Certificate specific

This command has two forms of output, summary and detailed. The CLI displays the details of a single certificate if its name is given. If the summary argument, or no argument, is given, a brief listing of all certificates is printed.

Syntax

(Switch_Name#)show crypto pki local-certificate summary|<cert-name>

Show local certificate information.

Example

Sample summary output:
Name                   Usage      Expiration     Parent / Profile
-------------------- ---------- -------------- --------------------
SSL_Certificate        Web        CSR            Customer Secondary PKI
Openflow_Cert          Openflow   2030/06/11     Intermediate01
Intermediate01         Inter      2014/01/01     Customer Primary PKI
Default_cert           All        2030/06/11     Intermediate02
Intermediate02         Inter      2014/01/01     Intermediate01

Summary mode lists all certificates below a TA profile, including both local certificates and installed intermediates. The names of intermediate certificates are transitory and can change after local certificates are added or removed. In detailed mode the certificate name is provided as an argument and details specific to that certificate are displayed. If the Expiration column shows CSR, detailed mode re-displays the CSR as described under the crypto pki create-csr local-certificate command.
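The summary table above is what an operator typically scrapes to check certificate health. The following Python is an added example (not switch firmware or HP code) that parses that table, walks the Parent / Profile column up to the TA profile, and flags certificates that are pending as a CSR, expired, or valid themselves but sitting below an expired intermediate. The input text is a constructed copy of the documented sample, and the column layout (name, usage, expiration, parent/profile) is assumed from the sample rather than from a published format specification.

```python
from datetime import date

# Constructed sample, modelled on the documented summary output (not captured from a real switch).
SAMPLE_SUMMARY = """\
Name                   Usage      Expiration     Parent / Profile
-------------------- ---------- -------------- --------------------
SSL_Certificate        Web        CSR            Customer Secondary PKI
Openflow_Cert          Openflow   2030/06/11     Intermediate01
Intermediate01         Inter      2014/01/01     Customer Primary PKI
Default_cert           All        2030/06/11     Intermediate02
Intermediate02         Inter      2014/01/01     Intermediate01
"""


def parse_summary(text):
    """Parse the summary table into a list of row dicts (assumed 4-column layout)."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Name") or line.startswith("---"):
            continue  # skip blank lines, the header and the separator
        parts = line.split(None, 3)  # parent/profile may contain spaces, so split at most 3 times
        if len(parts) < 4:
            continue
        name, usage, expiration, parent = parts
        rows.append({"name": name, "usage": usage,
                     "expiration": expiration, "parent": parent.strip()})
    return rows


def parse_expiration(text):
    """Return a date, or None when the column shows CSR (no certificate issued yet)."""
    if text == "CSR":
        return None
    year, month, day = (int(x) for x in text.split("/"))
    return date(year, month, day)


def chain(rows, name):
    """Follow Parent / Profile from a certificate up to the TA profile name.

    Entries that are not certificate names in the table are treated as profiles.
    A 'seen' set guards against a malformed table that loops."""
    by_name = {r["name"]: r for r in rows}
    path, seen = [], set()
    while name in by_name and name not in seen:
        seen.add(name)
        path.append(name)
        name = by_name[name]["parent"]
    path.append(name)  # terminal entry is the TA profile, not a certificate
    return path


def audit(rows, today, warn_days=90):
    """Map each certificate name to a status string relative to 'today'."""
    by_name = {r["name"]: r for r in rows}
    report = {}
    for r in rows:
        exp = parse_expiration(r["expiration"])
        if exp is None:
            report[r["name"]] = "csr-pending"
            continue
        if exp < today:
            report[r["name"]] = "expired"
            continue
        # An unexpired certificate is still unusable if an intermediate above it has expired.
        expired_parents = []
        for parent in chain(rows, r["name"])[1:]:
            if parent not in by_name:
                continue  # profile name, not a certificate
            pexp = parse_expiration(by_name[parent]["expiration"])
            if pexp is not None and pexp < today:
                expired_parents.append(parent)
        if expired_parents:
            report[r["name"]] = "chain-expired:" + ",".join(expired_parents)
        elif (exp - today).days <= warn_days:
            report[r["name"]] = "expiring"
        else:
            report[r["name"]] = "ok"
    return report


if __name__ == "__main__":
    rows = parse_summary(SAMPLE_SUMMARY)
    for name, status in audit(rows, date(2020, 1, 1)).items():
        print(f"{name:20} {status}")
```

Run against the sample with a reference date of 2020-01-01, both intermediates report as expired, and the two leaf certificates that chain through them report chain-expired even though their own expiration is 2030; the SSL certificate reports csr-pending. Because intermediate names are transitory, the chain is re-derived from the current table on every run rather than cached.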

All installed certificates are shown in the same way, provided that the fields exist in the certificate. For example, a CA-signed certificate has an "Issuer:" field with a different value from the "Subject:" field. In a self-signed certificate, these fields are set to the same value. Since the fields are present in either type of certificate, they are always shown. Similarly, a Root certificate is a self-signed certificate. A trust anchor certificate can be either a Root certificate or an Intermediate certificate. The same fields are present in the certificate, just set to different values.

When working in the summary mode:
  • An installed certificate may or may not have a subject key identifier.

  • An installed certificate may or may not contain an authority key identifier.

  • An installed certificate may or may not contain key usage constraints, which may or may not be marked critical.

  • When an extension is critical, the keyword "critical" is displayed; when the extension is not critical, no additional wording is displayed (see the screen display below).

While address ranges can be encoded in a certificate, this usage is not consistent with identifying a switch (or switch interface), so CIDR format is not expected. However, if present it must be displayed for diagnostic purposes. (CIDR format display can be eliminated by adding tests to reject certificates with a range at the time of certificate installation.) IP addresses are listed in lexicographical order, except that all IPv4 addresses are shown as a group before IPv6 addresses are displayed. IPv6 addresses are shown in full, without the “zeroes removed” notation.
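The display rules in the preceding paragraph (IPv4 before IPv6, each group in lexicographical order, IPv6 in full form, CIDR ranges kept for diagnostics) are small enough to state in code. The Python below is an added example, not the switch's own implementation, showing those rules applied to a constructed list of IP-address subject alternative names, plus a separate check that a defender could run before installation to find any range entries. It uses only the standard ipaddress module; the sample addresses are documentation and link-local values chosen for illustration.

```python
import ipaddress


def _display(net):
    """Render one entry the way the page describes: IPv6 fully expanded, CIDR kept."""
    host_bits = 32 if net.version == 4 else 128
    # exploded gives the full-form IPv6 text (no "zeroes removed" notation); for IPv4 it is unchanged
    addr = net.network_address.exploded
    return addr if net.prefixlen == host_bits else f"{addr}/{net.prefixlen}"


def ordered_ip_sans(entries):
    """Return IP-address SAN entries in documented display order.

    All IPv4 entries come first, then all IPv6 entries; each group is sorted
    lexicographically on its display string (string order, not numeric order,
    so "10.0.0.1" precedes "9.9.9.9"). Bare addresses and CIDR ranges are both accepted.
    """
    v4, v6 = [], []
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)  # strict=False tolerates host bits set
        (v4 if net.version == 4 else v6).append(_display(net))
    return sorted(v4) + sorted(v6)


def find_ranges(entries):
    """Return the entries that encode a range rather than a single host address.

    A switch identity should carry host addresses only, so a non-empty result is a
    reason to reject the certificate at installation time (the page's suggested test).
    """
    ranges = []
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        host_bits = 32 if net.version == 4 else 128
        if net.prefixlen != host_bits:
            ranges.append(entry)
    return ranges


if __name__ == "__main__":
    # Constructed sample SAN values (not from a real certificate).
    sans = ["2001:db8::1", "192.168.1.1", "fe80::1", "10.0.0.1", "9.9.9.9"]
    for line in ordered_ip_sans(sans):
        print(line)
    print("ranges:", find_ranges(sans + ["10.0.0.0/24"]))
```

The ordering function deliberately sorts on the rendered string so that the output matches what an operator will see on the CLI; if you need numeric ordering for comparison across devices, sort the ip_network objects instead and render afterwards.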

NOTE:

Per RFC 5280: "Certificate users MUST be able to handle serialNumber values up to 20 octets." Thus, the serial number can take 40 hex characters to print. The serial number is printed in hex to limit string length and to allow easier manual decoding of UUID-type serial numbers.

Certificate Detail:
Serial Number:    75A5A501ABCDEF12345675A5A501ABCDEF123456
Sig. Algorithm:   SHA1 with RSA encryption
Issuer:           CN=HP Networking Platform Certificate Authority 01,
 OU=HP Networking, O=Hewlett-Packard Company, L=Roseville, ST=California, C=US
Validity From: Mar 11 23:56:35 2010 GMT
Validity To: Mar 8 23:56:38 2030 GMT
Subject: CN=Model J1234A/serialNumber=SW123456780A, BaseMAC 010203-040506,
 OU=HP Networking EVPG, O=Hewlett-Packard Company
X509v3 Subject Key Identifier:  02:62:50:03:D1:7B:E3:68:F9:D7:67:5A:7D:FD:99:BC:AA:D8:07:B7
X509v3 Authority Key Identifier: C7:92:78:C5:19:66:46:DD:7C:47:C1:8D:47:5F:05:1A:C6:30:30:05
X509v3 Key Usage: Critical
Digital signature, Key encipherment, Key agreement

The detail form of the certificate-specific show command is also available from the web UI. The web UI displays only the configured certificates related to the web server: the SSL server certificate, the trust anchor certificate, and any other certificates configured as part of the certificate chain. All the certificates in the trust chain are displayed as well.