Access Security Guide K/KA/KB.15.15

KFzmffQJXRXOnH6rfQSNYBXndg0azhc8saORrOqrTn3Yw3psYSNMbA==
-----END CERTIFICATE REQUEST-----
Local certificate enrollment — manual mode
You must manually copy the certificate signing request (CSR) created with the “create-csr” command
(above) and have it signed by a CA. The local certificate status is updated to “pending” after the
CSR is created. A pending certificate request is not persistent across a power cycle or reboot.
Once the CA-signed certificate response is received, the user executes the following command
and pastes the signed certificate provided by the CA on the command line.
The switch retains the name of the certificate used when creating the CSR in memory while waiting
for the signed certificate to be installed. When the signed certificate is pasted to the command
line, the switch matches the certificate to the CSR by matching the public key and then saves the
signed certificate to flash. The signed certificate will not be accepted if a CSR does not exist or if
the trust chain cannot be verified (for example, if the CA’s root certificate is not installed in the
Trust Anchor Profile).
Syntax
(config)# crypto pki install-signed-certificate <data>
When intermediate certificates are to be individually installed, the local-certificate name is used
and certificate manager uses this name to build the certificate chain between the root and the leaf
certificate of the specified name. Intermediate certificates must be presented in order from the trust
anchor to the local (leaf) certificate. The user is prompted to paste the new certificate (PEM-encoded
PKCS#7) to the command line. The provided data is parsed internally by Certificate Manager and
stored in DER format thus requiring no additional parsing in CLI. The following text appears.
NOTE: To install a signed certificate, the certificate must match a previously created signing
request.
Pressing the Enter key with the cursor at the start of a blank line ends the paste operation. Using
WordPad to copy the certificate and paste it into this command is suggested.
The local or intermediate certificate is authenticated against the signature chain. If the signature
chain leads to an installed Trust Anchor, the certificate status is updated to “authenticated”. The
status is updated to “unauthenticated” if the certificate chain is not complete.
Local enrollment is also implemented in the Web UI; specifically, the Security > SSL page supports it
for the Web UI SSL server application. The Web UI does not provide general PKI configurability for
all applications (it does not allow creation or management of other device certificates).
NOTE: The self-signed certificate for a specific application (along with its key pair) is removed once
a CA-signed local certificate is installed for that application.
Self-signed certificate enrollment
This certificate installation method may be used when a Certificate Authority is not available. A
self-signed certificate provides the relying party no assurance of identity, so this is not as secure
as using a CA-signed certificate. A self-signed certificate may be useful, but its use is not
recommended.
A self-signed certificate may only be installed on the “default” TA-Profile, so the ta-profile-name
parameter is not present in the command.
Syntax
[no] crypto pki enroll-self-signed certificate-name [cert-name]