PKI

PKI stands for Public Key Infrastructure. It is a set of technologies, policies, and procedures used to create, manage, distribute, use, store, and revoke digital certificates and public-private key pairs.

The goal of PKI is to provide secure and trustworthy communication over the network by establishing a trusted digital identity for individuals, devices, and organizations. It is used for a variety of purposes, such as authentication, digital signatures, encryption, and secure email.

PKI is based on the use of asymmetric cryptography, where each entity has a public key and a private key. The public key can be shared with others to encrypt messages, while the private key is kept secret and used to decrypt messages. Digital certificates are used to bind the public key to a specific entity and provide proof of its authenticity.

Digital Certificate

A digital certificate is an electronic document that is issued by a trusted third-party organization, such as a Certificate Authority (CA), to verify the identity of an individual, organization, or device. It contains information about the identity of the entity, such as its name, public key, and other relevant details, and is digitally signed by the CA to guarantee its authenticity.

Digital certificates play a critical role in Public Key Infrastructure (PKI) and are used for a variety of purposes, such as:

  1. Authentication: Digital certificates are used to verify the identity of an individual, organization, or device, allowing for secure communication and transactions.

  2. Encryption: Digital certificates can be used to encrypt sensitive data, ensuring that only the intended recipient can access it.

  3. Digital signatures: Digital certificates can be used to create and verify digital signatures, which assure that a message or document has not been altered in transit.

CA

CA stands for Certificate Authority. It is a trusted third-party organization that is responsible for issuing and managing digital certificates used in a Public Key Infrastructure (PKI).

The main function of a CA is to verify the identity of an individual, organization, or device requesting a digital certificate, and then issue a certificate that contains the verified public key and other information about the entity. The CA’s signature on the certificate serves as proof that the certificate is genuine and the public key belongs to the identified entity.

CAs are essential in PKI as they help establish trust in digital communication by ensuring that the digital certificate belongs to the intended entity and has not been tampered with. CAs can be either commercial or operated by a government or a non-profit organization.

In addition to issuing digital certificates, CAs also manage certificate revocation and renewal and maintain the security and confidentiality of the private keys associated with the certificates they issue.

Note

All PKI actions are persistent: they do not appear in the running configuration, but they are preserved across router reboots.

Note

Currently, no certificate revocation method is supported.

Key Generation

A private/public key pair is used to issue certificate requests or in other protocols.

crypto key generate rsa label NAME modulus (2048|4096)

The command is used to generate a Rivest-Shamir-Adleman (RSA) public-private key pair on a device.

Here is a breakdown of the command and its options:

  • label NAME: This option specifies a label to be assigned to the generated key pair. The label can be any alphanumeric string and is used to identify the key pair when multiple key pairs are present on the device.

  • modulus (2048|4096): This option specifies the size of the RSA key modulus, which determines the strength of the encryption. The modulus size can be either 2048 or 4096 bits.

For example, to generate an RSA key pair with a label of “my_key” and a modulus size of 2048 bits, you would use the following command:

soodar(config)# crypto key generate rsa label my_key modulus 2048

Once the key pair is generated, the public key can be shared with other devices or clients to establish secure communication using encryption and digital signatures. The private key must be kept confidential and secure, as it is used to decrypt encrypted traffic and sign digital messages.

crypto key generate x25519 label LABEL

This command generates a new X25519 key pair with a specific label that can be used for secure communication or other cryptographic purposes.

  • label: This parameter specifies a descriptive label for the generated key pair.

crypto key generate raw label LABEL bytes (32-1024)

The crypto key generate raw command is used to generate a raw key that can be used for various cryptographic functions.

  • label: The name or label of the key to be generated. This is an alphanumeric string up to 20 characters long.

  • bytes: The size of the key to be generated, in bytes. This can be any value between 32 and 1024.

When this command is executed, a raw key of the specified size is generated and stored on the device. It’s important to note that this command generates a raw key, which is a binary string of random data, and not a passphrase or password.

crypto key generate ssh modulus (2048|4096)

This command is used to generate an RSA public/private key pair for Secure Shell (SSH) on the device.

  • modulus: Specifies the size of the RSA modulus to be used. The modulus size can be either 2048 or 4096 bits.

Note

Currently, generated private keys are non-exportable.

Note

Although the keys are non-exportable, there’s an option to take a backup from the device keys.

Trustpoint

A trustpoint is a certificate management tool used to establish trust between a device and other devices or services. It is used to store and manage digital certificates and keys that are used for secure communication.

Trustpoints can be used to manage self-signed certificates, as well as certificates issued by trusted third-party Certificate Authorities (CAs).

In order to use a trustpoint, a digital certificate must first be obtained and imported into the trustpoint. When a self-signed CA is used, the trustpoint must first be authenticated (which imports the CA certificate), and only then can the device certificate be imported. Once the certificate is imported, it can be used to establish secure connections with other devices and services that recognize the certificate as trusted.

Importing a CA

To import a CA, first define a trustpoint, then authenticate it; authentication is the step that imports the CA certificate. This certificate may be self-signed. Input is given through the SSH terminal (the SoodarOS administrator copies and pastes the certificate).

Note

All inputs and outputs (certificates, CSRs, …) are in PEM format.

crypto pki trustpoint NAME

The command is used to configure a PKI (Public Key Infrastructure) trustpoint on a device. A trustpoint is a configuration object that specifies a trusted identity or entity in the context of PKI operations.

  • NAME: The argument specifies the name of the trustpoint being configured.

crypto pki authenticate TP

Authenticate the trustpoint TP and write its CA to the non-volatile memory.

Example :

n1(config)# crypto pki trustpoint root-ca
n1(config)# crypto pki authenticate root-ca
Enter the base 64 encoded CA certificate
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
... (base64 certificate body omitted) ...
-----END CERTIFICATE-----
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

n1# show crypto pki certificate root-ca
Trustpoint: root-ca
CA:
  subject:  "C=IR, O=Temp Corp., CN=temp.com"
  issuer:   "C=IR, O=Temp Corp., CN=temp.com"
  validity:  not before Jan 20 15:12:34 2021, not valid yet (valid in 58 seconds)
             not after  Jan 20 15:12:34 2024, ok (expires in 1095 days)
  serial:    40:c4:fc:42:fd:37:b1:76
  altNames:  other.domain.com
  flags:     CA CRLSign self-signed
  subjkeyId: ec:2b:2e:2f:cb:c9:a3:49:1f:00:db:d0:8d:54:24:69:1e:0a:fd:64
  pubkey:    RSA 2048 bits
  keyid:     cf:d8:04:82:62:b9:f1:a9:84:75:56:e7:1b:5b:ac:4a:c8:ba:ae:21
  subjkey:   ec:2b:2e:2f:cb:c9:a3:49:1f:00:db:d0:8d:54:24:69:1e:0a:fd:64
  Fingerprint: 954E9105EEE221C7BCDF351BBA0184E950F82C75

Generate a certificate and CSR

Users can request certificate signing and import the signed certificate. To do this, a trustpoint needs the following parameters set:

  1. The certificate's subject name (and optionally some SANs).

  2. An RSA key pair to create and sign the CSR.

  3. An enrollment method. Currently only the SSH terminal (copy and paste) method is available, so this step could be skipped.

After setting up the trustpoint and authenticating it, a CSR should be generated. If terminal enrollment is used, the PKCS#10 format CSR is printed on the screen, and the SoodarOS administrator needs to copy it and have it signed by a CA. Importing the signed certificate requires that the trustpoint has been authenticated.

subject-name LINE...

The command is used within a trustpoint configuration to specify the distinguished name (DN) of the certificate subject.

  • LINE: One or more lines of DN.

For example, to configure a trustpoint with the DN “CN=example.com, O=Example Inc., C=IR”, the following commands could be used:

soodar(config)# crypto pki trustpoint TP1
soodar(ca-trustpoint)# subject-name CN=example.com, O=Example Inc., C=IR

subject-alt-name LINE

The command is used in a trustpoint configuration mode to specify additional subject names for the certificate.

  • LINE: Specifies the subject alternative name value.

This command can be used to specify additional subject names for the certificate, such as DNS names, email addresses, or IP addresses.

Note

Enter the command multiple times to set multiple SANs. Up to 100 SANs are supported.

no subject-alt-name LINE

Remove a SAN from the trustpoint.

rsakeypair KEY

Use the previously generated key pair KEY to sign the CSR.

enrollment terminal pem

Enroll via terminal (copy and paste), including PEM encapsulation boundaries.

crypto pki enroll TP

Generate a Certificate Signing Request for trustpoint TP. If terminal enrollment is used, the PKCS#10 format CSR is printed on the screen.

crypto pki import TP certificate

Import the trustpoint TP’s general-purpose certificate and write it to non-volatile memory.

Note

The imported general-purpose certificate must be signed by the same CA that the trustpoint was authenticated with; otherwise, the import fails.

Example :

n1(config)# crypto key generate rsa label mycert-key modulus 2048
n1# show crypto key mycert-key
Keypair Label: mycert-key
  Algorithm:   RSA
  Modulus:     2048 bits
  Subject key: fcc893035eda7e736d0a612bad1d000612c87724
  Key ID:      E5611192FEAD3FDFA877A0BAC5F336480A8C2D97
n1(config)# crypto pki trustpoint mycert
n1(ca-trustpoint)# subject-name C=IR, O=My Org, CN=my.org
n1(ca-trustpoint)# subject-alt-name other.my.org
n1(ca-trustpoint)# subject-alt-name other2.my.com
n1(ca-trustpoint)# rsakeypair mycert-key
n1(config)# crypto pki authenticate mycert
Enter the base 64 encoded CA certificate
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
... (base64 certificate body omitted) ...
-----END CERTIFICATE-----
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

n1(ca-trustpoint)# enrollment terminal pem
n1(config)# crypto pki enroll mycert
-----BEGIN CERTIFICATE REQUEST-----
... (base64 CSR body omitted) ...
-----END CERTIFICATE REQUEST-----

n1(config)# crypto pki import mycert certificate
Enter the base 64 encoded CA certificate
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
... (base64 certificate body omitted) ...
-----END CERTIFICATE-----
Installed successfully

n1# show crypto pki certificate mycert
Trustpoint: n1Cert
CA:
  subject:  "C=IR, O=Temp Corp., CN=temp.com"
  issuer:   "C=IR, O=Temp Corp., CN=temp.com"
  validity:  not before Jan 20 15:12:34 2021, ok
             not after  Jan 20 15:12:34 2024, ok (expires in 1094 days)
  serial:    40:c4:fc:42:fd:37:b1:76
  altNames:  other.domain.com
  flags:     CA CRLSign self-signed
  subjkeyId: ec:2b:2e:2f:cb:c9:a3:49:1f:00:db:d0:8d:54:24:69:1e:0a:fd:64
  pubkey:    RSA 2048 bits
  keyid:     cf:d8:04:82:62:b9:f1:a9:84:75:56:e7:1b:5b:ac:4a:c8:ba:ae:21
  subjkey:   ec:2b:2e:2f:cb:c9:a3:49:1f:00:db:d0:8d:54:24:69:1e:0a:fd:64
  Fingerprint: 954E9105EEE221C7BCDF351BBA0184E950F82C75

General Purpose Certificate:
  subject:  "C=IR, O=My Org, CN=my.org"
  issuer:   "C=IR, O=Temp Corp., CN=temp.com"
  validity:  not before Jan 20 15:18:36 2021, ok
             not after  Jan 20 15:18:36 2024, ok (expires in 1094 days)
  serial:    56:6c:91:21:57:cf:b0:aa
  altNames:  other.my.org, other2.my.com
  flags:
  authkeyId: ec:2b:2e:2f:cb:c9:a3:49:1f:00:db:d0:8d:54:24:69:1e:0a:fd:64
  subjkeyId: fc:c8:93:03:5e:da:7e:73:6d:0a:61:2b:ad:1d:00:06:12:c8:77:24
  pubkey:    RSA 2048 bits
  keyid:     e5:61:11:92:fe:ad:3f:df:a8:77:a0:ba:c5:f3:36:48:0a:8c:2d:97
  subjkey:   fc:c8:93:03:5e:da:7e:73:6d:0a:61:2b:ad:1d:00:06:12:c8:77:24
  Keypair:   mycert-key
  Fingerprint: D51636591648DBDE21FEEFA4C6DF4B38A96502B5
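The CA-side half of the terminal-enrollment procedure above (signing the CSR the router prints, and checking that the result chains to the CA the trustpoint was authenticated against, as the import note requires), as an added example that is not part of SoodarOS or this page. It assumes openssl is installed; the CA, the CSR and the SAN values are constructed stand-ins for the page's temp.com CA and my.org certificate.

```shell
#!/bin/sh
# Added example, not SoodarOS code: the CA-side half of terminal enrollment.
# The router prints a PKCS#10 CSR after "crypto pki enroll TP"; the administrator
# signs it with the CA the trustpoint was authenticated against and pastes the
# result back with "crypto pki import TP certificate". Requires openssl.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; exit 0; }
WORK="$(mktemp -d)"

# Throwaway CA standing in for the page's "C=IR, O=Temp Corp., CN=temp.com".
make_ca() {                                  # $1 = dir, $2 = CN
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1095 \
    -keyout "$1/ca.key" -out "$1/ca.crt" -subj "/C=IR/O=Temp Corp./CN=$2" >/dev/null 2>&1
}

# Constructed stand-in for the CSR the router prints (in practice, paste it into a file).
make_csr() {                                 # $1 = dir, $2 = CN, $3 = SAN list
  openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$1/dev.key" -out "$1/dev.csr" \
    -subj "/C=IR/O=My Org/CN=$2" -addext "subjectAltName=$3" >/dev/null 2>&1
}

# Read the SANs the device asked for, so the CA can review them before issuing.
requested_sans() {                           # $1 = csr; prints "DNS:a,DNS:b"
  openssl req -in "$1" -noout -text | sed -n 's/^ *DNS:/DNS:/p' | tr -d ' '
}

# Sign the CSR. "openssl x509 -req" drops the CSR's requested extensions, so the
# SANs must be re-applied via -extfile or the issued certificate has no altNames.
sign_csr() {                                 # $1 = ca dir, $2 = csr, $3 = out cert
  sans="$(requested_sans "$2")"
  printf 'basicConstraints=CA:FALSE\n' > "$1/ext.cnf"
  if [ -n "$sans" ]; then printf 'subjectAltName=%s\n' "$sans" >> "$1/ext.cnf"; fi
  openssl x509 -req -in "$2" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -days 1095 -sha256 -extfile "$1/ext.cnf" -out "$3" >/dev/null 2>&1
}

# The condition the import step enforces: the certificate must chain to the
# trustpoint's authenticated CA. Returns 0 if it does, non-zero otherwise.
chains_to() {                                # $1 = ca cert, $2 = leaf cert
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Number of DNS SANs in an issued certificate (should match the CSR).
san_count() {                                # $1 = cert
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:' | wc -l | tr -d ' '
}

# Walk the page's scenario: CN=my.org with two SANs, signed by the temp.com CA.
make_ca "$WORK" temp.com
make_csr "$WORK" my.org "DNS:other.my.org,DNS:other2.my.com"
sign_csr "$WORK" "$WORK/dev.csr" "$WORK/dev.crt"
if chains_to "$WORK/ca.crt" "$WORK/dev.crt"; then
  echo "dev.crt chains to temp.com with $(san_count "$WORK/dev.crt") SANs; paste it into the import prompt"
fi
```

Running the same chains_to check against a different CA's certificate fails, which is exactly the case the import note says the device rejects.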

Self-signed Trustpoints

Self-signed certificates can be generated by the SoodarOS PKI system. Set the trustpoint's enrollment method to selfsigned and you are good to go. A self-signed trustpoint cannot be imported into or authenticated; enrolling the trustpoint generates the certificate.

Example :

n1(config)# crypto key generate rsa label self-signed-key
n1(config)# crypto pki trustpoint self-signed-tp
n1(ca-trustpoint)# enrollment selfsigned
n1(ca-trustpoint)# rsakeypair self-signed-key
n1(ca-trustpoint)# subject-name C=IR, O=Independent Ltd., CN=self.indie.com
n1(config)# crypto pki enroll self-signed-tp
n1# show crypto pki certificate self-signed-tp
Trustpoint: self-signed-tp
CA:
  subject:  "C=IR, O=Independent Ltd., CN=self.indie.com"
  issuer:   "C=IR, O=Independent Ltd., CN=self.indie.com"
  validity:  not before Jan 20 15:45:09 2021, ok
             not after  Jan 20 15:45:09 2024, ok (expires in 1094 days)
  serial:    15:9a:3b:16:34:f9:79:49
  flags:     CA CRLSign self-signed
  subjkeyId: 33:74:e2:a1:5e:d1:49:bf:c7:bf:f7:23:4c:c6:53:a0:07:56:24:09
  pubkey:    RSA 2048 bits
  keyid:     bd:12:cd:f2:1a:b7:d2:27:82:26:db:51:01:d2:60:0d:48:24:bf:3d
  subjkey:   33:74:e2:a1:5e:d1:49:bf:c7:bf:f7:23:4c:c6:53:a0:07:56:24:09
  Fingerprint: 89177619D312F1AEFAC0A5C8B9DE5E0196B56F16

Removing a private key

The admin can remove unused private keys. Removal is done securely by shredding and zeroing the key file.

crypto key zeroize RSAKEY

Shred a key pair.

Note

Removing a key invalidates the trustpoints that use it. It is the admin's duty to handle this situation: remove only unused keys, or first remove all certificates that depend on the key.

Removing a trustpoint

The admin can remove a trustpoint. This action removes the CA and general-purpose certificate (if available) and updates the system CA database.

no crypto pki trustpoint TPNAME

Viewing installed Certificates and keys

After installing a certificate, it can be viewed with a show command.

show crypto pki certificate [CA]

Show the available certificates on the device. If no name is provided, all certificates on the system are shown.

Example :

n1# show crypto pki certificate mycert
Trustpoint: n1Cert
CA:
  subject:  "C=IR, O=Temp Corp., CN=temp.com"
  issuer:   "C=IR, O=Temp Corp., CN=temp.com"
  validity:  not before Jan 20 15:12:34 2021, ok
             not after  Jan 20 15:12:34 2024, ok (expires in 1094 days)
  serial:    40:c4:fc:42:fd:37:b1:76
  altNames:  other.domain.com
  flags:     CA CRLSign self-signed
  subjkeyId: ec:2b:2e:2f:cb:c9:a3:49:1f:00:db:d0:8d:54:24:69:1e:0a:fd:64
  pubkey:    RSA 2048 bits
  keyid:     cf:d8:04:82:62:b9:f1:a9:84:75:56:e7:1b:5b:ac:4a:c8:ba:ae:21
  subjkey:   ec:2b:2e:2f:cb:c9:a3:49:1f:00:db:d0:8d:54:24:69:1e:0a:fd:64
  Fingerprint: 954E9105EEE221C7BCDF351BBA0184E950F82C75

General Purpose Certificate:
  subject:  "C=IR, O=My Org, CN=my.org"
  issuer:   "C=IR, O=Temp Corp., CN=temp.com"
  validity:  not before Jan 20 15:18:36 2021, ok
             not after  Jan 20 15:18:36 2024, ok (expires in 1094 days)
  serial:    56:6c:91:21:57:cf:b0:aa
  altNames:  other.my.org, other2.my.com
  flags:
  authkeyId: ec:2b:2e:2f:cb:c9:a3:49:1f:00:db:d0:8d:54:24:69:1e:0a:fd:64
  subjkeyId: fc:c8:93:03:5e:da:7e:73:6d:0a:61:2b:ad:1d:00:06:12:c8:77:24
  pubkey:    RSA 2048 bits
  keyid:     e5:61:11:92:fe:ad:3f:df:a8:77:a0:ba:c5:f3:36:48:0a:8c:2d:97
  subjkey:   fc:c8:93:03:5e:da:7e:73:6d:0a:61:2b:ad:1d:00:06:12:c8:77:24
  Keypair:   mycert-key
  Fingerprint: D51636591648DBDE21FEEFA4C6DF4B38A96502B5

show crypto key [[KEY] [json]] [ssh]

Show key information. If a key name is not provided, all keys on the system are shown. Output can be JSON (except for SSH keys).

Example :

n1# show crypto key mycert-key-rsa
Keypair Label: mycert-key-rsa
  Algorithm:   RSA
  Modulus:     2048 bits
  Subject key: FCC893035EDA7E736D0A612BAD1D000612C87724
  Key ID:      E5611192FEAD3FDFA877A0BAC5F336480A8C2D97
n1# show crypto key x25519-key
Keypair Label: x25519-key
  Algorithm:   X25519
  Public key:  DEE5089576AD02780EFEF6908034E6BD471C2C6DF7FE68FC77F12C5DFCDB9D59
  Public key base64:  3uUIlXatAngO/vaQgDTmvUccLG33/mj8d/EsXfzbnVk=
n1# show crypto key raw-key
Keypair Label: raw-key
  Algorithm:   Raw
  Length:      256 bits
n1# show crypto key json
{
  "keys":[
    {
      "label":"mycert-key-rsa",
      "algorithm":"RSA",
      "modulus":2048,
      "subject_key":"FCC893035EDA7E736D0A612BAD1D000612C87724",
      "key_id":"E5611192FEAD3FDFA877A0BAC5F336480A8C2D97"
    },
    {
      "label":"x25519-key",
      "algorithm":"X25519",
      "public_key":"DEE5089576AD02780EFEF6908034E6BD471C2C6DF7FE68FC77F12C5DFCDB9D59"
    },
    {
      "label":"raw-key",
      "algorithm":"RAW",
      "length":256
    }
  ]
}