Administrator Guide
After the CA certificate is installed, the system can secure communications with TLS servers by verifying certificates that are
signed by the CA.
Installing CA certificate
To install a CA certificate, enter the crypto ca-cert install {path} command in Global Configuration mode.
Information about Creating Certificate Signing
Requests (CSR)
Certificate Signing Request (CSR) enables a device to get a X.509v3 certificate from a CA.
In order for a device to get a X.509v3 certificate, the device first requests a certificate from a CA through a Certificate Signing
Request (CSR). While creating a CSR, you need to provide the information about the certificate and the private key details. Dell
EMC Networking OS enable you to create a private key and a CSR for a device using a single command.
If you do not specify the cert-file option, the system prompts you to enter metadata information related to the CSR as follows:
You are about to be asked to enter information that will be incorporated into your
certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value; if you enter '.', the field will be left
blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) []:Starfleet Command
Organizational Unit Name (eg, section) []:NCC-1701A
Common Name (eg, YOUR name) [hostname]:S4810-001
Email Address []:scotty@starfleet.com
The switch uses SHA-256 as the digest algorithm and the public key algorithm is RSA with a 2048-bit modulus. The KeyUsage
bits of the certificate assert keyEncipherment (bit 2) and keyAgreement (bit 4). The keyCertSign bit (bit 5) is NOT be
set. The ExtendedKeyUsage fields indicate serverAuth and clientAuth.
The attribute CA:FALSE is set in the Extensions section of the certificate. The certificate is NOT used to validate other
certificates. The CSR is then copied out to the CA server. It can be copied from flash to a destination like usbflash, TFTP, FTP,
or SCP.
The CA server signs the CSR with its private key. The CA server then makes the signed certificate available for the requesting
device to download and install.
Creating Certificate Signing Requests (CSR)
To create a private key and CSR, perform the following step:
In global configuration mode, enter the following command:
crypto cert generate {self-signed | request} [cert-file cert-path key-file {private | key-
path}] [country 2-letter code] [state state] [locality city] [organization organization-
name] [orgunit unit-name] [cname common-name] [email email-address] [validity days] [length
length] [altname alt-name]
You must specify the following parameters for this command:
● Certificate File
● Private Key
● Country Name
● State or Province Name
● Locality Name
● Organization Name
X.509v3
1137