Certificate specific

This command displays summary information for all certificates or detailed information for the named certificate.

show crypto pki local-certificate [summary | <Cert-Name>]

Example of displaying certificate summary information:

switch# show crypto pki local-certificate summary
   Name                 Usage         Expiration     Parent / Profile
   -------------------- ------------- -------------- ----------------
   IDEVID_CERT          IDEVID        2031/01/26     IDEVID_INTER_1
   IDEVID_INTER_1       IDEVID        2031/01/26     IDEVID_INTER_2
   IDEVID_INTER_2       IDEVID        2031/01/26     IDEVID_ROOT

Summary mode lists all certificates below a TA profile, including both local certificates and installed intermediates. The names of intermediate certificates are transitory and can change after local certificates are added or removed. In detailed mode the “certificate name” can be provided as an argument and details specific to the certificate are displayed. If the “expiration” displays CSR, then detailed mode re-displays the CSR as described with the crypto pki create-csr local-certificate commands.

All installed certificates are shown in the same way, provided that the fields exist in the certificate. For example, a CA signed certificate has an “Issuer:” field with a different value from the “Subject” field. In a self-signed certificate, these fields are set to the same value. Since the fields are present in either type of certificate, they are always shown. Similarly, a Root certificate is a self-signed certificate. A trust anchor certificate can be either a Root certificate or an Intermediate certificate. The same fields are present in the certificate—just set to different values.

When working in the summary mode:
  • An installed certificate can or can not have a subject key identifier.

  • An installed certificate can or can not contain an authority key identifier.

  • An installed certificate can or can not contain key usage constraints, which can or can not be marked critical.

  • When an extension is critical, the keyword “critical” is displayed; when the extension is not critical, no additional wording is displayed.

While address ranges can be encoded in a certificate, this usage is not consistent with identifying a switch (or switch interface), so CIDR format is not expected. However, if present it must be displayed for diagnostic purposes. (CIDR format display can be eliminated by adding tests to reject certificates with a range at the time of certificate installation.) IP addresses are listed in lexicographical order, except that all IPv4 addresses are shown as a group before IPv6 addresses are displayed. IPv6 addresses are shown in full, without the “zeroes removed” notation.


Per RFC-5280: “Certificate users MUST be able to handle serial Number values up to 20 octets.” Thus, the serial number can take 40 hex characters to print. The serial number is printed in hex to limit string length and to allow easier manual decoding of UUID type serial numbers.

The detail form of the certificate specific show command is available from the web UI. The web UI allows display of those configured certificates related to the web server only. This includes the SSL server certificate, trust anchor certificate and any other certificates configured as part of the certificate chain. All the certificates in the trust chain are also displayed.