API Guide

Validity
Not Before: Feb 11 20:10:12 2019 GMT
Not After : Feb 11 20:10:12 2020 GMT
Subject: emailAddress = admin@dell.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09
X509v3 Subject Alternative Name:
DNS:dell.domain.com
Signature Algorithm: sha256WithRSAEncryption
b8:83:ae:34:bb:84:e6:b4:a3:fd:77:20:67:15:3f:02:76:ca:
f6:74:d4:d2:36:0e:58:8c:96:13:c2:85:8a:df:ba:c0:d9:c8:
Certificate revocation
Rationale: A certificate revocation list (CRL) is a list of digital certificates that the issuing certificate authority (CA) has revoked before their scheduled expiration date. Such certificates must no longer be trusted.
Before the switch and an external device, such as a RADIUS or TLS server, set up a secure connection, they present CA-signed certificates to each other. Certificate validation lets each peer authenticate the other's identity; it is followed by a check that the certificate has not been revoked by the issuing CA.
A certificate includes the URL and other information about the certificate distribution point (CDP) that issued the certificate. Using that URL, OS10 accesses the CDP to download a certificate revocation list (CRL). If the external device's certificate is on the list, or if the CDP server does not respond, the connection is not set up; an unreachable CDP therefore fails closed rather than open.
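The check described above, as an added example that is not OS10 code: a stdlib-only Python walker that pulls the revoked serial numbers out of a DER-encoded CRL and applies the same decision rule, refusing the connection both when the peer's serial is listed and when the CDP cannot be reached. The CRL bytes are constructed inline and unsigned; signature and validity-period checks, which a real implementation must also perform, are assumed to happen elsewhere.

```python
# Added example, not OS10 code: stdlib-only DER walk of a CRL plus the deny rule from the text.
def _len(n):                       # DER length: short form below 128, else 0x80|count then big-endian
    k = (n.bit_length() + 7) // 8
    return bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
def der(tag, body):
    return bytes([tag]) + _len(len(body)) + body
def der_int(n):                    # (bit_length+8)//8 bytes adds a 0x00 byte whenever the top bit is set
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def tlv(buf, pos):                 # decode one TLV at pos -> (tag, value, position after it)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                  # long-form length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def children(body):                # all TLVs directly inside a constructed value
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = tlv(body, pos)
        out.append((tag, val))
    return out

def revoked_serials(crl_der):
    """Serials in CertificateList.tbsCertList.revokedCertificates (RFC 5280 section 5.1)."""
    fields = children(children(children(crl_der)[0][1])[0][1])   # CertificateList -> tbsCertList fields
    i = (1 if fields[0][0] == 0x02 else 0) + 2          # optional version, then sigAlg and issuer
    while i < len(fields) and fields[i][0] in (0x17, 0x18):   # thisUpdate, optional nextUpdate
        i += 1
    if i == len(fields) or fields[i][0] != 0x30:        # no revokedCertificates: empty CRL
        return set()
    return {int.from_bytes(children(entry)[0][1], "big", signed=True)
            for _, entry in children(fields[i][1])}

def connection_allowed(peer_serial, fetch_crl):
    """OS10 rule: refuse if the serial is on the CRL, and refuse if the CDP does not respond."""
    try:
        crl = fetch_crl()
    except OSError:                                     # CDP unreachable: fail closed
        return False
    return peer_serial not in revoked_serials(crl)

# Constructed, unsigned sample CRL: issuer CN=Test CA, serials 0x1001 and 0x1002 revoked.
_SHA256_RSA = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
_utc = lambda s: der(0x17, s.encode())
_ISSUER = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x13, b"Test CA"))))
_entry = lambda serial, when: der(0x30, der_int(serial) + _utc(when))
SAMPLE_CRL = der(0x30, der(0x30, der_int(1) + _SHA256_RSA + _ISSUER + _utc("190211201012Z")
    + _utc("190311201012Z") + der(0x30, _entry(0x1001, "190215090000Z") + _entry(0x1002, "190220090000Z")))
    + _SHA256_RSA + der(0x03, bytes(17)))               # placeholder signature BIT STRING, not verified
```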
Configuration:
1. Configure the URL for a certificate distribution point in EXEC mode.
OS10# crypto cdp add cdp-name cdp-url
Verify the CDPs accessed by the switch in EXEC mode.
OS10# show crypto cdp [cdp-name]
To delete an installed CDP, use the crypto cdp delete cdp-name command.
2. Install CRLs that have been downloaded from CDPs in EXEC mode.
OS10# crypto crl install crl-path [crl-filename]
Display a list of the CRLs installed on the switch in EXEC mode.
OS10# show crypto crl [crl-filename]
To delete a manually installed CRL that was configured with the crypto crl install command, use the crypto crl delete [crl-filename] command.
Example: Configure CDP
OS10# crypto cdp add cert1_cdp http://crl.chambersign.org/chambersignroot.crl
Successfully added CDP
OS10# show crypto cdp
--------------------------------------
OS10 security best practices
27