The api call-home host certificate identity command configures CN verification for the certificate of a call-home host.
The undo api call-home host certificate identity command disables CN verification for the certificate of a call-home host.
By default, the device does not perform CN verification on the certificate of a call-home host.
api call-home host hostname certificate identity cn-name
undo api call-home host hostname certificate identity
| Parameter | Description | Value |
|---|---|---|
| hostname | Specifies the call-home host name. | The value is a string of 1 to 31 case-sensitive characters. Spaces are not supported. The call-home host must already exist. |
| cn-name | Specifies the CN field of the call-home host certificate. | The value is a string of 1 to 64 case-sensitive characters. When double quotation marks are used around the string, spaces are allowed in the string. |
In the call-home scenario, when the FW proactively connects to a call-home host, it uses the preconfigured or imported CA certificate to verify the validity of the call-home host's certificate by default.

If CN verification is not configured, the FW only checks whether the certificate was issued by a legitimate CA; it does not check whether the certificate was issued for this particular call-home host. If a host certificate is lost, an attacker who obtains it may use it to impersonate the host. You are therefore advised to enable CN verification so that the CN field of the call-home host certificate is checked as well. The certificate is accepted only when its CN field is the same as the configured CN field.