CA-profile

In SR OS, CA-related configuration is stored in a CA-profile, which contains the following items:

  • name and description

  • CA’s certificate (an imported certificate)

  • CA’s CRL (an imported CRL)

  • revocation check method (specifies how the revocation status of certificates issued by this CA is checked)

  • CMPv2 (CMPv2 server-related configuration)

  • OCSP (OCSP responder-related configuration)

When a user enables a ca-profile (no shutdown), the system loads the specified CA certificate and CRL into memory and performs the following checks:

  • for CA certificate

    • All non-optional fields defined in section 4.1 of RFC 5280, Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, must exist and conform to the format defined in RFC 5280.

    • The version field must have the value 0x2.

    • The Validity field must show that the certificate is still within its validity period.

    • The X.509 Basic Constraints extension must exist and its CA Boolean must be True.

    • If Key Usage extension exists, then at least keyCertSign and cRLSign should be asserted.

  • for CRL

    • All non-optional fields defined in section 5.1 of RFC 5280 must exist and conform to the format defined in RFC 5280.

    • If the version field exists, its value must be 0x1.

    • The Delta CRL Indicator extension must not exist (delta CRLs are not supported).

    • CRL must be signed by the configured CA certificate.

By default, a CRL is required to enable a ca-profile, but it can be made optional by changing the revocation check method. For the revocation check method configuration, see Certificate revocation check.