1.9.3. Certificates
An X.509 certificate is a digital document that securely associates cryptographic key pairs with identities such as individuals, organizations, machines or services. It is used by public key infrastructures (PKI) to verify that a public key belongs to the identity contained within the certificate.
An X.509 certificate contains information about the identity to which the certificate is issued and the identity that issued it. Common fields included in an X.509 certificate are:
- Version: the X.509 version that applies to the certificate.
- Serial Number: a serial number that distinguishes a certificate from other certificates.
- Algorithm information: the algorithm used by the issuer to sign the certificate.
- Issuer Distinguished Name: the name of the entity issuing the certificate.
- Validity: period in which the certificate can be trusted (start/end date).
- Subject Distinguished Name: the name of the identity the certificate is issued to.
- Subject Public Key Information: the public key associated with the identity.
- Extensions (optional): other useful fields such as Subject Alternative Name(s) and Key Usage.
The following sections explain the operations supported for managing certificates in the 6WINDGate local database using nc-cli commands.
Import a Certificate
Use the command cmd certificate import name <cert-name> url <remote-url> to import a root CA or
an intermediate CA into the local database. As an example, we use this command
to import two CAs named rootca and 6WIND:
vsr running config# cmd certificate import name rootca url http://10.16.0.190:8999/rootca.pem
OK.
The same command can also import a user certificate user01 together with its private key:
vsr running config# cmd certificate import name user01 url http://10.16.0.190:8999/user01_cert.pem private-key-url http://10.16.0.190:8999/user01_key.pem
OK.
Use the show certificate list command to show the imported certificates:
vsr running config# show certificate list
6WIND
rootca
user01
user02
See also
The Import certificate command reference for details.
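The imports above fetch the CA certificate from an http:// URL, so it is worth comparing the file's SHA-256 fingerprint with a value obtained out of band, in the same format as the Fingerprint (SHA-256) line printed by show certificate name. This is an added example, not 6WIND code; the function names, the sample bytes and the pinned value are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# Matches each certificate block in a PEM file or bundle.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL)

def sha256_fingerprints(pem_text):
    """Return the SHA-256 fingerprint of every certificate in pem_text,
    formatted as uppercase hex bytes separated by colons."""
    prints = []
    for body in PEM_CERT.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:  # a certificate is a DER SEQUENCE
            raise ValueError("block is not DER-encoded")
        digest = hashlib.sha256(der).hexdigest().upper()
        prints.append(":".join(digest[i:i + 2] for i in range(0, 64, 2)))
    if not prints:
        raise ValueError("no CERTIFICATE block found")
    return prints

def normalise(fp):
    """Drop separators and case so pins copied from different tools compare."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()

def matches_pin(pem_text, pinned):
    """True only if the file holds exactly one certificate and its
    fingerprint equals the pinned value obtained out of band."""
    found = sha256_fingerprints(pem_text)
    return len(found) == 1 and hmac.compare_digest(
        normalise(found[0]), normalise(pinned))

def make_pem(der):
    """Wrap DER bytes in PEM armour (used to build the constructed sample)."""
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"

# Constructed sample: placeholder bytes standing in for a real DER certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = make_pem(SAMPLE_DER)
PINNED = hashlib.sha256(SAMPLE_DER).hexdigest()  # would come from the CA owner
```

A file that carries more than one certificate block is rejected by matches_pin even if one of the blocks matches, so an extra CA cannot ride along with the expected one.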
Export a certificate
Use the command cmd certificate export name <cert-name> url <remote-url>
to export a certificate stored in the local database to a remote location:
vsr> cmd certificate export name rootca url http://remote_server:8999/
OK.
See also
The Export certificate command reference for details.
Add a certificate
Use the command cmd certificate add name <cert-name> data <pem-format-input>
to add a certificate supplied as a string (in PEM-encoded format):
vsr> cmd certificate add name user03 data "-----BEGIN CERTIFICATE-----
... MIIDazCCAlOgAwIBAgIUOittEYmcZTGUGioankW6HvDYTMcwDQYJKoZIhvcNAQEL
... BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
... GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMTA4MjcxNTEwNTFaFw0yMjA4
... MjcxNTEwNTFaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
... HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB
... AQUAA4IBDwAwggEKAoIBAQCwebLs/zQB0RyVi1VJW7sT/ZUgkTg2kf/1ab312+Fh
... 1nCnMz7q5loNVm7ZJ/8+kwdGIEkCxwbZr++asN8EjKOvSNZphk7kOJbam6ui1j5C
... ollm77CF4n6urj9/mA73OJJkwkTbzzBwTcfSXephAa5lAw0z83C04WaVleBlH5c8
... RhEcwx+8dlMmBkpwuaaxFBDfXHHeu4W554PpJEY0/W1m3uaX44QvXbRZV+f6/CpM
... RpdBKsMqPvj776VDeYylHewb0MlwOadXw8YMXs7pkkRoP2AvuP0hFev8+LTj6kkG
... 4c89VX5s6DPuu/P1cLowLCnt5DppAt69nTK8Zbk4wjVJAgMBAAGjUzBRMB0GA1Ud
... DgQWBBR3c9b3DavflgTCoUEWQY6OyqXhmzAfBgNVHSMEGDAWgBR3c9b3DavflgTC
... oUEWQY6OyqXhmzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAm
... vleOmDHBChJ7at+yEQM8hmAqmupVWX3aUXaoKkGMpD8vg46uYhxxcInzBPaySblQ
... QyGLom2raUW0a27hhAucQe1ZRqpfIAvJ5/hUkztkOsUOC2nptMn9lZQvbnmGFoSR
... AQP3me3QffYVU4ozL2UeqUQV1yd91cIQOGu9DZFQOQkeVj7J5O4iAw3Xp0xxNuAJ
... GgncUQMya16UW4wbAjXpq0ZVKIWQtkZw+0ZffVfIyYUFsq3j6pFVcETa6VDrES0h
... r6phc+0OVpwUU0AQg7SJucApPNOf0KbnGyLli/e8yUtsrDouifSr29QipRiHhrOr
... eS4EeexMXu6W4TsFjpkP
... -----END CERTIFICATE-----"
OK.
See also
The Add certificate command reference for details.
Delete a certificate
Use the command cmd certificate delete name <cert-name> to delete a certificate
from the local database. In this example, we delete the certificate user01 imported earlier:
vsr> cmd certificate delete name user01
OK.
See also
The Delete certificate command reference for details.
Show certificate list
Use the command show certificate list to list the certificates stored in the local database.
These certificates may have been imported using cmd certificate import or by another service:
vsr running config# show certificate list
6WIND
rootca
user02
user03
See also
The Show certificate list command reference for details.
Show certificate detail
Use show certificate name <cert-name> to show certificate content in ASCII format:
vsr running config# show certificate name 6WIND
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:54:ca:5f:55:97:1c:09:67:1b:d6:ab:ad:50:f7:9d:6e:96:72:79
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=6WIND"
        Validity:
            Not Before: Thu Aug 12 12:49:41 2021
            Not After : Fri Aug 12 12:49:40 2022
        Subject: "CN=6WIND"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    d7:22:f8:56:fb:06:8c:2d:28:2a:44:9c:28:40:79:96:
                    (....)
                    55:93:79:05:74:f9:63:88:96:66:d1:30:00:4f:d0:d0:
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Basic Constraints
            Critical: True
            Data: Is a CA with no maximum path length.
            Name: Certificate Authority Key Identifier
            Key ID:
                c9:4f:b9:85:92:d0:de:2a:28:76:e6:2c:2c:7f:c0:20:
                73:a4:71:b1
            Name: Certificate Subject Key ID
            Data:
                c9:4f:b9:85:92:d0:de:2a:28:76:e6:2c:2c:7f:c0:20:
                73:a4:71:b1
            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Certificate Signing
                    CRL Signing
    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        a5:6c:26:6a:ef:6d:f1:75:7d:f9:a5:57:69:c0:19:97:
        (...)
        fa:2a:88:11:26:f7:c1:f4:cf:8f:4d:31:c5:42:ce:26:
    Fingerprint (SHA-256):
        E2:E2:D8:0D:B0:...:2D:05:56:96:F6:21:5D:EA:62:B9
    Fingerprint (SHA1):
        6C:EB:86:6A:C5:...:0A:9A:43:6E:2A:14:0C:F8:B9:4F
Add the base64 option to print the certificate in PEM format,
using show certificate name <cert-name> base64:
vsr running config# show certificate name 6WIND base64
-----BEGIN CERTIFICATE-----
(...)
-----END CERTIFICATE-----
See also
The Show certificate detail command reference for details.
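A small parser for the detail output shown above, added here as an example (not 6WIND code), pulls out the validity window, CA flag and key usages so stored certificates can be audited for expiry and role. The sample text is an abbreviated copy of the output on this page; the function names are illustrative, and treating the printed timestamps as directly comparable with the caller's now value is an assumption.

```python
import re
from datetime import datetime

# Abbreviated copy of the detail output shown above (hex fields dropped).
SAMPLE = """\
Certificate:
    Data:
        Issuer: "CN=6WIND"
        Validity:
            Not Before: Thu Aug 12 12:49:41 2021
            Not After : Fri Aug 12 12:49:40 2022
        Subject: "CN=6WIND"
        Signed Extensions:
            Name: Certificate Basic Constraints
            Data: Is a CA with no maximum path length.
            Name: Certificate Key Usage
            Usages: Digital Signature
                    Certificate Signing
                    CRL Signing
    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
"""
DATE_FMT = "%a %b %d %H:%M:%S %Y"

def field(text, label):
    # First "label: value" line, with surrounding quotes removed.
    m = re.search(rf"^\s*{label}\s*:\s*(.+?)\s*$", text, re.MULTILINE)
    return m.group(1).strip('"') if m else None

def key_usages(text):
    # "Usages:" value plus its continuation lines (indented, no colon).
    m = re.search(r"Usages:(.*(?:\n[^:\n]+$)*)", text, re.MULTILINE)
    found = m.group(1).splitlines() if m else []
    return [u.strip() for u in found if u.strip()]

def audit(text, now):
    """Summarise the trust-relevant fields of one certificate."""
    not_before = datetime.strptime(field(text, "Not Before"), DATE_FMT)
    not_after = datetime.strptime(field(text, "Not After"), DATE_FMT)
    subject, issuer = field(text, "Subject"), field(text, "Issuer")
    return {
        "subject": subject,
        "self_issued": subject == issuer,  # names match; signature not checked
        "is_ca": re.search(r"Data:\s*Is a CA", text) is not None,
        "in_validity": not_before <= now <= not_after,
        "days_left": (not_after - now).days,
        "usages": key_usages(text),
    }
```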
Show certificate private key
Use show certificate key name <cert-name> to show the private key of the given
certificate in PEM format:
vsr running config# show certificate key name user01
-----BEGIN PRIVATE KEY-----
(...)
-----END PRIVATE KEY-----
See also
The Show certificate key command reference for details.