Users Guide

Generate a certificate signing request and private key
Create a private key and a CSR in EXEC mode. Store the CSR file in the home directory or flash: so that you can later copy it to a
CA server. Specify a keypath to store the device.key file in a secure persistent location, such as the home directory, or use the
private option to store the key file in a private hidden location in the internal file system that is not visible to users.
crypto cert generate request [cert-file cert-path key-file {private | keypath}]
[country 2-letter-code] [state state] [locality city] [organization organization-name]
[orgunit unit-name] [cname common-name] [email email-address] [validity days]
[length length] [altname alt-name]
If you enter the cert-file option, you must enter all the required parameters, such as the local paths where the certificate and
private key are stored, country code, state, locality, and other values.
If you do not specify the cert-file option, you are prompted to fill in the other parameter values for the certificate interactively; for
example:
You are about to be asked to enter information that will be incorporated into your
certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value; if you enter '.', the field will be left blank.
Country Name (2 letter code) [US]:
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) []:Starfleet Command
Organizational Unit Name (eg, section) []:NCC-1701A
Common Name (eg, YOUR name) [hostname]:S4148-001
Email Address []:scotty@starfleet.com
The switch uses SHA-256 as the digest algorithm. The public key algorithm is RSA with a 2048-bit modulus. The KeyUsage bits of the
certificate assert keyEncipherment (bit 2) and keyAgreement (bit 4). The keyCertSign bit (bit 5) is NOT set. The
ExtendedKeyUsage fields indicate serverAuth and clientAuth.
The attribute CA:FALSE is set in the Extensions section of the certificate. The certificate is NOT used to validate other certificates.
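Before installing the certificate the CA returns, it is worth confirming that the signed certificate still carries the end-entity profile described above (a CA may apply its own template). The following script is an added example, not part of the OS10 guide or Dell's code: it decodes the three relevant extension values (KeyUsage BIT STRING, ExtendedKeyUsage OID list, BasicConstraints) with a minimal DER walker and checks them against the stated profile. The extension byte strings at the bottom are constructed samples; in practice you would take them from the DER-encoded certificate, for example via a full X.509 parser such as the cryptography package.

```python
"""Check host-certificate extensions against the profile described above:
KeyUsage asserts keyEncipherment (bit 2) and keyAgreement (bit 4) and not
keyCertSign (bit 5); ExtendedKeyUsage lists serverAuth and clientAuth;
BasicConstraints says CA:FALSE. Standard library only."""

# RFC 5280 KeyUsage bit positions: bit 0 is the most significant bit of the
# first content byte of the DER BIT STRING.
KEY_USAGE_BITS = {
    0: "digitalSignature", 1: "nonRepudiation", 2: "keyEncipherment",
    3: "dataEncipherment", 4: "keyAgreement", 5: "keyCertSign",
    6: "cRLSign", 7: "encipherOnly", 8: "decipherOnly",
}
EKU_OIDS = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
}


def _tlv(der: bytes, pos: int = 0):
    """Decode one DER TLV at pos; return (tag, value, next_pos)."""
    tag = der[pos]
    length = der[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(der[pos:pos + n], "big")
        pos += n
    value = der[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER value")
    return tag, value, pos + length


def decode_key_usage(der: bytes) -> set:
    """Return the set of KeyUsage names asserted by a DER BIT STRING."""
    tag, value, _ = _tlv(der)
    if tag != 0x03 or not value:
        raise ValueError("KeyUsage must be a BIT STRING")
    unused, bits = value[0], value[1:]     # first byte = unused trailing bits
    names = set()
    for i in range(len(bits) * 8 - unused):
        if bits[i // 8] & (0x80 >> (i % 8)):
            names.add(KEY_USAGE_BITS.get(i, f"bit{i}"))
    return names


def _decode_oid(value: bytes) -> str:
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # last base-128 byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_extended_key_usage(der: bytes) -> set:
    """Return EKU purpose names (dotted OID if not in EKU_OIDS)."""
    tag, seq, _ = _tlv(der)
    if tag != 0x30:
        raise ValueError("ExtendedKeyUsage must be a SEQUENCE")
    pos, names = 0, set()
    while pos < len(seq):
        oid_tag, oid, pos = _tlv(seq, pos)
        if oid_tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        dotted = _decode_oid(oid)
        names.add(EKU_OIDS.get(dotted, dotted))
    return names


def decode_basic_constraints_ca(der: bytes) -> bool:
    """Return the cA flag of a BasicConstraints SEQUENCE (DER default FALSE)."""
    tag, seq, _ = _tlv(der)
    if tag != 0x30:
        raise ValueError("BasicConstraints must be a SEQUENCE")
    if seq and seq[0] == 0x01:             # optional BOOLEAN cA present
        _, flag, _ = _tlv(seq)
        return flag != b"\x00"
    return False


def check_host_cert_profile(key_usage_der, eku_der, basic_constraints_der) -> dict:
    """Compare decoded extensions with the profile the switch generates."""
    ku = decode_key_usage(key_usage_der)
    eku = decode_extended_key_usage(eku_der)
    is_ca = decode_basic_constraints_ca(basic_constraints_der)
    ok = ({"keyEncipherment", "keyAgreement"} <= ku
          and "keyCertSign" not in ku
          and {"serverAuth", "clientAuth"} <= eku
          and not is_ca)
    return {"key_usage": sorted(ku), "eku": sorted(eku), "ca": is_ca, "ok": ok}


# Constructed sample extension values (DER), not taken from any real certificate.
GOOD_KEY_USAGE = bytes.fromhex("03020328")      # keyEncipherment + keyAgreement
CA_KEY_USAGE = bytes.fromhex("03020106")        # keyCertSign + cRLSign
GOOD_EKU = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070302")
END_ENTITY_BC = bytes.fromhex("3000")           # CA:FALSE (cA omitted)
CA_BC = bytes.fromhex("30030101ff")             # CA:TRUE

if __name__ == "__main__":
    print(check_host_cert_profile(GOOD_KEY_USAGE, GOOD_EKU, END_ENTITY_BC))
    print(check_host_cert_profile(CA_KEY_USAGE, GOOD_EKU, CA_BC))
```

The first call reports ok=True; the second, which feeds it a CA-style KeyUsage and CA:TRUE, reports ok=False. A certificate that fails this check would still install, but it would not match the end-entity profile the switch requested in the CSR and should be sent back to the CA rather than used for RADIUS over TLS or similar services.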
If necessary, re-enter the command to generate multiple certificate-key pairs for different applications on the switch. You can configure
a certificate-key pair in a security profile. Using different certificate-key pairs is necessary if you want to change the certificate-key pair
for a specified application without interrupting other critical services. For example, RADIUS over TLS may use a different
certificate-key pair than SmartFabric services.
NOTE: If the system is in FIPS mode using the crypto fips enable command, the CSR and private key are generated using FIPS-
validated and compliant algorithms. You manage whether the keys are generated in FIPS mode or not.
Copy CSR to the CA server
You can copy the CSR from flash to a destination, such as a USB flash drive, using TFTP, FTP, or SCP.
OS10# copy home://DellHost.pem scp:///tftpuser@10.11.178.103:/tftpboot/certs/DellHost.pem
password:
The CA server signs the CSR with its private key. The CA server then makes the signed certificate available for the OS10 switch to
download and install.
Install host certificate
1 Use the copy command to download an X.509v3 certificate signed by a CA server to the local home directory using a secure
method, such as HTTPS, SCP, or SFTP.
2 Use the crypto cert install command to install the certificate and the private key generated with the CSR.
Install a trusted certificate and key file in EXEC mode.
crypto cert install cert-file home://cert-filepath key-file {key-path | private}
[password passphrase] [fips]