- Dell EMC SmartFabric OS10 Security Best Practices Guide May 2021
- OS10 security best practices
different common name for the switch; for example, an IP address. If the common-name value does not match the
identity of the device, a signed certificate does not validate.
○ email email-address—Enter a valid email address used to communicate with the organization.
○ validity days—Enter the number of days that the certificate is valid. For a CSR, validity has no effect. For a
self-signed certificate, the default is 3650 days or 10 years.
○ length bit-length—Enter the key length in bits. For FIPS mode, the range is from 2048 to 4096; for non-FIPS mode, the range is from 1024 to 4096. The default key length for both FIPS and non-FIPS mode is 2048 bits. The minimum key length is 2048 bits in FIPS mode and 1024 bits in non-FIPS mode.
○ altname altname—Enter an alternate name for the organization; for example, an IP address, such as altname IP:192.168.1.100.
● Copy the CSR to the CA server.
OS10# copy home://DellHost.pem scp:///file-path/DellHost.pem
password:
The CA server signs the CSR with its private key. The CA server then makes the signed certificate available for the OS10 switch to download and install.
● Install the host certificate.
○ Use the copy command to download an X.509v3 certificate signed by a CA server to the local home directory using a
secure method, such as HTTPS, SCP, or SFTP.
○ Use the crypto cert install command to install the certificate and the private key generated with the CSR.
crypto cert install cert-file home://cert-filepath key-file {key-path | private} [password passphrase] [fips]
Generate a certificate signing request and private key
OS10# crypto cert generate request cert-file home://DellHost.pem key-file home://DellHost.key email admin@dell.com length 1024 altname DNS:dell.domain.com
Processing certificate ...
Successfully created CSR file /home/admin/DellHost.pem and key
OS10# copy home://DellHost.pem scp:///tftpuser@10.11.178.103:/tftpboot/certs/DellHost.pem
password:
OS10# copy scp:///tftpuser@10.11.178.103:/tftpboot/certs/Dell_host1_CA1.pem home://Dell_host1_CA1.pem
password:
OS10# copy scp:///tftpuser@10.11.178.103:/tftpboot/certs/Dell_host1_CA1.key home://Dell_host1_CA1.key
password:
OS10# crypto cert install cert-file home://Dell_host1_CA1.pem key-file home://Dell_host1_CA1.key
Processing certificate ...
Certificate and keys were successfully installed as "Dell_host1_CA1.pem" that may be used in a security profile. CN = Dell_host1_CA1
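The key-length ranges and altname forms described above can be checked before a request is typed on the switch. The following Python script is an added example, not Dell or OS10 code: the names parse_request and audit_request are hypothetical, keyword values are assumed to be single words, and only the IP: and DNS: altname forms shown on this page are recognized. It is run on the request from the sample session above.

```python
import ipaddress

# Key-length ranges in bits for each mode, as stated in this guide.
KEY_RANGE = {"fips": (2048, 4096), "non-fips": (1024, 4096)}
DEFAULT_LENGTH = 2048  # default for both modes, per this guide
# The request from this section's sample session, joined onto one line.
SAMPLE = ("crypto cert generate request cert-file home://DellHost.pem "
          "key-file home://DellHost.key email admin@dell.com "
          "length 1024 altname DNS:dell.domain.com")


def parse_request(command):
    """Split the keyword/value pairs of a CSR request into a dict."""
    tokens = command.split()
    if tokens[:4] != ["crypto", "cert", "generate", "request"]:
        raise ValueError("not a 'crypto cert generate request' command")
    args = tokens[4:]
    if len(args) % 2:
        raise ValueError("keyword without a value: " + args[-1])
    return dict(zip(args[0::2], args[1::2]))


def audit_request(command, mode="non-fips"):
    """Return findings for one request; an empty list means none."""
    opts = parse_request(command)
    findings = []
    low, high = KEY_RANGE[mode]
    raw = opts.get("length", str(DEFAULT_LENGTH))
    bits = int(raw) if raw.isdigit() else -1
    if not low <= bits <= high:
        findings.append(f"length {raw}: outside {low}-{high} for {mode} mode")
    elif bits < KEY_RANGE["fips"][0]:
        findings.append(f"length {raw}: below the 2048-bit FIPS minimum")
    alt = opts.get("altname")
    if alt is not None:
        kind, _, value = alt.partition(":")
        if kind == "IP":
            try:
                ipaddress.ip_address(value)
            except ValueError:
                findings.append(f"altname {alt}: not a valid IP address")
        elif kind != "DNS" or not value:
            findings.append(f"altname {alt}: expected IP:<addr> or DNS:<name>")
    return findings

if __name__ == "__main__":
    for mode in ("non-fips", "fips"):
        print(mode, audit_request(SAMPLE, mode))
```

The sample request passes the non-FIPS range check but is flagged because length 1024 is below the FIPS minimum, and it is rejected outright when audited for FIPS mode.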
Display trusted certificates
The following output displays the installed certificates, the validity period, and details about the CA.
OS10# show crypto cert
--------------------------------------
| Installed non-FIPS certificates |
--------------------------------------
Dell_host1_CA1.pem
--------------------------------------
| Installed FIPS certificates |
--------------------------------------
OS10# show crypto cert Dell_host1_CA1.pem
------------ Non FIPS certificate -----------------
Certificate:
Data: