I knew about this, Kings.
It's not very user-friendly. This is what the nvram content of the CA server
looks like:
R6#dir nvram:
Directory of nvram:/
236 -rw- 2255 <no date> startup-config
237 ---- 24 <no date> private-config
238 -rw- 2255 <no date> underlying-config
1 -rw- 0 <no date> ifIndex-table
2 ---- 80 <no date> persistent-data
3 -rw- 2945 <no date> cwmp_inventory
6 -rw- 32 <no date> IOS-CA.ser
7 -rw- 802 <no date> 0x1.crt
8 -rw- 72 <no date> 0x1.cnm
9 -rw- 403 <no date> IOS-CA.crl
10 -rw- 2411 <no date> IOS-CA_00001.p12
13 -rw- 706 <no date> 0x2.crt
14 -rw- 94 <no date> 0x2.cnm
15 -rw- 689 <no date> 0x3.crt
16 -rw- 84 <no date> 0x3.cnm
17 -rw- 709 <no date> 0x4.crt
18 -rw- 94 <no date> 0x4.cnm
19 -rw- 757 <no date> 0x5.crt
20 -rw- 94 <no date> 0x5.cnm
21 -rw- 760 <no date> 0x6.crt
22 -rw- 94 <no date> 0x6.cnm
Can you imagine 80+ remote devices with their respective HEX file names? How
would one know which is which? Let's say the remote device is compromised or
even stolen. The CA administrator will need to quickly find the serial number
of the certificate issued to this device in question. It all creates some
overhead on the CA admin to keep a mapping of certificate S/Ns and the devices'
hostnames. Not a very appealing option as opposed to Microsoft CA, where one can
quickly consult Issued Certificates and find the needed one based on the device
hostname.
Eugene
From: Kingsley Charles [mailto:[email protected]]
Sent: Friday, June 01, 2012 12:00 AM
To: Eugene Pefti
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Listing issued certificates on IOS CA
You can.
Have "database level complete" configured. There you can check for the .cnm
file, which has the enrolled host's subject name, and the .crt file will have
the issued cert.
With regards
Kings
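As an added illustration of the admin overhead Eugene describes and of Kings' advice, here is a small inventory script (not from the thread or from Cisco) that parses the output of `dir nvram:` on an IOS CA, pairs each `<hex-serial>.crt` with its `<hex-serial>.cnm` name file, and reports issued serials that have no .cnm record (the case where the CA cannot be mapped back to a hostname). The naming convention and the sample listing are taken from the output quoted above; everything else is an assumption of this example.

```python
"""Inventory check for an IOS CA 'dir nvram:' listing.

Added example, not code from the thread. It assumes the file-naming convention
visible in the listing: <hex-serial>.crt is the issued certificate and
<hex-serial>.cnm is the name record that exists when 'database level complete'
is configured, per Kings' reply.
"""
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the listing quoted in the thread.
# 0x3 deliberately has a .crt but no .cnm to show the gap the script detects.
SAMPLE_DIR = """\
Directory of nvram:/
236 -rw- 2255 <no date> startup-config
237 ---- 24 <no date> private-config
6 -rw- 32 <no date> IOS-CA.ser
7 -rw- 802 <no date> 0x1.crt
8 -rw- 72 <no date> 0x1.cnm
9 -rw- 403 <no date> IOS-CA.crl
10 -rw- 2411 <no date> IOS-CA_00001.p12
13 -rw- 706 <no date> 0x2.crt
14 -rw- 94 <no date> 0x2.cnm
15 -rw- 689 <no date> 0x3.crt
"""

# One entry line: index, 4-char permission field, size, '<no date>', file name.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+([-rwx]{4})\s+(\d+)\s+<no date>\s+(\S+)\s*$")
# Issued-certificate files are named by hex serial: 0x1.crt / 0x1.cnm.
CERT_FILE_RE = re.compile(r"^(0x[0-9a-fA-F]+)\.(crt|cnm)$")


def parse_dir_listing(text):
    """Return (index, perms, size, name) tuples for every file entry in the listing."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            idx, perms, size, name = m.groups()
            entries.append((int(idx), perms, int(size), name))
    return entries


def certificate_inventory(entries):
    """Group certificate files by serial number.

    Returns {serial_int: {"crt": size_or_None, "cnm": size_or_None}} so the
    CA admin can see, per serial, whether the cert and its name record exist.
    """
    inv = defaultdict(lambda: {"crt": None, "cnm": None})
    for _, _, size, name in entries:
        m = CERT_FILE_RE.match(name)
        if m:
            serial = int(m.group(1), 16)
            inv[serial][m.group(2)] = size
    return dict(inv)


def serials_missing_name_file(inv):
    """Serials with an issued .crt but no .cnm, i.e. no subject-name record
    to map the certificate back to an enrolled hostname."""
    return sorted(s for s, f in inv.items()
                  if f["crt"] is not None and f["cnm"] is None)


def ca_files(entries):
    """Names of the CA's own artefacts (serial counter, CRL, exported keypair)."""
    return sorted(name for _, _, _, name in entries if name.startswith("IOS-CA"))


if __name__ == "__main__":
    entries = parse_dir_listing(SAMPLE_DIR)
    inv = certificate_inventory(entries)
    for serial in sorted(inv):
        f = inv[serial]
        print(f"serial {serial:#x}: crt={f['crt']} cnm={f['cnm']}")
    print("serials without a .cnm name record:",
          [hex(s) for s in serials_missing_name_file(inv)])
    print("CA files:", ca_files(entries))
```

Paste the real `dir nvram:` output in place of the constructed sample; any serial reported without a .cnm is one the admin cannot tie to a hostname from the CA's own database, which is exactly the revocation problem raised in the thread.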
On Fri, Jun 1, 2012 at 8:24 AM, Eugene Pefti
<[email protected]> wrote:
Hi guys,
I wonder if I can see client certificates issued by the IOS CA on the router
acting as CA. Of course I have a way to see the file names in the database but
I need to see the hostname of the client that enrolled and received a
certificate. Preparing an RFP to the client of ours and thinking of deploying
an IOS based CA for their 80+ remote sites connecting to the hub HQ. Being able
to revoke a certificate quickly and easily is important.
Eugene
Sent from iPhone
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com