Adding and deleting a TA Profile

Procedure
  1. To add a TA profile:
    1. In the navigation pane, expand Security, and select PKI.

      The PKI page is displayed.

    2. In the TA Profiles panel, click Add.

      The Add TA Profile dialog box is displayed.

    3. Click Browse and select a certificate to associate with the TA profile. The certificate file must be in .pem format. The switch can import Privacy-Enhanced Mail (PEM) encoded ITU-T X.509 v3 certificates.
      NOTE:

The PEM data must be delimited by the following lines:

      -----BEGIN CERTIFICATE-----
      -----END CERTIFICATE-----

      For example:

      -----BEGIN CERTIFICATE-----
      MIIDsDCCApgCCQDJotuPPj9GCDANBgkqhkiG9w0BAQsAADCBqzELMAkGA
      UEBhVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEDAOBgNVBAcBM1JvY2tsa
      W4xDDAKBgBAoMA0hQTjEVMBMGA1UECwwMSFBOUm9zZXZpbGxlMSokwAYD
      ...
      MioDy0096DvSMPsnOaI+jnZ3AozN8y+nLgotXUsg36pO/Ncc51oQhyUdc
      AbgA1rzSLgyTnpXZKumvlaoTk3pzrIf7m5V103GTbgHGSFCzgO6QWxVxu
      9d7ju1o59SaOIT7JSsYI5LsLpVz9ZqS599rj/lLoH+rLNlRDVXpS+J51U
      -----END CERTIFICATE-----
    4. Enter a profile name for the TA profile. The profile name can have a maximum of 32 characters.
    5. Configure the following optional parameters:
      • Revocation-Check: Select the OCSP checkbox to have the switch determine the revocation status of certificates validated against this TA profile. Optionally, enter the primary and secondary OCSP responder URLs that the TA profile should use to verify the revocation status.

        Selecting the checkbox enables certificate revocation checking for the TA profile using the Online Certificate Status Protocol (OCSP). If no OCSP responder URLs are defined for a TA profile (the default), the OCSP responder URL carried in the peer certificate is used for revocation status checking. (The OCSP responder URL is contained in the certificate's Authority Information Access field, which is an X.509 v3 certificate extension.) Configuring responder URLs in the profile is therefore a way to pin the responder the switch contacts instead of trusting whatever URL the peer certificate names.

      • OCSP Disable-Nonce: Select the Disable-Nonce checkbox to exclude the nonce from OCSP requests.

        A nonce is a unique value that an OCSP client inserts in an OCSP request and expects the OCSP responder to echo in the corresponding OCSP response. Because the response must be signed over the nonce, an attacker cannot replay an older, still-valid "good" response to masquerade as the OCSP responder. The nonce is included by default, but it can be excluded. Some OCSP responders do not support the nonce for performance reasons, because a nonced response cannot be pre-signed and cached; disabling the nonce restores compatibility with such responders at the cost of replay protection.

      • OCSP Enforcement Level: Select either Strict or Optional to set how the result of the OCSP check is enforced. Strict enforcement is enabled by default.

        • Strict: The certificate is accepted only if the OCSP check completes successfully and reports the certificate as not revoked. Any failure, whether a validation failure, a software or system error, a configuration error or a transactional error (for example, no response from the responder), causes the certificate to be rejected.

        • Optional: The certificate is rejected only on a definitive validation error: the response signature is invalid, the nonce in the response does not match the request, or the certificate is reported as revoked. If the revocation check cannot be performed at all, the certificate is still accepted provided there are no other validation errors. Optional therefore fails open when the responder is unavailable; Strict fails closed.

      • OCSP VRF: Select the VRF that the switch uses to communicate with OCSP responders for OCSP checking. VRF mgmt is used by default.

    6. Click OK.
  2. To delete a TA profile:
    1. In the TA Profiles panel, select the TA profile, and click Delete.

      A confirmation message is displayed.

    2. Click Delete.
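The following Python script is an added example, not part of the switch software or of this documentation. It performs the pre-flight checks a practitioner wants before clicking Browse in step 3 (the PEM delimiters from the NOTE, that the data is an X.509 v3 certificate, and which OCSP responder URL the Authority Information Access extension carries, since that is what the switch falls back to when the profile has no responder URLs), and it models the accept/reject outcome of the Strict and Optional enforcement levels from step 5. It uses only the standard library; the X.509 inspection is a minimal DER walk plus a byte scan for the id-ad-ocsp OID rather than a full ASN.1 parser, and the sample certificate it feeds itself is a constructed, unsigned X.509-shaped blob. All function names and the example URL are the example's own assumptions.

```python
"""Pre-flight checks for a TA profile certificate, plus the OCSP enforcement decision.

Added example (not the switch's code). Standard library only; the DER handling
below is deliberately minimal and is not a general X.509 parser.
"""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----"
)
ID_AD_OCSP = bytes.fromhex("06082b06010505073001")  # OID 1.3.6.1.5.5.7.48.1 (id-ad-ocsp), DER
ID_PE_AIA = bytes.fromhex("06082b06010505070101")   # OID 1.3.6.1.5.5.7.1.1 (authorityInfoAccess), DER


def _der_len(buf: bytes, i: int):
    """Decode the DER length at buf[i]; return (length, index of first content byte)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def pem_to_der(pem_text: str) -> bytes:
    """DER bytes of the first CERTIFICATE block; ValueError if the BEGIN/END lines
    required by the NOTE are missing or the body is not base64-encoded DER."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("missing -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- lines")
    der = base64.b64decode("".join(m.group("body").split()), validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE")
    return der


def x509_version(der: bytes) -> int:
    """X.509 version 1..3. Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
    version [0] EXPLICIT INTEGER DEFAULT v1(0), serialNumber, ... } ... }."""
    _, i = _der_len(der, 1)            # enter Certificate
    if der[i] != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    _, i = _der_len(der, i + 1)        # enter tbsCertificate
    if der[i] != 0xA0:                 # [0] absent means DEFAULT v1
        return 1
    _, i = _der_len(der, i + 1)
    if der[i] != 0x02:
        raise ValueError("version is not an INTEGER")
    ln, i = _der_len(der, i + 1)
    return int.from_bytes(der[i:i + ln], "big") + 1


def aia_ocsp_urls(der: bytes) -> list:
    """OCSP responder URLs from the AIA extension: every id-ad-ocsp OID that is
    directly followed by a GeneralName [6] uniformResourceIdentifier (tag 0x86)."""
    urls, pos = [], der.find(ID_AD_OCSP)
    while pos >= 0:
        i = pos + len(ID_AD_OCSP)
        if i < len(der) and der[i] == 0x86:
            ln, start = _der_len(der, i + 1)
            urls.append(der[start:start + ln].decode("ascii"))
        pos = der.find(ID_AD_OCSP, i)
    return urls


def preflight(pem_text: str) -> dict:
    """What to verify before importing the file: delimiters, DER, v3, OCSP URLs."""
    try:
        der = pem_to_der(pem_text)
        version = x509_version(der)
    except (ValueError, IndexError) as exc:
        return {"ok": False, "error": str(exc)}
    if version != 3:
        return {"ok": False, "error": f"X.509 v{version} certificate; the switch requires v3"}
    return {"ok": True, "version": version, "ocsp_urls": aia_ocsp_urls(der)}


def ocsp_accepts(level: str, *, response_received: bool, signature_valid: bool,
                 nonce_matched: bool, revoked: bool, nonce_enabled: bool = True) -> bool:
    """Accept/reject for one peer certificate under the two enforcement levels.
    A nonce mismatch can only occur when a nonce was sent (Disable-Nonce not set)."""
    if level not in ("strict", "optional"):
        raise ValueError(f"unknown enforcement level {level!r}")
    if not response_received:          # transactional error: check not possible
        return level == "optional"     # Strict fails closed, Optional fails open
    return signature_valid and not revoked and (nonce_matched or not nonce_enabled)


def _tlv(tag: int, content: bytes) -> bytes:
    """DER tag-length-value with short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def sample_cert_pem(ocsp_url: str, version: int = 3) -> str:
    """CONSTRUCTED input: a structurally minimal, unsigned X.509-shaped DER blob with
    an AIA extension, wrapped in PEM. Not a real certificate; it exercises the parsers."""
    ver = _tlv(0xA0, _tlv(0x02, bytes([version - 1]))) if version > 1 else b""
    access = _tlv(0x30, ID_AD_OCSP + _tlv(0x86, ocsp_url.encode("ascii")))
    aia_ext = _tlv(0x30, ID_PE_AIA + _tlv(0x04, _tlv(0x30, access)))
    tbs = _tlv(0x30, ver + _tlv(0x02, b"\x01") + _tlv(0xA3, _tlv(0x30, aia_ext)))
    b64 = base64.b64encode(_tlv(0x30, tbs)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    print(preflight(sample_cert_pem("http://ocsp.example.test/")))
```

Run `preflight()` on the real .pem you intend to upload: an `ok` result with an empty `ocsp_urls` list means that, with the OCSP checkbox selected and no responder URLs in the profile, there is no URL for the switch to fall back to, so either configure responder URLs in the profile or expect Strict enforcement to reject the peer.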