Technical data
3-20 Fabric OS Administrator’s Guide
Publication Number: 53-0000518-09
Configuring for the SSL Protocol
3
Choosing a Certificate Authority
To ease maintenance and allow secure out-of-band communication between switches, consider using
one certificate authority (CA) to sign all management certificates for a fabric. If you use different CAs,
management services operate correctly, but the Web Tools Fabric Events button is unable to retrieve
events for the entire fabric.
Each CA (for example, Verisign or GeoTrust) has slightly different requirements; for example, some
generate certificates based on IP address, while others require an FQDN, and most require a 1024-bit
public/private key while some might accept a 2048-bit key. Consider your fabric configuration, check
CA Web sites for requirements, and gather all the information that the CA requires.
Generating a Public/Private Key
Perform this procedure on each switch:
1. Connect to the switch and log in as admin.
2. Enter this command to generate a public/private key pair:
The system reports that this process will disable secure protocols, delete any existing CSR, and
delete any existing certificates.
3. Respond to the prompts to continue and select the key size:
Because CA support for the 2048-bit key size is limited, you should select 1024 in most cases.
Generating and Storing a CSR
After generating a public/private key (see “Generating a Public/Private Key,” earlier), perform this
procedure on each switch:
1. Connect to the switch and log in as admin.
2. Enter this command:
switch:admin> seccertutil genkey
Continue (yes, y, no, n): [no] y
Select key size [1024 or 2048]: 1024
Generating new rsa public/private key pair
Done.
switch:admin> seccertutil gencsr