Cisco Packet Data Interworking Function (PDIF) Troubleshooting Guide
Engineering Rules
Cisco ASR 5000 Series Packet Data Interworking Function Administration Guide
OL-22963-01
X.509 Certificate (CERT) Restrictions
The following are known restrictions for the creation and use of X.509 CERT:
- The maximum size of CERT configuration is 1K bytes.
- The PDIF includes the CERT payload only in the first IKE_AUTH Response for the first authentication.
- The CERT payload will be sent in the AUTH response, if configured, irrespective of receiving CERT-REQ payload in the first IKEv2 AUTH request.
- The PDIF will not process a CERT payload from the MS and will respond accordingly (with INVALID_SYNTAX) if the CRITICAL bit is set in the payload.
- If the PDIF receives the CERT-REQ payload with the CRITICAL bit set in the IKE_AUTH request, the PDIF will reject the exchange. If the CRITICAL bit is not set, then the PDIF ignores the payload and proceeds with the exchange.
- Only a single CERT payload is supported. While [RFC-4306] mandates the support of up to 4 certificates, the PDIF service will support only one X.509 certificate per context. This is due to the size of an X.509 certificate. Inclusion of multiple certificates in a single IKE_AUTH may result in the IKE_AUTH message not being properly transmitted.
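
The CRITICAL-bit rules above can be checked against a captured IKE_AUTH request with a small payload walker. The following Python sketch is an added example, not Cisco code: it assumes the payload chain has already been decrypted out of the Encrypted payload, and the names `walk_payloads`, `pdif_decision` and `payload`, the decision strings, and the sample bytes are constructed for illustration.

```python
import struct

CERT, CERTREQ = 37, 38   # IKEv2 payload type numbers (RFC 4306, section 3.2)
CRITICAL = 0x80          # C bit: top bit of the second generic-header byte

def walk_payloads(first_type, data):
    """Yield (type, critical, body) for each payload in a decrypted chain."""
    ptype, off = first_type, 0
    while ptype != 0:                      # next-payload 0 ends the chain
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        next_type, flags, length = struct.unpack_from("!BBH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError("bad payload length")
        yield ptype, bool(flags & CRITICAL), data[off + 4:off + length]
        ptype, off = next_type, off + length

def pdif_decision(first_type, data):
    """Outcome the restrictions above describe for a request from the MS.

    The return strings are labels chosen for this example.
    """
    for ptype, critical, _body in walk_payloads(first_type, data):
        if ptype == CERT and critical:
            return "INVALID_SYNTAX"        # CERT from the MS, CRITICAL set
        if ptype == CERTREQ and critical:
            return "REJECT"                # CERT-REQ with CRITICAL set
    return "PROCEED"                       # non-critical CERT/CERT-REQ ignored

def payload(next_type, body, critical=False):
    """Build one generic payload (helper for the constructed samples)."""
    flags = CRITICAL if critical else 0
    return struct.pack("!BBH", next_type, flags, len(body) + 4) + body

# Constructed sample: IDi (35) -> CERTREQ (38, critical) -> AUTH (39)
SAMPLE_REQUEST = (
    payload(CERTREQ, b"\x01\x00\x00\x00ms")            # IDi body, next = CERTREQ
    + payload(39, b"\x04" + bytes(20), critical=True)  # CERTREQ, next = AUTH
    + payload(0, b"\x02\x00\x00\x00" + bytes(20))      # AUTH, end of chain
)

if __name__ == "__main__":
    print(pdif_decision(35, SAMPLE_REQUEST))
```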