Always set the CertStatus attributes before loading the actual certificate data, because otherwise the CMTS
will assume the certificate is chained and will immediately attempt to verify it with the manufacturers and
root certificates.
Tip
For example, to use the Unix command-line SNMP utility to add a manufacturer’s certificate to the list of
trusted certificates on the CMTS at IP address 192.168.100.134, enter the following command (be sure to
substitute a valid index pointer for the table entry for the <index> value).
% setany -v2c 192.168.100.134 private docsBpi2CmtsCACertStatus.
<index>
-i 4
docsBpi2CmtsCACert.
<index>
-o
'<hex_data>' docsBpi2CmtsCACertTrust.
<index>
-i 1
To do the same thing for a CM certificate, use the following command:
% setany -v2c 192.168.100.134 private docsBpi2CmtsProvisionedCmCertStatus.
<index>
-i 4 docsBpi2CmtsProvisionedCmCert.
<index>
-o
'<hex_data>' docsBpi2CmtsProvisionedCmCertTrust.
<index>
-i 1
Most operating systems cannot accept input lines that are as long as needed to input the hexadecimal
decimal string that specifies a certificate. For this reason, you should use a graphical SNMP manager to
set these attributes. For a number of certificates, you can also use a script file, if more convenient.
Tip
If you are adding self-signed certificates, you must also use the cable privacy accept-self-signed-certificate
command before the CMTS will accept the certificates.
Note
Adding a Manufacturer’s or CM Certificate to the Hotlist
The DOCSIS specifications allow operators to add a digital manufacturer’s or CM certificate to a hotlist (also
known as the certificate revocation list, or CRL) on the CMTS, to indicate that this particular certificate should
no longer be accepted. This might be done when a user reports that their cable modem has been stolen, or
when the service provider decides not to support a particular manufacturer’s brand of cable modems.
Adding a Certificate to the Hotlist Using SNMP Commands
You can also use an SNMP manager to create and add certificates to the hotlist by manipulating the tables
and attributes in the DOCS-BPI-PLUS-MIB . To add a manufacturer’s certificate, add an entry to the
docsBpi2CmtsCACertTable table. Specify the following attributes for each entry:
• docsBpi2CmtsCACertStatus—Set to 4 to create the row entry.
Cisco cBR Series Converged Broadband Routers Quality of Services Configuration Guide for Cisco IOS XE Fuji
16.7.x
55
DOCSIS 1.1 for the Cisco CMTS Routers
Adding a Manufacturer’s or CM Certificate to the Hotlist
To Next Page
Loading...
Need help?
General
