Concept Guide
NOTE: The command contains multiple options, with the Common Name being a required field and blanks being filled in for unspecified fields.
Information about installing trusted certificates
Dell EMC Networking OS also enables you to install a trusted certificate. The system can then present this certificate for authentication to clients such as SSH and HTTPS.
This trusted certificate is also presented to the TLS server implementations that require client authentication, such as Syslog. The certificate is digitally signed with the private key of a CA server.
You can download the trusted certificate for a device from flash, usbflash, tftp, ftp, or scp. This certificate is stored in the BSD file system and can be used to authenticate the switch to clients.
Installing trusted certificates
To install a trusted certificate, perform the following step:
In global configuration mode, enter the following command:
crypto cert install {path}
Transport layer security (TLS)
Transport Layer Security (TLS) provides cryptographic protection for TCP-based application protocols.
In Dell EMC Networking OS, TLS already protects secure HTTP for the REST and HTTPD server implementations.
NOTE: There are three modern versions of the TLS protocol: 1.0, 1.1, and 1.2. Older versions are called SSL v1, v2, and v3, and are not supported.
The TLS protocol implementation in Dell EMC Networking OS takes care of the following activities:
• Session negotiation and shutdown
– Protocol Version
– Cryptographic algorithm selection
• Session resumption and renegotiation
• Certificate revocation checking, which may be accomplished through OCSP
When operating in FIPS mode, the system is restricted to only the TLS 1.2 protocol version and supports the following cipher suites, in line with the NIST SP800-131A Rev 1 policy document published July 2015:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
TLS_DH_RSA_WITH_AES_256_CBC_SHA256
TLS_DH_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
When not operating in FIPS mode, the system may support TLS 1.0 up to 1.2, and older ciphers and hashes:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
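The two suite lists above differ only in the MAC and cipher they allow. As an added example (not Dell EMC Networking OS code), the following checker parses IANA-style suite names and reports why a configured suite is rejected in FIPS mode and which accepted suites lack forward secrecy; the parsing rule for the `TLS_<kex>_<auth>_WITH_<cipher>_<mac>` layout is an assumption, and the suite sets are the ones quoted on this page.

```python
"""Audit a configured TLS cipher-suite set against the FIPS-mode policy.

Added example, not code from the Dell EMC Networking OS guide. The suite
sets are the lists quoted on the page; the name layout is assumed to follow
the IANA scheme TLS_<kex>[_<auth>]_WITH_<cipher>_<mac>."""
import re
from dataclasses import dataclass

# Suites the page lists as permitted in FIPS mode (TLS 1.2 only).
FIPS_SUITES = {
    f"TLS_{kex}_WITH_AES_{bits}_CBC_{mac}"
    for kex in ("ECDHE_RSA", "DHE_RSA", "ECDH_RSA", "DH_RSA", "RSA")
    for bits, mac in (("256", "SHA384" if kex == "ECDHE_RSA" else "SHA256"),
                      ("128", "SHA256"))
}
# Additional suites the page lists for non-FIPS operation (SHA-1 MAC, 3DES).
NON_FIPS_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
}
SUITE_RE = re.compile(r"^TLS_(?P<kex>ECDHE|ECDH|DHE|DH|RSA)(?:_(?P<auth>RSA))?"
                      r"_WITH_(?P<cipher>[A-Z0-9_]+?)_(?P<mac>SHA384|SHA256|SHA)$")

@dataclass(frozen=True)
class Suite:
    name: str; kex: str; auth: str; cipher: str; mac: str

def parse_suite(name):
    """Split a suite name into its components; None if the layout is unknown."""
    m = SUITE_RE.match(name)
    if not m:
        return None
    return Suite(name, m["kex"], m["auth"] or m["kex"], m["cipher"], m["mac"])

def fips_issues(name):
    """Reasons a suite is not acceptable in FIPS mode (empty list = acceptable)."""
    s = parse_suite(name)
    if s is None:
        return ["unrecognised suite name"]
    issues = []
    if s.mac == "SHA":             # SHA-1 HMAC, disallowed by SP800-131A
        issues.append("SHA-1 MAC")
    if s.cipher.startswith("3DES"):  # 3DES is legacy and absent from the list
        issues.append("3DES cipher")
    if name not in FIPS_SUITES:
        issues.append("not in FIPS-mode suite list")
    return issues

def forward_secrecy(name):
    """Ephemeral key exchange (ECDHE/DHE) gives forward secrecy; static does not."""
    s = parse_suite(name)
    return s is not None and s.kex in ("ECDHE", "DHE")

def audit(configured, fips_mode):
    """Classify each configured suite for the selected operating mode."""
    allowed = FIPS_SUITES if fips_mode else FIPS_SUITES | NON_FIPS_SUITES
    report = {"allowed": [], "rejected": {}, "no_forward_secrecy": []}
    for name in sorted(configured):
        if name in allowed:
            report["allowed"].append(name)
            if not forward_secrecy(name):
                report["no_forward_secrecy"].append(name)
        else:
            report["rejected"][name] = fips_issues(name)
    return report
```

Accepted suites with static RSA/DH/ECDH key exchange are flagged separately because, although permitted, a compromised private key lets recorded sessions be decrypted later.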
X.509v3
1145