Administrator Guide
the CA certificates file is kept in a root-last order. The file may contain multiple certificates in PEM format concatenated
together. This file is stored in a private and persistent location on the device such as the flash://ADMIN_DIR folder.
After the CA certificate is installed, the system can secure communications with TLS servers by verifying certificates that are
signed by the CA.
Installing CA certificate
To install a CA certificate, perform the following step:
Enter the following command in the global configuration mode:
crypto ca-cert install {path}
Information about Creating Certificate Signing
Requests (CSR)
Certificate Signing Request (CSR) enables a device to get a X.509v3 certificate from a CA.
In order for a device to get a X.509v3 certificate, the device first requests a certificate from a CA through a Certificate Signing
Request (CSR). While creating a CSR, you need to provide the information about the certificate and the private key details. Dell
Networking OS enable you to create a private key and a CSR for a device using a single command.
NOTE: For the procedure on creating CSRs, see Creating Certificate Signing Requests (CSRs).
If you do not specify the cert-file option, the system prompts you to enter metadata information related to the CSR as follows:
You are about to be asked to enter information that will be incorporated into your
certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value; if you enter '.', the field will be left
blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) []:Starfleet Command
Organizational Unit Name (eg, section) []:NCC-1701A
Common Name (eg, YOUR name) [hostname]:S4810-001
Email Address []:scotty@starfleet.com
The system uses SHA-256 as the digest algorithm and the public key algorithm is RSA with a 2048-bit modulus. The KeyUsage
bits of the certificate assert keyEncipherment (bit 2) and keyAgreement (bit 4). The keyCertSign bit (bit
5) is NOT be set. The ExtendedKeyUsage fields indicate serverAuth and clientAuth.
The “CA:FALSE” is set in the Extensions section of the certificate. The certificate is NOT used to validate other certificates.
The CSR is then copied out to the CA server. It can be copied from flash to a destination like usbflash, tftp, ftp, or SCP.
The CA server signs the CSR with its private key. The CA server then makes the signed certificate available for the requesting
device to download and install.
Creating Certificate Signing Requests (CSR)
To create a private key and CSR, perform the following step:
In global configuration mode, enter the following command:
crypto cert generate {self-signed | request} [cert-file cert-path key-file {private | key-
path}] [country 2-letter code] [state state] [locality city] [organization organization-
name] [orgunit unit-name] [cname common-name] [email email-address] [validity days] [length
length] [altname alt-name]
You must specify the following parameters for this command:
● Certificate File
X.509v3
1099