Access Security Guide K/KA/KB.15.15

Name                 Usage      Expiration     Parent / Profile
-------------------- ---------- -------------- ----------------------
SSL_Certificate      Web        CSR            Customer Secondary PKI
Openflow_Cert        Openflow   2030/06/11     Intermediate01
Intermediate01       Inter      2014/01/01     Customer Primary PKI
Default_cert         All        2030/06/11     Intermediate02
Intermediate02       Inter      2014/01/01     Intermediate01
Summary mode lists all certificates below a TA profile, including both local
certificates and installed intermediates. The names of intermediate certificates are
transitory and can change after local certificates are added or removed. In detailed
mode, the certificate name can be provided as an argument, and details specific
to that certificate are displayed. If the Expiration column shows CSR, detailed mode
re-displays the CSR as described under the crypto pki create-csr
local-certificate commands.
All installed certificates are shown in the same way, provided that the fields exist
in the certificate. For example, a CA-signed certificate has an “Issuer:” field with
a different value from the “Subject:” field, whereas in a self-signed certificate these
fields are set to the same value. Because the fields are present in either type of
certificate, they are always shown. Similarly, a root certificate is a self-signed
certificate, and a trust anchor certificate can be either a root certificate or an
intermediate certificate; the same fields are present in the certificate, just set to
different values.
When working in the summary mode:
- An installed certificate may or may not have a subject key identifier.
- An installed certificate may or may not contain an authority key identifier.
- A subjectAltName IP address list may or may not be present, and it may or
  may not be marked critical.
- An installed certificate may or may not contain key usage constraints, which
  may or may not be marked critical.
When an extension is critical, the keyword “critical” is displayed; when the
extension is not critical, no additional wording is displayed (see the screen display
below).
While address ranges can be encoded in a certificate, this usage is not consistent
with identifying a switch (or switch interface), so CIDR format is not expected.
However, if a range is present it must be displayed for diagnostic purposes. (CIDR
format display can be eliminated by adding tests that reject certificates containing a
range at the time of certificate installation.) IP addresses are listed in lexicographical
order, except that all IPv4 addresses are shown as a group before any IPv6 addresses
are displayed. IPv6 addresses are shown in full, without the “zeroes removed”
notation.
NOTE: Per RFC 5280: “Certificate users MUST be able to handle serialNumber
values up to 20 octets.” Thus, the serial number can take 40 hex characters to print.
The serial number is printed in hex to limit string length and to allow easier manual
decoding of UUID-type serial numbers.
Certificate Detail:
Serial Number: 75A5A501ABCDEF12345675A5A501ABCDEF123456
Sig. Algorithm: SHA1 with RSA encryption
Issuer: CN=HP Networking Platform Certificate Authority 01, OU=HP Networking, O=Hewlett-Packard Company, L=Roseville, ST=California, C=US
Validity From: Mar 11 23:56:35 2010 GMT
Validity To: Mar 8 23:56:38 2030 GMT
Subject: CN=Model J1234A/serialNumber=SW123456780A, BaseMAC 010203-040506, OU=HP Networking EVPG, O=Hewlett-Packard Company
X509v3 Subject Key Identifier: 02:62:50:03:D1:7B:E3:68:F9:D7:67:5A:7D:FD:99:BC:AA:D8:07:B7
X509v3 Authority Key Identifier: C7:92:78:C5:19:66:46:DD:7C:47:C1:8D:47:5F:05:1A:C6:30:30:05
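The following script is an added illustration, not code from this guide or from the switch firmware. It implements the display rules stated above in plain Python (standard library only): the serial number is rendered as hex and checked against the RFC 5280 limit of 20 octets, optional extensions (subject key identifier, authority key identifier, subjectAltName IP list, key usage) are printed only when present, the keyword “critical” appears only for critical extensions, SAN IP entries are listed IPv4 first and then IPv6, each group in lexicographical order of its printed form, IPv6 in full (uncompressed) form, and CIDR ranges are retained for diagnostics. The certificate fields in sample_cert() are constructed; the serial number and subject key identifier are copied from the detail output above, and the “lexicographical order of the printed form” sort key is an assumption about the guide's wording.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

# RFC 5280 section 4.1.2.2: users MUST handle serialNumber values up to 20 octets
MAX_SERIAL_OCTETS = 20

IPEntry = Union[ipaddress.IPv4Address, ipaddress.IPv6Address,
                ipaddress.IPv4Network, ipaddress.IPv6Network]


def serial_octets(serial: int) -> int:
    """Number of octets needed to encode a non-negative serial number."""
    return max(1, (serial.bit_length() + 7) // 8)


def format_serial(serial: int) -> str:
    """Render the serial as upper-case hex (two hex chars per octet, 40 at most)."""
    if serial < 0:
        raise ValueError("serialNumber must be non-negative")
    octets = serial_octets(serial)
    if octets > MAX_SERIAL_OCTETS:
        raise ValueError(f"serialNumber exceeds {MAX_SERIAL_OCTETS} octets")
    return f"{serial:0{2 * octets}X}"


def parse_san_ip(text: str) -> IPEntry:
    """Accept a single address, or a CIDR range that is kept only for diagnostics."""
    if "/" in text:
        return ipaddress.ip_network(text, strict=False)
    return ipaddress.ip_address(text)


def san_ip_display(entries: List[str]) -> List[str]:
    """Order SAN IP entries: all IPv4 first, then IPv6; each group sorted by its
    printed form (assumed meaning of "lexicographical"); IPv6 shown uncompressed."""
    parsed = [parse_san_ip(e) for e in entries]

    def render(e: IPEntry) -> str:
        # .exploded gives the full form with no "::" zero compression
        return e.exploded if e.version == 6 else str(e)

    v4 = sorted(render(e) for e in parsed if e.version == 4)
    v6 = sorted(render(e) for e in parsed if e.version == 6)
    return v4 + v6


@dataclass
class Extension:
    name: str
    critical: bool
    value: str


def extension_line(ext: Extension) -> str:
    """Emit the keyword "critical" only when the extension is marked critical."""
    flag = " critical" if ext.critical else ""
    return f"X509v3 {ext.name}:{flag} {ext.value}"


@dataclass
class CertView:
    """Only the optional fields the summary-mode rules talk about (constructed model)."""
    serial: int
    subject_key_id: Optional[str] = None
    authority_key_id: Optional[str] = None
    san_ips: Optional[List[str]] = None
    san_critical: bool = False
    key_usage: Optional[List[str]] = None
    key_usage_critical: bool = False


def detail_lines(cert: CertView) -> List[str]:
    """Build the detail-mode lines, showing each optional field only if it exists."""
    lines = [f"Serial Number: {format_serial(cert.serial)}"]
    if cert.subject_key_id is not None:
        lines.append(f"X509v3 Subject Key Identifier: {cert.subject_key_id}")
    if cert.authority_key_id is not None:
        lines.append(f"X509v3 Authority Key Identifier: {cert.authority_key_id}")
    if cert.san_ips is not None:
        value = "IP Address: " + ", ".join(san_ip_display(cert.san_ips))
        lines.append(extension_line(
            Extension("Subject Alternative Name", cert.san_critical, value)))
    if cert.key_usage is not None:
        lines.append(extension_line(
            Extension("Key Usage", cert.key_usage_critical, ", ".join(cert.key_usage))))
    return lines


def sample_cert() -> CertView:
    """Constructed certificate: no AKI, a critical SAN list mixing v6/v4/CIDR, non-critical key usage."""
    return CertView(
        serial=int("75A5A501ABCDEF12345675A5A501ABCDEF123456", 16),  # from the page
        subject_key_id="02:62:50:03:D1:7B:E3:68:F9:D7:67:5A:7D:FD:99:BC:AA:D8:07:B7",
        san_ips=["fe80::1", "10.0.0.2", "2001:db8::/64", "10.0.0.1"],
        san_critical=True,
        key_usage=["Digital Signature", "Key Encipherment"],
    )


if __name__ == "__main__":
    print("\n".join(detail_lines(sample_cert())))
```

Running the script prints four lines: the serial, the subject key identifier, a SAN line carrying the keyword “critical” with 10.0.0.1 and 10.0.0.2 ahead of the two fully expanded IPv6 entries (the /64 range kept for diagnostics), and a key usage line with no “critical” keyword; the absent authority key identifier produces no line at all.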
514 Certificate manager