certmgmt

Purpose

Displays and manages entries in a database of certificate and private key data. certmgmt supports displaying, loading, saving, and removing certificate database entries, and importing a private key for the Digi device into the database. Certificates and public/private host key pairs are an integral part of public key infrastructure (PKI) based security. The certmgmt command manages several kinds of certificate databases and security implementations, including X.509, SSL/TLS, SSH, and VPN.

Note Digi recommends using the web interface instead of certmgmt to manage certificate databases and private key data, as it is better suited to the interactive tasks involved. In the web interface, go to Management > X.509 Certificate/Key Management.

Tables managed by the “certmgmt” command

Database information is stored in the following tables:

Security type: X.509 Certificate Authority/Certificate Revocation

  Table: CA (Certificate Authority)
  Used to load: Certificate authority digital certificates. A certificate authority (CA) is a trusted third party which issues digital certificates for use by other parties. Digital certificates issued by the CA contain a public key. The certificate also contains information about the individual or organization to which the public key belongs. A CA verifies digital certificate applicants' credentials. The CA certificate allows verification of digital certificates, and the information contained therein, issued by that CA.

  Table: CRL (Certificate Revocation List)
  Used to load: Certificate revocation lists for loaded CAs. A certificate revocation list (CRL) is a file that contains the serial numbers of digital certificates issued by a CA which have been revoked, and should no longer be trusted. Like CAs, CRLs are a vital part of a public key infrastructure (PKI). The digital certificate of the corresponding CA must be installed before the CRL can be loaded.

Security type: Simple Certificate Enrollment Protocol (SCEP)

  Table: SCEP CA (Certificate Authority)
  Used to load: SCEP certificate authority digital certificates that have been approved and issued. Tables are populated using SCEP commands and data is obtained from a SCEP server, rather than populated by a user.

  Table: SCEP Pending Enrollment Requests
  Used to load: SCEP certificate requests that are pending approval.

Security type: Virtual Private Networking (VPN)

  Table: VPN Identity
  Used to load: VPN identity certificates. Identity certificates and keys allow for IPSec authentication and secure key exchange with ISAKMP/IKE using RSA or DSA signatures. The VPN identity certificate must be issued by a CA trusted by the peer.

  Table: VPN Identity Keys
  Used to load: VPN RSA or DSA identity private keys.

Security type: Secure Sockets Layer (SSL) and Transport Layer Security (TLS)

  Table: SSL Identity
  Used to load: SSL/TLS identity certificates. A default key is generated automatically but can be overridden by a user. However, this default key is not secure.

  Table: SSL Identity Keys
  Used to load: SSL/TLS identity private keys.

  Table: SSL Peer
  Used to load: SSL/TLS peer certificates.

  Table: SSL Revoked
  Used to load: Verbatim revoked SSL/TLS certificates.

Security type: Secure Shell (SSHv2)

  Table: SSH Host Keys Table
  Used to load: SSHv2 identity private keys. Used for authentication with SSHv2 clients and secure key exchange. A default 1024-bit DSA key is generated automatically if none exists when the device boots. There is no certificate for SSHv2, just private key data.

Behavior of SSH/SSL private keys on Digi devices

Digi devices generate their SSH/SSL self-signed private keys automatically. While this automatic generation is convenient for device users, as they are not required to perform any actions regarding the private keys, it presents some security loopholes.

Using TFTP to load and store certificate information

Using TFTP, you can load and store PEM-formatted certificates into the certificate and private key management tables.

Using HTTP/HTTPS to transfer certificate and key data

On the web, you can use HTTP or HTTPS to transfer certificate and private key data.

Required permissions

For Digi products with two or more users, permissions must be set with set permissions s-cert=read to display current certificate management settings, and with set permissions s-cert=rw to manage entries in certificate databases. See set permissions for details on setting user permissions for commands.

Syntax

Display certificate management and private key tables

certmgmt

Set up certificate management and private key tables

certmgmt [table={ca|crl|scep_ca|scep_pending|vpn_identity|vpn_key|
ssl_identity|ssl_key|ssl_peer|ssl_revoked|ssh_key}
[range={index|index-index|range,range}]
[action]]

action is:

For all tables but SCEP (scep_ca and scep_pending):

{display|
remove|
load=ip address:filename|
save=ip address:filename|
password=pem file password|
request={ip address:filename|print}|
generate={rsa|dsa}:bits {512-4096}}

For SCEP tables (scep_ca and scep_pending):

action={getca=url
ca_identifer=ca identifier
accept_ca
range=range
enroll=url
ca=ca table index
sig_ca=optional signature ca table index
enc_ca=optional encryption ca table index
challenge=challenge password
encryption_algorithm={3des|des} (default=3des)
signature_algorithm={md5|sha1}} (default=md5)

Options

table={ca|crl|scep_ca|scep_pending|vpn_identity|vpn_key|
ssl_identity|ssl_key|ssl_peer|ssl_revoked|ssh_key}

Identifies a certificate management database table.

ca

Certificate Authority (CA) table.

crl

Certificate Authority Certificate Revocation Lists (CRL) table.

scep_ca

SCEP CA (Certificate Authority) table.

scep_pending

SCEP Pending Enrollment Requests Table.

vpn_identity

Virtual Private Network (VPN) identity certificates table.

vpn_key

VPN Identity Keys table.

ssl_identity

SSL Identity table.

ssl_key

SSL Identity Keys table.

ssl_peer

SSL Peer table.

ssl_revoked

SSL Revoked table.

ssh_key

SSH Host Keys table.

range={index|index-index|range,range}

Identifies a range of entries in a certificate management database table. Each table type has a fixed number of entries, so an index or index-index value must fall within the range listed for that table type:

Index range   Applies to table types
1-2           SSL Identity, SSL Identity Keys, SSH Host Keys
1-4           SCEP Pending Enrollment
1-5           VPN Identity, VPN Identity Keys
1-8           CA (Certificate Authority), CRL (Certificate Revocation List), SCEP CA, SSL Peer, SSL Revoked
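The range syntax above is small but easy to get wrong at the keyboard (a range of 1-8 is valid for the CA table and invalid for the two-entry SSL Identity table). The following Python is an added example, not Digi code: it expands a certmgmt range specification of the form index, index-index or a comma-separated list of those, validates every index against the per-table bounds taken from the table above, and assembles the command line only when the range is valid. The table keyword names are the table= values from the syntax section; the TABLE_BOUNDS mapping is this example's own encoding of the range table.

```python
"""Expand and validate a certmgmt range specification.

Added example, not part of the Digi reference.  TABLE_BOUNDS transcribes
the index-range table for each table= keyword.
"""
import re

# Inclusive (low, high) index bounds per certmgmt table keyword.
TABLE_BOUNDS = {
    "ssl_identity": (1, 2), "ssl_key": (1, 2), "ssh_key": (1, 2),
    "scep_pending": (1, 4),
    "vpn_identity": (1, 5), "vpn_key": (1, 5),
    "ca": (1, 8), "crl": (1, 8), "scep_ca": (1, 8),
    "ssl_peer": (1, 8), "ssl_revoked": (1, 8),
}

# One element of a range list: "index" or "index-index".
_PART = re.compile(r"^(\d+)(?:-(\d+))?$")


def parse_range(spec, table):
    """Return the sorted, de-duplicated list of indices denoted by `spec`
    for `table`.  Raises ValueError for malformed, descending, or
    out-of-bounds elements so the caller never sends a bad range."""
    if table not in TABLE_BOUNDS:
        raise ValueError(f"unknown table {table!r}")
    lo, hi = TABLE_BOUNDS[table]
    indices = set()
    for part in spec.split(","):
        part = part.strip()
        m = _PART.match(part)
        if not m:
            raise ValueError(f"malformed range element {part!r}")
        start = int(m.group(1))
        end = int(m.group(2)) if m.group(2) else start
        if start > end:
            raise ValueError(f"descending range {part!r}")
        if start < lo or end > hi:
            raise ValueError(
                f"{part!r} is outside the {table} index range {lo}-{hi}")
        indices.update(range(start, end + 1))
    return sorted(indices)


def build_command(table, action, spec=None):
    """Assemble 'certmgmt table=... [range=...] action', validating the
    range first so a typo is caught before the command reaches the device."""
    parts = ["certmgmt", f"table={table}"]
    if spec is not None:
        parse_range(spec, table)  # raises ValueError if invalid
        parts.append(f"range={spec}")
    parts.append(action)
    return " ".join(parts)


if __name__ == "__main__":
    print(parse_range("1,3-5,8", "ca"))            # [1, 3, 4, 5, 8]
    print(build_command("ca", "display", "1-8"))
    try:
        build_command("ssl_identity", "display", "1-4")
    except ValueError as err:
        print("rejected:", err)
```

Descending ranges and index 0 are rejected rather than silently normalised, since the device's own interpretation of such input is not documented here.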

action={display|remove|load=ip address:filename|
save=ip address:filename|password=pem file password|
request={ip address:filename|print}|
generate={rsa|dsa}:bits {512-4096}}

For all tables but SCEP (scep_ca and scep_pending), the action to be performed on the specified database table.

display

Display specific entries or all entries in the specified certificate management database tables.

remove

Removes specific entries or all entries from certificate management database tables.

load=ip address:filename

Loads certificates via TFTP from the specified server and filename into a certificate management database table.

save={ip address:filename|password=pem file password}

Saves certificate management entries via TFTP to the specified file. The password option supplies the password that protects the PEM file.

request={ip address:filename|print}

Generates a certificate request and sends it to the TFTP server specified by ip address:filename for the certificate to be signed.

print

Prints out the certificate request so that it can be copied and pasted into an email for emailing the request.

generate={rsa|dsa}:bits (512-4096)

Generates a new private key using the specified algorithm (RSA or DSA) and the specified key length in bits (512 to 4096). This option applies to SSL identity keys, SSH host keys, and VPN identity keys.
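The load, save, password and generate actions all revolve around PEM data, and two practical questions come up before a file is pushed to the device over TFTP: is the file encrypted (so that password= is required), and is a key long enough to be worth installing, given that the page's own default SSL key is described as not secure and the SSH host key defaults to 1024-bit DSA. The Python below is an added example and not Digi's code. It splits a PEM file into blocks, maps each block label to the certmgmt tables that could accept it, detects encrypted blocks, and measures the modulus of a PKCS#1 RSA private key with a minimal DER reader. The 2048-bit floor is this example's own threshold, not a certmgmt limit (certmgmt itself accepts 512 to 4096 bits); the sample key it generates is structurally valid but built from dummy integers, so it is not a usable key.

```python
"""Pre-flight check of a PEM file before 'certmgmt ... load='.

Added example, not part of the Digi reference.  Pure standard library.
"""
import base64
import re

MIN_RSA_BITS = 2048  # this example's assumption, not a certmgmt limit

# certmgmt tables that can accept each PEM block label (assumed mapping
# derived from the table descriptions; certificates fit several tables).
TABLES_FOR = {
    "CERTIFICATE": ("ca", "ssl_identity", "ssl_peer", "vpn_identity"),
    "X509 CRL": ("crl",),
    "RSA PRIVATE KEY": ("ssl_key", "ssh_key", "vpn_key"),
    "DSA PRIVATE KEY": ("ssl_key", "ssh_key", "vpn_key"),
    "ENCRYPTED PRIVATE KEY": ("ssl_key", "ssh_key", "vpn_key"),
}

_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def _der_tlv(buf, pos):
    """Read one DER tag/length/value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(der):
    """Modulus bit length of a PKCS#1 RSAPrivateKey (version, n, e, ...)
    or RSAPublicKey (n, e).  Only the leading INTEGERs are read."""
    tag, body, _ = _der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    ints, pos = [], 0
    while pos < len(body) and len(ints) < 3:
        t, v, pos = _der_tlv(body, pos)
        if t != 0x02:
            raise ValueError("expected INTEGER")
        ints.append(int.from_bytes(v, "big"))
    n = ints[1] if ints[0] == 0 and len(ints) > 2 else ints[0]
    return n.bit_length()


def inspect_pem(text):
    """Return a finding dict per PEM block: type, candidate tables,
    encrypted flag, RSA bit length (if measurable) and warnings."""
    findings = []
    for m in _BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        lines = body.splitlines()
        headers = [ln for ln in lines if ":" in ln]       # e.g. Proc-Type
        b64 = "".join(ln for ln in lines if ":" not in ln and ln.strip())
        encrypted = label == "ENCRYPTED PRIVATE KEY" or any(
            h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers)
        f = {"type": label, "tables": TABLES_FOR.get(label, ()),
             "encrypted": encrypted, "bits": None, "warnings": []}
        if label not in TABLES_FOR:
            f["warnings"].append("no certmgmt table accepts this block type")
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError:
            f["warnings"].append("body is not valid base64")
            findings.append(f)
            continue
        if encrypted:
            f["warnings"].append("encrypted: supply the PEM password with password=")
        elif label == "RSA PRIVATE KEY":
            try:
                f["bits"] = rsa_modulus_bits(der)
            except (ValueError, IndexError):
                f["warnings"].append("could not parse RSA key structure")
            else:
                if f["bits"] < MIN_RSA_BITS:
                    f["warnings"].append(f"RSA key is only {f['bits']} bits")
        findings.append(f)
    return findings


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(nb)]) + nb


def _der_int(n):
    b = n.to_bytes((n.bit_length() + 8) // 8, "big")  # extra byte keeps sign positive
    return b"\x02" + _der_len(len(b)) + b


def sample_rsa_key_pem(bits):
    """Constructed sample: structurally valid PKCS#1 RSAPrivateKey whose
    modulus has `bits` bits.  The integers are dummies, not a real key."""
    n = (1 << (bits - 1)) | 1
    body = b"".join(_der_int(x) for x in (0, n, 65537, 3, 5, 7, 11, 13, 17))
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.encodebytes(der).decode()
    return f"-----BEGIN RSA PRIVATE KEY-----\n{b64}-----END RSA PRIVATE KEY-----\n"


if __name__ == "__main__":
    for finding in inspect_pem(sample_rsa_key_pem(1024)):
        print(finding)
```

Certificates are only classified here, not parsed: a block labelled CERTIFICATE may belong in the CA, SSL identity, SSL peer or VPN identity table, and only the operator knows which, so the tool reports the candidates and leaves the choice of table= to the command line.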

action={getca=url
ca_identifer=ca identifier|
accept_ca
range=range
enroll=url
ca=ca table index
sig_ca=optional signature ca table index
enc_ca=optional encryption ca table index
challenge=challenge password
encryption_algorithm={3des|des}
signature_algorithm={md5|sha1}}

For SCEP tables (scep_ca and scep_pending), the action to be performed on the specified database table.

getca=url

Obtain CA certificates from the SCEP server at the specified URL.

Certificates must be accepted by the operator to be used for any purpose.

ca_identifer=ca identifier

Identifies the CA certificate to be obtained from the SCEP server.

accept_ca

Accept the specified CA certificate at the specified URL. This action moves the CA certificate from the SCEP CA table to the X.509 CA table.

range=range

A range of values in the SCEP table. This option is used to populate empty entries in the SCEP CA table.

enroll=url

Submits a certificate enrollment request to the SCEP server at the specified URL. Additional options for this action include:

ca=ca table index

Index number for the CA certificate.

sig_ca=optional signature ca table index
enc_ca=optional encryption ca table index

There are two roles in a certificate enrollment request: the CA that signs the enrollment request, and the CA that encrypts the request. These two options are indices into the CAs in the Digi device's certificate database, and are used to both sign and encrypt the request. This information is typically downloaded into the SCEP CA table. To obtain this information:

1. Enter a certmgmt command specifying the getca action.

2. Enter another certmgmt command, specifying the accept_ca action.

sig_ca=optional signature ca table index

An optional index number assigned to the CA certificate.

enc_ca=optional encryption ca table index

An optional index number associated with the CA that encrypts the request.

challenge=challenge password

A simple password that can be used to guard access to certificates.

encryption_algorithm={3des|des}

The encryption algorithm used with the database action.

3des

3DES encryption algorithm, which uses 192-bit keys.

des

DES encryption algorithm, which uses 64-bit keys.

The default is 3des.

signature_algorithm={md5|sha1}

The authentication algorithm used with the database action.

md5

MD5 authentication algorithm, which produces a 128-bit digest.

sha1

SHA1 authentication algorithm, which produces a 160-bit digest.

The default is md5.

See also