Owner's Manual
Chapter 17. Security | 515
NETGEAR 8800 User Manual
Creating Certificates and Private Keys
When you generate a certificate, the certificate is stored in the configuration file, and the
private key is stored in the EEPROM. The certificate generated is in PEM format.
To create a self-signed certificate and private key that can be saved in the EEPROM, use the
following command:
configure ssl certificate privkeylen <length> country <code> organization <org_name> common-name <name>
Make sure to specify the following:
• Country code (maximum size of 2 characters)
• Organization name (maximum size of 64 characters)
• Common name (maximum size of 64 characters)
Any existing certificate and private key is overwritten.
The size of the certificate depends on the RSA key length (privkeylen) and the length of the
other parameters (country, organization name, and so forth) supplied by the user. If the RSA
key length is 1024, then the certificate is approximately 1 kb. For an RSA key length of 4096,
the certificate length is approximately 2 kb, and the private key length is approximately 3 kb.
Downloading a Certificate Key from a TFTP Server
You can download a certificate key from files stored in a TFTP server. If the operation is
successful, any existing certificate is overwritten. After a successful download, the software
attempts to match the public key in the certificate against the private key stored. If the private
and public keys do not match, the switch displays a warning message similar to the following:
Warning: The Private Key does not match with the Public Key in the certificate.
This warning acts as a reminder to also download the private key.
Downloaded certificates and keys are not saved across switch reboots unless you save your
current switch configuration. After you use the save command, the downloaded certificate is
stored in the configuration file and the private key is stored in the EEPROM.
To download a certificate key from files stored in a TFTP server, use the following command:
download ssl <ip_address> certificate <cert file>
Note: For security reasons, you can only download a certificate key in the VR-Mgmt virtual router.
To see whether the private key matches with the public key stored in the certificate, use the
following command:
show ssl {detail}
This command also displays:
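The private-key/public-key match that the switch performs after download ssl can be run on the workstation before the files are placed on the TFTP server. The following shell script is an added example, not from the NETGEAR manual; it uses OpenSSL, and the file names, WORKDIR and the sample subject values are assumptions.

```shell
#!/bin/sh
# Added example, not from the NETGEAR manual: build a certificate/private key pair
# with OpenSSL on a workstation, enforce the parameter limits the manual lists for
# "configure ssl certificate", and run the same private-key/public-key match that
# the switch performs after "download ssl". File names and values are hypothetical.

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # assumption: scratch directory for the PEM files

# check_params COUNTRY ORG COMMON_NAME
# Mirrors the manual's limits: country <= 2 chars, organization <= 64, common name <= 64.
check_params() {
    [ -n "$1" ] && [ ${#1} -le 2 ] || { echo "country code: at most 2 characters" >&2; return 1; }
    [ ${#2} -le 64 ] || { echo "organization name: at most 64 characters" >&2; return 1; }
    [ ${#3} -le 64 ] || { echo "common name: at most 64 characters" >&2; return 1; }
}

# make_cert PRIVKEYLEN COUNTRY ORG COMMON_NAME
# Writes a self-signed PEM certificate and its RSA private key, the workstation
# equivalent of "configure ssl certificate privkeylen ... common-name ...".
make_cert() {
    check_params "$2" "$3" "$4" || return 1
    openssl req -x509 -newkey "rsa:$1" -nodes -days 365 \
        -keyout "$WORKDIR/switch.key" -out "$WORKDIR/switch.crt" \
        -subj "/C=$2/O=$3/CN=$4" 2>/dev/null
}

# key_matches_cert KEYFILE CERTFILE
# Succeeds only when the public half of KEYFILE equals the public key inside CERTFILE.
# A mismatch here is what produces the switch's "Private Key does not match" warning.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# Usage: generate a 2048-bit pair and confirm the two files belong together
# before copying switch.crt and switch.key to the TFTP server.
if [ "${1:-}" = "run" ]; then
    make_cert 2048 US "Example Org" switch01.example.net
    if key_matches_cert "$WORKDIR/switch.key" "$WORKDIR/switch.crt"; then
        echo "key and certificate match"
    else
        echo "key and certificate DO NOT match"
    fi
fi
```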