
crypto-local pki

crypto-local pki

allow-low-assurance-devices

CRL <name> <filename>

global-ocsp-signer-cert

IntermediateCA <name> <filename>

OCSPResponderCert <certname> <filename>

OCSPSignerCert <certname> <filename>

PublicCert <name> <filename>

rcp <name>

ServerCert <name> <filename>

service-ocsp-responder {enable|disable}

TrustedCA <name> <filename>

Description

This command configures a local certificate, OCSP (Online Certificate Status Protocol) signer or responder certificate, and Certificate Revocation List (CRL). You can also list revocation checkpoints and enable the responder service.

Syntax

Parameter

Description

allow-low-assurance-devices

Enables or disables low assurance devices.

CRL

Specifies a Certificate Revocation List. Validation of the CRL is done when it is imported through the WebUI (this requires the issuing CA to be present already). CRLs can only be imported through the WebUI.

<name>

Name of the CRL.

<filename>

Original imported filename of the CRL.

global-ocsp-signer-cert

Specifies the global OCSP signer certificate used to sign OCSP responses when no checkpoint-specific OCSP signer certificate is present. If ocsp-signer-cert is not specified, OCSP responses are signed using the global OCSP signer certificate. If neither is present, an error message is sent to clients.

NOTE: The checkpoint-specific OCSP signer certificate (if configured) takes precedence over the global OCSP signer certificate.

IntermediateCA

Configures an intermediate CA certificate.

<name>

Name of the intermediate CA certificate.

<filename>

Original imported filename of the CRL.

OCSPResponderCert

Configures an OCSP responder certificate.

<certname>

Name of responder certificate.

<filename>

Original imported filename of the responder certificate.

OCSPSignerCert

Configures an OCSP signer certificate.

<certname>

Name of the signer certificate.

<filename>

Original imported filename of the signer certificate.

PublicCert

Public key of a certificate. This allows an application to identify an exact certificate.

<certname>

Name of the signer certificate.

<filename>

Original imported filename of the signer certificate.

rcp <name>

Specifies the revocation checkpoint. A revocation checkpoint is automatically created when a TrustedCA or IntermediateCA certificate is imported on the Mobility Master. See crypto-local pki rcp for more details.

ServerCert

Configures a server certificate. This certificate must contain both a public and a private key (the public and private keys must match). You can import a server certificate in either PKCS12 or x509 PEM format; the certificate is stored in x509 PEM DES-encrypted format on the Mobility Master.

<certname>

Name of the signer certificate.

<filename>

Original imported filename of the signer certificate.

service-ocsp-responder

Enables or disables the OCSP responder service. The default is disabled. To enable this option, a CRL must be configured for this revocation checkpoint, as the CRL is the source of revocation information in the OCSP responses.

TrustedCA

Configures a trusted CA certificate. This can be either a root CA or an intermediate CA. Aruba encourages (but does not require) an intermediate CA's signing CA to be the Mobility Master itself.

<certname>

Name of the signer certificate.

<filename>

Original imported filename of the signer certificate.
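Two of the import requirements above, the ServerCert key pair must match and a CRL is validated against a CA that is already present, can be checked with openssl before the files are uploaded. The script below is an added example and is not part of the ArubaOS documentation; it assumes the openssl command-line tool is installed, and every certificate, key and file name in it is a constructed fixture.

```shell
#!/bin/sh
# Added example, not part of the ArubaOS documentation: pre-import checks with
# openssl for two requirements the command reference states, the ServerCert key
# pair must match and a CRL is validated against a CA that is already present.
# All certificates, keys and file names below are constructed test fixtures.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Throwaway root CA, a server certificate it issued, an unrelated key, and an
# (empty) CRL signed by the CA, so the checks run entirely offline.
make_fixtures() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=mm.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/server.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=unrelated" \
    -keyout "$WORK/other.key" -out /dev/null 2>/dev/null
  # openssl ca needs a minimal config and an index file to issue a CRL.
  : > "$WORK/index.txt"
  printf '[ca]\ndefault_ca = d\n[d]\ndatabase = %s/index.txt\ndefault_md = sha256\ndefault_crl_days = 1\n' \
    "$WORK" > "$WORK/ca.cnf"
  openssl ca -config "$WORK/ca.cnf" -gencrl -keyfile "$WORK/ca.key" -cert "$WORK/ca.pem" \
    -out "$WORK/ca.crl" 2>/dev/null
}

# ServerCert must carry matching public and private keys: compare the SHA-256
# of the DER SubjectPublicKeyInfo taken from the certificate and from the key.
cert_key_match() {  # $1 cert PEM, $2 private key PEM; prints match|mismatch
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$c" = "$k" ] && echo match || echo mismatch
}

# A CRL is only accepted if its issuing CA is already present; check the CRL
# signature against that CA certificate before uploading through the WebUI.
crl_verify() {  # $1 CRL PEM, $2 CA cert PEM; prints ok|bad
  if openssl crl -in "$1" -noout -CAfile "$2" >/dev/null 2>&1; then echo ok; else echo bad; fi
}

make_fixtures
echo "server.pem vs server.key: $(cert_key_match "$WORK/server.pem" "$WORK/server.key")"
echo "server.pem vs other.key:  $(cert_key_match "$WORK/server.pem" "$WORK/other.key")"
echo "ca.crl signed by ca.pem:  $(crl_verify "$WORK/ca.crl" "$WORK/ca.pem")"
```

Run the same two functions against the real ServerCert/key and CRL/TrustedCA files before importing them; a mismatch or bad result is what the Mobility Master would reject at import time.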

Usage Guidelines

This command lets you configure the Mobility Master to perform real-time certificate revocation checks using the Online Certificate Status Protocol (OCSP) or traditional certificate validation using the Certificate Revocation List (CRL) client. Refer to Certificate Revocation for more information on how to configure this feature using both the WebUI and the CLI.

Example

The following example configures the Mobility Master as an OCSP responder:

(host) [mynode] (config) #crypto-local pki service-ocsp-responder

(host) [mynode] (config) #crypto-local pki rcp CARoot

ocsp-signer-cert RootCA-Ocsp_signer

crl-location file Security1-WIN-05PRGNGEKAO-CA-unrevoked.crl

enable-ocsp-responder

Related Commands

Command

Description

crypto-local pki rcp

Specifies the certificates that are used to sign OCSP responses for this revocation checkpoint.

show crypto-local pki

Displays local certificates, OCSP signer or responder certificates, and CRL data and statistics.

Command History

Version

Modification

ArubaOS 8.2.0.0

The allow-low-assurance-devices parameter was added.

ArubaOS 8.0.0.0

Command introduced.

Command Information

Platforms

Licensing

Command Mode

All platforms

Base operating system.

Config mode on Mobility Master.
