API Guide

key-file {key-path | private}: Enter the local path where the downloaded or locally generated private key is stored. If the key was downloaded to a remote server, enter the server path using a secure method, such as HTTPS, SCP, or SFTP. Enter private to store the key in a local hidden location.
country 2-letter-code: (OPTIONAL) Enter the two-letter code that identifies the country.
state state: Enter the name of the state.
locality city: Enter the name of the city.
organization organization-name: Enter the name of the organization.
orgunit unit-name: Enter the name of the unit.
cname common-name: Enter the common name assigned to the certificate. Common name is the main identity presented to connecting devices. By default, the hostname of the switch is the common name. You can configure a different common name for the switch; for example, an IP address. If the common-name value does not match the identity of the device, a signed certificate does not validate.
email email-address: Enter a valid email address used to communicate with the organization.
validity days: Enter the number of days that the certificate is valid. For a CSR, validity has no effect. For a self-signed certificate, the default is 3650 days or 10 years.
length bit-length: Enter a bit value for the keyword length. For FIPS mode, the range is from 2048 to 4096; for non-FIPS mode, the range is from 1024 to 4096. The default key length for both FIPS and non-FIPS mode is 2048 bits. The minimum key length value for FIPS mode is 2048 bits. The minimum key length value for non-FIPS mode is 1024 bits.
altname altname: Enter an alternate name for the organization; for example, using the IP address such as altname IP:192.168.1.100.
Copy CSR to the CA server.
OS10# copy home://DellHost.pem scp:///file-path/DellHost.pem
password:
The CA server signs the CSR with its private key. The CA server then makes the signed certificate available for the OS10
switch to download and install it.
Install host certificate.
Use the copy command to download an X.509v3 certificate signed by a CA server to the local home directory using a
secure method, such as HTTPS, SCP, or SFTP.
Use the crypto cert install command to install the certificate and the private key generated with the CSR.
crypto cert install cert-file home://cert-filepath key-file {key-path | private} [password passphrase] [fips]
Generate a certificate signing request and private key
OS10# crypto cert generate request cert-file home://DellHost.pem key-file home://DellHost.key email admin@dell.com length 1024 altname DNS:dell.domain.com
Processing certificate ...
Successfully created CSR file /home/admin/DellHost.pem and key
OS10# copy home://DellHost.pem scp:///tftpuser@10.11.178.103:/tftpboot/certs/DellHost.pem
password:
OS10# copy scp:///tftpuser@10.11.178.103:/tftpboot/certs/Dell_host1_CA1.pem home://Dell_host1_CA1.pem
password:
OS10# copy scp:///tftpuser@10.11.178.103:/tftpboot/certs/Dell_host1_CA1.key home://Dell_host1_CA1.key
password:
OS10# crypto cert install cert-file home://Dell_host1_CA1.pem key-file home://Dell_host1_CA1.key
Processing certificate ...
Certificate and keys were successfully installed as "Dell_host1_CA1.pem" that may be used in a security profile. CN = Dell_host1_CA1
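A pre-flight check for the request command, added here as an example (it is not Dell's code and not part of OS10): it parses a one-line crypto cert generate request command and applies the key-length ranges, two-letter country code and altname forms described above. The function names, the treatment of arguments as space-separated keyword/value pairs, and the restriction of altname to the DNS: and IP: forms shown on this page are assumptions of the example.

```python
import ipaddress
import re
import shlex

# Keywords taken from the parameter list and the example on this page.
KEYWORDS = {"cert-file", "key-file", "country", "state", "locality", "organization",
            "orgunit", "cname", "email", "validity", "length", "altname"}
LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(rf"(?=.{{1,253}}$)({LABEL}\.)*{LABEL}")

def parse_request(command):
    """Split a one-line 'crypto cert generate request' command into {keyword: value}."""
    tokens = shlex.split(command)
    if tokens[:4] != ["crypto", "cert", "generate", "request"]:
        raise ValueError("not a 'crypto cert generate request' command")
    args = tokens[4:]
    if len(args) % 2 or set(args[0::2]) - KEYWORDS:
        raise ValueError("unknown keyword or keyword without a value")
    return dict(zip(args[0::2], args[1::2]))

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def check_request(command, fips=False):
    """Return findings for one command; an empty list means it passed these checks."""
    p, findings = parse_request(command), []
    low, mode = (2048, "FIPS") if fips else (1024, "non-FIPS")
    length = p.get("length", "2048")  # default key length is 2048 bits in both modes
    if not length.isdigit() or not low <= int(length) <= 4096:
        findings.append(f"length {length} is outside {low}-4096 for {mode} mode")
    if "country" in p and not re.fullmatch(r"[A-Za-z]{2}", p["country"]):
        findings.append(f"country {p['country']!r} is not a two-letter code")
    if "altname" in p:
        kind, _, value = p["altname"].partition(":")
        ok = is_ip(value) if kind == "IP" else kind == "DNS" and bool(HOSTNAME.fullmatch(value))
        if not ok:
            findings.append(f"altname {p['altname']!r} is not a valid DNS: or IP: entry")
    return findings

# The page's example joined onto one line, then a constructed command with three mistakes.
PAGE_EXAMPLE = ("crypto cert generate request cert-file home://DellHost.pem "
                "key-file home://DellHost.key email admin@dell.com length 1024 "
                "altname DNS:dell.domain.com")
BAD_EXAMPLE = ("crypto cert generate request cert-file home://a.pem key-file private "
               "country USA length 512 altname IP:192.168.1.300")
```

check_request(PAGE_EXAMPLE) returns no findings in non-FIPS mode, while check_request(PAGE_EXAMPLE, fips=True) reports the 1024-bit length as below the FIPS range.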
Display trusted certificates
OS10 security best practices