Description | The PKI support action to be triggered for this
trustpoint entry.
The PKI support actions are steps in the certificate
work-flow used to facilitate the configuration of the
RSAkey-pair, identity certificate and CA certificates
in a trustpoint. A PKI support action is triggered by
setting this object to the corresponding value as defined
in TC CiscoPkiAction. The value of this object and the
values of the objects cpkiActionUrl and cpkiActionPassword
are interpreted and applied together as a single action
trigger. All these actions operate over the trustpoint
and modify the appropriate columns in the entry.
An attempt to set this object when the value of the
object cpkiActionResult is 'inProgress' will result in an
inconsistentValue error.
The work-flow nature of certificate operations requires
that the trustpoint entry already exists. Some operations
require that other operations have already been performed
successfully, as described below.
The following is a brief description of each action's
semantics, its parameters and the result:
'caauth' - This action is used to authenticate a CA and
configure its CA certificate/chain in this trustpoint. This
is generally the first step in a certificate work-flow.
It requires the parameter objects cpkiActionUrl and
cpkiActionPassword set with appropriate values. The CA
certificate/chain being installed should be available in
PEM format in a file on bootflash. The filename is
specified as 'bootflash:' as the value of the
object cpkiActionUrl. On successful completion of the
operation, the CA certificate fingerprint will be
available as the value of the object
cpkiIssuerCertFingerPrint and the value of the object
cpkiLastActionResult will be 'needConfirm'. This action
is to be followed up with a subsequent 'certconfirm' or
'certnoconfirm' as explained later, to complete the CA
authentication process.
'cadelete' - This action is used to delete the CA
certificate/chain from this trustpoint. On successful
completion of the operation, the values of all issuer
certificate related objects (cpkiIssuerCertFileName
etc.) in this trustpoint entry will be zero length strings.
For this action to succeed, a CA certificate/chain should
have been already configured through the 'caauth' action.
'certreq' - This action is used to generate a pkcs#10
certificate signing request (CSR) needed to obtain an
identity certificate from the CA corresponding to this
trustpoint entry. This entry should have a key-pair
already associated (as indicated by non-zero value of
cpkiKeyPairIndex in the entry). Also the CA certificate/
chain should have been already configured through the
'caauth' action. This action requires the parameter
object cpkiActionPassword to be set with a password string
which will be used as the 'challenge password' attribute
in the CSR being created (the password being optional, it
should be a zero length string if no password is being
specified). On successful completion of the operation, the
value of the object cpkiActionUrl will contain a file name
string in the format 'bootflash:' which will
contain the CSR generated in PEM format. This CSR has to be
submitted to the CA to get the identity certificate. The
process of submitting CSR to the CA and getting the identity
certificate is a step not supported by this MIB currently.
Once the identity certificate is obtained, it has to be
installed in this trustpoint with a subsequent 'certimport'
action explained next.
'certimport' - This action is used to import in this
trustpoint, an identity certificate obtained from the
corresponding CA for an earlier CSR generated (previous
operation 'certreq'). It requires that the identity
certificate being installed be available in PEM format in a
file on bootflash. The filename is specified as
'bootflash:' as the value of the object
cpkiActionUrl. On successful completion of the operation,
the values of all identity certificate related objects
(cpkiIdCertFileName etc.) in this entry will get filled
with the appropriate strings as per the corresponding
attributes in the identity certificate.
'certdelete' - This action is used to delete the identity
certificate from this trustpoint. On successful completion
of the operation, the values of all identity certificate
related objects (cpkiIdCertFileName etc.) in this entry
will become zero length strings.
'pkcs12import' - This action is used to import the
key-pair, identity certificate and the CA certificate/chain
in pkcs#12 format into this trustpoint. It requires
that the file containing the import data be
available on bootflash and whose filename be specified as
'bootflash:' as the value of the object
cpkiActionUrl. It also requires that the parameter
object cpkiActionPassword to be set with a password
string to be used for decoding the pkcs#12 data. On
successful completion of the operation, an entry in the
cpkiRSAKeyPairTable will be created corresponding to the
imported key-pair and it will be named using the trustpoint
name specified. Secondly, the values of all identity
certificate related objects (cpkiIdCertFileName etc.)
and the values of all issuer certificate related objects
(cpkiIssuerCertFileName etc.) in this entry will get filled
with the appropriate strings as per the corresponding
attributes in the identity and CA certificates
respectively.
'pkcs12export' - This action is used to export the
key-pair, identity certificate and the CA certificate/chain
in pkcs#12 format from this trustpoint. It requires that
the filename to contain the exported data be specified as
'bootflash:' as the value of the object
cpkiActionUrl. It also requires that the parameter
object cpkiActionPassword to be set with a password string
to be used for encoding the pkcs#12 data. On successful
completion of the operation, the exported data will be
available on bootflash in the specified file.
'certconfirm' - This action is used to confirm as
acceptable, the certificate fingerprint for the action
'caauth' in this trustpoint. As mentioned earlier, the
certificate fingerprint is available as the value of the
object cpkiIssuerCertFingerPrint and the value of the
object cpkiActionResult will be 'needConfirm' after a
successful 'caauth' action on a trustpoint. On successful
completion of the 'certconfirm' operation, values of all
issuer certificate related objects (cpkiIssuerCertFileName
etc.) in this entry get filled with the appropriate strings
as per the attributes in the CA certificate.
'certnoconfirm' - This action is used to confirm as not
acceptable, the certificate fingerprint for the action
'caauth'. As mentioned earlier, the certificate fingerprint
is available as the value of the object
cpkiIssuerCertFingerPrint and the value of the object
cpkiActionResult will be 'needConfirm' after a successful
'caauth' action on a trustpoint. On successful completion
of the 'certnoconfirm' action subsequent to a 'caauth'
action, the import pending CA certificate/chain will be
rejected.
'forcecertdelete' - Same as 'certdelete', but the operation
is forced even if the certificate being deleted is the
last one.
'crlimport' - This action is used to import in this
trustpoint, the CRL obtained from the corresponding CA.
It requires that the CRL being imported be available in
PEM format in a file on bootflash. The filename is specified
as 'bootflash:' as the value of the object
cpkiActionUrl. On successful completion of the operation,
the CRL will be installed in the trustpoint. For this
action to succeed, a CA certificate/chain should
have been already configured through the 'caauth' action.
'crldelete' - This action is used to delete the CRL from a
trustpoint. This action does not require any parameters.
On successful completion of any of the above actions, the
result object cpkiActionResult will have the value
'success'. On any error during the execution of the action,
the object cpkiActionResult will be set with the value
'failed' and the object cpkiActionFailureReason will have
the appropriate failure message string.
An attempt to set this object with a value other than
'certconfirm' or 'certnoconfirm', when the value of the
object cpkiActionResult is 'needConfirm', will result in
an inconsistentValue error.
All actions operate on an existing entry; triggering an
action as part of row creation is not allowed.
Retrieving the value of this object via SNMP will always
return 'noop'. |
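The set-time rules above (an action is refused while cpkiActionResult is 'inProgress', only 'certconfirm' or 'certnoconfirm' are accepted while it is 'needConfirm', a read always returns 'noop') and the 'caauth' fingerprint confirmation step, as an added Python model that is not part of this MIB or of any Cisco implementation. It assumes an in-memory dictionary in place of bootflash, passes cpkiActionUrl and cpkiActionPassword as parameters rather than separate objects, takes the fingerprint to be SHA-256 of the PEM file (the MIB does not state the algorithm), and models only 'caauth', 'certconfirm', 'certnoconfirm' and 'certreq'; the authenticate_ca driver is a hypothetical client that confirms only when the fingerprint matches a pinned expected value.

```python
# Added model of one trustpoint entry (not Cisco code); fingerprint = SHA-256 of the PEM file (assumed).
import hashlib

class InconsistentValue(Exception): pass   # stands in for the SNMP inconsistentValue error

class TrustpointEntry:
    def __init__(self, bootflash, key_pair_index=0):
        self.bootflash = bootflash                 # constructed {filename: bytes} in place of bootflash
        self.cpkiKeyPairIndex = key_pair_index     # 0 means no key-pair associated
        self.cpkiActionResult = "success"
        self.cpkiActionFailureReason = ""
        self.cpkiIssuerCertFingerPrint = ""
        self.cpkiIssuerCertFileName = ""
        self._pending_ca = None                    # CA file awaiting certconfirm/certnoconfirm
    def get_action(self):
        return "noop"                              # a read never exposes the last trigger
    def _fail(self, reason):
        self.cpkiActionResult, self.cpkiActionFailureReason = "failed", reason
    def set_action(self, action, url="", password=""):
        if self.cpkiActionResult == "inProgress":
            raise InconsistentValue("an action is still in progress")
        if self.cpkiActionResult == "needConfirm" and action not in ("certconfirm", "certnoconfirm"):
            raise InconsistentValue("pending 'caauth' must be confirmed or rejected first")
        if action == "caauth":
            name = url[len("bootflash:"):] if url.startswith("bootflash:") else None
            if name not in self.bootflash:
                return self._fail("CA certificate file not found on bootflash")
            self.cpkiIssuerCertFingerPrint = hashlib.sha256(self.bootflash[name]).hexdigest()
            self._pending_ca, self.cpkiActionResult = name, "needConfirm"
        elif action == "certconfirm":
            self.cpkiIssuerCertFileName, self._pending_ca = self._pending_ca, None
            self.cpkiActionResult = "success"
        elif action == "certnoconfirm":
            self.cpkiIssuerCertFingerPrint, self._pending_ca = "", None
            self.cpkiActionResult = "success"
        elif action == "certreq":
            if not self.cpkiKeyPairIndex or not self.cpkiIssuerCertFileName:
                return self._fail("certreq needs an associated key-pair and an authenticated CA")
            self.cpkiActionResult = "success"
        else:
            self._fail("action not modelled in this example")

def authenticate_ca(tp, filename, expected_fp):
    # Hypothetical client: trigger 'caauth', then confirm only if the fingerprint is the pinned one.
    tp.set_action("caauth", url="bootflash:" + filename, password="")
    if tp.cpkiActionResult != "needConfirm":
        return tp.cpkiActionResult
    tp.set_action("certconfirm" if tp.cpkiIssuerCertFingerPrint == expected_fp else "certnoconfirm")
    return "confirmed" if tp.cpkiIssuerCertFileName == filename else "rejected"
```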