as indicated by a non-zero value of cpkiKeyPairIndex in the entry). Also the CA certificate/chain should have been already configured through the 'caauth' action. This action requires the parameter object cpkiActionPassword to be set with a password string which will be used as the 'challenge password' attribute in the CSR being created (the password being optional, it should be a zero length string if no password is being specified). On successful completion of the operation, the value of the object cpkiActionUrl will contain a file name string in the format 'bootflash:' which will contain the CSR generated in PEM format. This CSR has to be submitted to the CA to get the identity certificate. The process of submitting the CSR to the CA and getting the identity certificate is a step not supported by this MIB currently. Once the identity certificate is obtained, it has to be installed in this trustpoint with a subsequent 'certimport' action explained next.

'certimport' - This action is used to import in this trustpoint an identity certificate obtained from the corresponding CA for an earlier CSR generated (previous operation 'certreq'). It requires that the identity certificate being installed be available in PEM format in a file on bootflash. The filename is specified as 'bootflash:' as the value of the object cpkiActionUrl. On successful completion of the operation, the values of all identity certificate related objects (cpkiIdCertFileName etc.) in this entry will get filled with the appropriate strings as per the corresponding attributes in the identity certificate.

'certdelete' - This action is used to delete the identity certificate from this trustpoint. On successful completion of the operation, the values of all identity certificate related objects (cpkiIdCertFileName etc.) in this entry will become zero length strings.

'pkcs12import' - This action is used to import the key-pair, identity certificate and the CA certificate/chain in pkcs#12 format into this trustpoint. It requires that the file containing the import data be available on bootflash and that its filename be specified as 'bootflash:' as the value of the object cpkiActionUrl. It also requires the parameter object cpkiActionPassword to be set with a password string to be used for decoding the pkcs#12 data. On successful completion of the operation, an entry in the cpkiRSAKeyPairTable will be created corresponding to the imported key-pair and it will be named using the trustpoint name specified. Secondly, the values of all identity certificate related objects (cpkiIdCertFileName etc.) and the values of all issuer certificate related objects (cpkiIssuerCertFileName etc.) in this entry will get filled with the appropriate strings as per the corresponding attributes in the identity and CA certificates respectively.

'pkcs12export' - This action is used to export the key-pair, identity certificate and the CA certificate/chain in pkcs#12 format from this trustpoint. It requires that the filename to contain the exported data be specified as 'bootflash:' as the value of the object cpkiActionUrl. It also requires the parameter object cpkiActionPassword to be set with a password string to be used for encoding the pkcs#12 data. On successful completion of the operation, the exported data will be available on bootflash in the specified file.

'certconfirm' - This action is used to confirm as acceptable the certificate fingerprint for the action 'caauth' in this trustpoint. As mentioned earlier, the certificate fingerprint is available as the value of the object cpkiIssuerCertFingerPrint and the value of the object cpkiActionResult will be 'needConfirm' after a successful 'caauth' action on a trustpoint. On successful completion of the 'certconfirm' operation, values of all issuer certificate related objects (cpkiIssuerCertFileName etc.) in this entry get filled with the appropriate strings as per the attributes in the CA certificate.

'certnoconfirm' - This action is used to confirm as not acceptable the certificate fingerprint for the action 'caauth'. As mentioned earlier, the certificate fingerprint is available as the value of the object cpkiIssuerCertFingerPrint and the value of the object cpkiActionResult will be 'needConfirm' after a successful 'caauth' action on a trustpoint. On successful completion of the 'certnoconfirm' action subsequent to a 'caauth' action, the import pending CA certificate/chain will be rejected.

'forcecertdelete' - Same as 'certdelete' but the operation is forced even if the certificate being deleted is the last-most one.

'crlimport' - This action is used to import in this trustpoint the CRL obtained from the corresponding CA. It requires that the CRL being imported be available in PEM format in a file on bootflash. The filename is specified as 'bootflash:' as the value of the object cpkiActionUrl. On successful completion of the operation, the CRL will be installed in the trustpoint. For this action to succeed, a CA certificate/chain should have been already configured through the 'caauth' action.

'crldelete' - This action is used to delete the CRL from a trustpoint. This action does not require any parameters.

On successful completion of any of the above actions, the result object cpkiActionResult will have the value 'success'. On any error during the execution of the action, the object cpkiActionResult will be set with the value 'failed' and the object cpkiActionFailureReason will have the appropriate failure message string.

An attempt to set this object with a value other than 'certconfirm' or 'certnoconfirm', when the value of the object cpkiActionResult is 'needConfirm', will result in an inconsistentValue error. All actions are done on an existing entry; an action trigger is not allowed as part of row creation. Retrieving the value of this object via SNMP will always return 'noop'.

DEFVAL { noop }
::= { cpkiTrustPointEntry 18 }

SYNTAX SnmpAdminString
MAX-ACCESS read-create
STATUS current
DESCRIPTION The value of this object indicates the filename containing the input or output certificate data needed for the PKI support action being triggered on this entry. The filename should be specified as 'bootflash:' and it should be available on bootflash or get created on bootflash depending upon the action being triggered.
::= { cpkiTrustPointEntry 19 }

SYNTAX SnmpAdminString (SIZE (0..64))
MAX-ACCESS read-create
STATUS current
DESCRIPTION The value of this object indicates the password required to perform the PKI support action being triggered. This password is required to be specified only for 'certreq', 'importpkcs12' and 'exportpkcs12' actions. For security reasons, the value of this object, whenever it is retrieved by the management protocol, is always the zero length string.
DEFVAL { ''H }
::= { cpkiTrustPointEntry 20 }

SYNTAX CiscoPkiAction
MAX-ACCESS read-only
STATUS current
DESCRIPTION The PKI support action attempted last. In other words, the value attempted to be set for the cpkiAction object last. If no action has been triggered for the trustpoint after its creation, then retrieving the value of this object will return 'noop'.
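
The set-time rules in the cpkiAction description can be checked by a management script before it sends the SET. The following is an added example, not code from the MIB or from IPHost: `Trustpoint`, `preflight` and the sample filenames are hypothetical, and actions are referred to by name because the numeric values of CiscoPkiAction are not given on this page.

```python
from dataclasses import dataclass

# Rule sets transcribed from the cpkiAction DESCRIPTION (actions by name).
NEEDS_URL = {"caauth", "certimport", "pkcs12import", "pkcs12export", "crlimport"}
NEEDS_PASSWORD = {"caauth", "pkcs12import", "pkcs12export"}  # optional for certreq
NEEDS_CA = {"cadelete", "certreq", "crlimport"}
CONFIRM = {"certconfirm", "certnoconfirm"}
PREFIX = "bootflash:"


@dataclass
class Trustpoint:
    """Hypothetical snapshot of one trustpoint row, as read back over SNMP."""
    action_result: str = "success"  # cpkiActionResult
    key_pair_index: int = 0         # cpkiKeyPairIndex
    ca_configured: bool = False     # issuer certificate columns are non-empty


def preflight(tp, action, url="", password=""):
    """Return 'ok', or the reason this cpkiAction SET should not be sent."""
    # The two cases the description says the agent rejects outright.
    if tp.action_result == "inProgress":
        return "inconsistentValue: previous action is still inProgress"
    if tp.action_result == "needConfirm" and action not in CONFIRM:
        return "inconsistentValue: caauth awaits certconfirm/certnoconfirm"
    # Assumption: the page names no error for this, but nothing is pending.
    if action in CONFIRM and tp.action_result != "needConfirm":
        return "prerequisite: no caauth fingerprint is pending confirmation"
    if action in NEEDS_CA and not tp.ca_configured:
        return "prerequisite: CA certificate/chain not configured via caauth"
    if action == "certreq" and tp.key_pair_index == 0:
        return "prerequisite: no key-pair associated (cpkiKeyPairIndex is 0)"
    if action in NEEDS_URL and not (url.startswith(PREFIX) and url[len(PREFIX):]):
        return "parameter: cpkiActionUrl must name a file on bootflash"
    if action in NEEDS_PASSWORD and not password:
        return "parameter: cpkiActionPassword is required for this action"
    if len(password.encode("utf-8")) > 64:
        return "parameter: cpkiActionPassword exceeds SIZE (0..64)"
    return "ok"


if __name__ == "__main__":
    tp = Trustpoint()  # constructed state: fresh trustpoint, nothing configured
    print(preflight(tp, "certreq"))                                # blocked: no CA
    print(preflight(tp, "caauth", "bootflash:ca.pem", "example"))  # ok
    tp.action_result = "needConfirm"  # what the page says follows caauth
    print(preflight(tp, "certimport", "bootflash:id.pem"))         # blocked
    print(preflight(tp, "certconfirm"))                            # ok
```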
