show ipsec certificates

(Encryption interface on M Series and T Series routers only) Display information about the IPSec certificate database.

Options

none — Display standard information about all of the entries in the IPSec certificate database.

crl crl-name | serial-number — (Optional) Display information about the entries on the certificate revocation list (CRL) or for the specified serial number. A CRL is a timestamped list identifying revoked certificates. The CRL is signed by a certificate authority (CA) or CRL issuer and made freely available in a public repository. Each revoked certificate is identified in a CRL by its certificate serial number.

Required Privilege Level

Related Topics

List of Sample Output

Output Fields

Table 234 lists the output fields for the show ipsec certificates command. Output fields are listed in the approximate order in which they appear.

Sample Output

Field Name	Field Description	Level of Output
Database	Display information about the IPSec certificate database. Total entries—Number of database entries, including entries that are not trusted or that are in the process of being deleted. Active entries—Number of database entries, excluding entries that are marked as deleted. Locked entries—Number of statically configured database entries that cannot expire, such as CA certificates that are root or trusted.	All levels
Subject	Distinguished name for the certificate for C, O, CN, as described in RFC 3280, Internet x.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.	All levels
ID	Identification number of the database entry. ID is generated by the internal certificate database.	All levels
References	Reference number the certificate manager has for the particular entry.	detail
Serial	Unique serial number assigned to each certificate by the CA.	All levels
Flags	State of the certificate. Trusted—Passed validity checks. Not trusted—Failed validity checks. Root—Entry is locked and may have been learned through IKE or a locally configured CA certificate. Non-root—Entry is not locked. Crl-issuer—Entity issues CRLs. Non-crl-issuer—Entity does not issue CRLs.	detail
Validity period starts	Start time that the certificate is valid, in the format yyyy mon dd, hh:mm:ss GMT.	detail
Validity period ends	End time that the certificate is valid, in the format yyyy mon dd, hh:mm:ss GMT.	detail
Alternative name information	Auxiliary identity for the certificate: dns-name, email-address, ip-address, or uri (uniform resource identifier).	detail
Issuer	Information about the entity that has signed and issued the CRL as described in RFC 2459, Internet X.509 Public Key Infrastructure Certificate and CRL Profile.	detail

show ipsec certificates detail

user@host> show ipsec certificates detail

Database: Total entries: 3 Active entries: 4 Locked entries: 1
Subject: C=us, O=x
  ID: 5, References: 0, Serial: 22314868
  Flags: Trusted Non-root Crl-issuer
  Validity period starts: 2003 Mar  1st, 01:20:42 GMT
  Validity period ends: 2003 Mar 31st, 01:50:42 GMT
  Alternative name information:
    IP address: 10.20.210.1
  Issuer: C=FI, O=Company-ABC, CN=Company ABC class 2

Subject: C=us, O=x
  ID: 4, References: 0, Serial: 22315496
  Flags: Trusted Non-root Crl-issuer
  Validity period starts: 2003 Mar  1st, 01:21:45 GMT
  Validity period ends: 2003 Mar 31st, 01:51:45 GMT
  Alternative name information:
    IP address: 10.20.210.20
  Issuer: C=FI, O=Company-ABC, CN=Company ABC class 2

Subject: C=FI, O=SSH Company-ABC, CN=Company ABC class 2
  ID: 1, References: 1, Serial: 1538512
  Flags: Trusted Root Non-crl-issuer
  Validity period starts: 2001 Aug  1st, 07:08:32 GMT
  Validity period ends: 2004 Aug  1st, 07:08:32 GMT
  Alternative name information:
    Email address: certifier-support@ssh.com
  Issuer: C=FI, O=Company-ABC, CN=Company ABC class 2

Syntax