API Guide

1. Create a self-signed certificate in EXEC mode. Store the device.key file in a secure, persistent location, such as NVRAM.
crypto cert generate self-signed [cert-file cert-path key-file {private | key-path}] [country 2-letter-code] [state state] [locality city] [organization organization-name] [orgunit unit-name] [cname common-name] [email email-address] [validity days] [length length] [altname alt-name]
If you enter the cert-file option, you must enter all the required parameters, including the local path where the certificate and private key are stored. If you do not specify the cert-file option, you are prompted to enter the other parameter values for the certificate interactively; for example:
You are about to be asked to enter information that will be incorporated in your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value; if you enter '.', the field will be left blank.
Country Name (2 letter code) [US]:
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) []:Starfleet Command
Organizational Unit Name (eg, section) []:NCC-1701A
Common Name (eg, YOUR name) [hostname]:S4148-001
Email Address []:scotty@starfleet.com
2. Install a self-signed certificate and key file in EXEC mode.
crypto cert install cert-file home://cert-filename key-file {key-path | private} [password passphrase] [fips]
cert-file cert-path specifies a source location for a downloaded certificate; for example, home://s4048-001-cert.pem or usb://s4048-001-cert.pem.
key-file {key-path | private} specifies the local path to retrieve the downloaded or locally generated private key. Enter private to install the key from a local hidden location and rename the key file with the certificate name.
password passphrase specifies the password used to decrypt the private key if it was generated using a password.
fips installs the certificate-key pair as FIPS-compliant. Enter fips to install a certificate-key pair that is used by a FIPS-aware application, such as RADIUS over TLS. If you do not enter fips, the certificate-key pair is stored as a non-FIPS compliant pair.
NOTE:
You determine if the certificate-key pair is generated as FIPS-compliant. Do not use FIPS-compliant certificate-key pairs outside of FIPS mode.
If you enter fips after using the key-file private option in the crypto cert generate request command, a FIPS-compliant private key is stored in a hidden location in the internal file system that is not visible to users.
If the certificate installation is successful, the file name of the self-signed certificate and its common name are displayed. Use
the file name to configure the certificate in a security profile using the crypto security-profile command.
Example: Generate and install self-signed certificate and key
OS10# crypto cert generate self-signed cert-file home://DellHost.pem key-file home://DellHost.key email admin@dell.com length 1024 altname DNS:dell.domain.com validity 365
Processing certificate ...
Successfully created certificate file /home/admin/DellHost.pem and key
OS10# crypto cert install cert-file home://DellHost.pem key-file home://DellHost.key
Processing certificate ...
Certificate and keys were successfully installed as "DellHost.pem" that may be used in a security profile. CN = DellHost.
Display self-signed certificate
OS10# show crypto cert
--------------------------------------
| Installed non-FIPS certificates |
--------------------------------------
DellHost.pem
--------------------------------------
| Installed FIPS certificates |
--------------------------------------
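As an added example that is not part of the OS10 guide, the following Python script parses the show crypto cert listing above into its non-FIPS and FIPS stores and checks that a certificate meant for a FIPS-aware application (such as RADIUS over TLS) was installed with the fips option, which is the mistake the NOTE above warns about. The sample output and the radsec-cert.pem name are constructed for the example.

```python
"""Parse `show crypto cert` output from a Dell OS10 switch and verify that a
certificate sits in the expected store (FIPS or non-FIPS)."""
import re

# Constructed sample output, modelled on the `show crypto cert` listing in the
# guide, with a second (hypothetical) certificate in the FIPS section.
SAMPLE_OUTPUT = """\
--------------------------------------
| Installed non-FIPS certificates |
--------------------------------------
DellHost.pem
--------------------------------------
| Installed FIPS certificates |
--------------------------------------
radsec-cert.pem
"""

# Matches the section banner lines between the dashed rules.
SECTION_RE = re.compile(r"^\|\s*Installed (non-FIPS|FIPS) certificates\s*\|$")


def parse_show_crypto_cert(text):
    """Return {'non-fips': [...], 'fips': [...]} from the command output."""
    stores = {"non-fips": [], "fips": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue  # blank line or dashed separator rule
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1).lower()  # 'non-fips' or 'fips'
            continue
        if current is None:
            raise ValueError(f"certificate listed before any section header: {line!r}")
        stores[current].append(line)
    return stores


def check_store(stores, cert_name, fips_required):
    """Return (ok, message): ok is True only if cert_name is in the store
    matching fips_required, so a FIPS-only application never picks up a
    non-FIPS pair (or vice versa)."""
    expected = "fips" if fips_required else "non-fips"
    other = "non-fips" if fips_required else "fips"
    if cert_name in stores[expected]:
        return True, f"{cert_name} is installed as {expected}"
    if cert_name in stores[other]:
        return False, f"{cert_name} is installed as {other}, expected {expected}; reinstall it"
    return False, f"{cert_name} is not installed"
```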
OS10 security best practices