Specifications

ManualsBrandsEnterasys ManualsComputer equipmentRoamAbout RBT-8100

331

332

333

334

335

336

337

338

339

340

Creating Keys and Certificates

RoamAbout Mobility System Software Configuration Guide 16-7

Creating Public-Private Key Pairs

Touseaself‐signedcertificateorCertificateSigning Req uest (CSR)certificateforRoamAbout

switchauthentication,youmustgenerateapublic‐privatekeypair.

Tocreateapublic‐privatekeypair,usethefollowingcommand:

crypto generate key {admin | domain | eap | ssh | web} {128 | 512 | 1024 | 2048}

Choosethekeylengthbasedonyourneedforsecurityortoconformwithyourorganization’s

practices.

Example

Forexample,thefollowingcommandgeneratesanadministrativekeypairof1024bits:

RBT-8100# crypto generate key admin 1024

admin key pair generated

Somekeylengthsapplyonlytospecifickeytypes.Forexample,128appliesonlytodomainkeys.

SSHrequiresanSSHauthenticationkey,butyoucanallowMSStogenerateitautomatically.The

firsttimeanSSHclientattemptstoaccesstheSSHserveronaRoamAboutSwitch,theswitch

automatically

generatesa1024‐byteSSHkey.Ifyouwanttouse a 2048‐bytekeyinstead,usethe

cryptogeneratekeyssh2048commandtogenerateone.

Generating Self-Signed Certificates

Aftercreatingapublic‐privatekeypair,youcangenerateaself‐signedcertificate.Togeneratea

self‐signedcertificate,usethefollowingcommand:

crypto generate self-signed {admin | eap | web}

Whenyoutypethecommand,theCLIpromptsyoutoenterinformationtoidentifythecertificate.

Example

RBT-8100# crypto generate self-signed admin

Country Name: US

State Name: CA

Locality Name: San Jose campus

Organizational Name: Enterasys

Organizational Unit: eng

Common Name: RAS1

Email Address: admin@example.com

Unstructured Name: RAS in wiring closet 120

Youmustincludeacommonname(string)whenyougenerateaself‐signedcertificate.Theother

informationisoptional.Useafullyqualifiednameifsuchnamesaresupportedonyournetwork.

Thecertificateappearsafteryouenterthisinformation.

Note: After you generate or install a certificate (described in the following sections), do not create

the key pair again. If you do, the certificate might not work with the new key, in which case you will

need to regenerate or reinstall the certificate.