Users Guide
Switch Management Commands 2363
User Guidelines
This command itself is not saved in the switch configuration; however, the
certificate and keys generated by this command are saved in the private
configuration. If the RSA keys do not exist, the key-generate command in
Crypto Certificate Generation mode must be used. The key-generate sub-command
regenerates the RSA key pair. At least the common name must be configured for
a certificate to be valid.
To save the generated certificate and keys on the local switch and distribute
the certificate across a stack, save the configuration. Otherwise, the certificate
and keys will not be available after the next reboot.
If the common-name is not configured, the certificate is generated with a
common name equal to the lowest IP address of the switch. If a duration is
not configured, the certificate is generated with a duration of 365 days.
As of firmware release 6.6.1, the key length of the certificate is increased to
2048 bits and the switch uses SHA-256 to sign the generated certificate. Any
previously generated certificates are left unaltered.
This command generates two files:
• sslt_certN.pem
• sslt_keyN.pem
where N is the certificate number.
To use a CA-signed certificate on the switch, perform the following steps:
• Generate the RSA and DSA keys using the crypto key generate command (RSA
first, then DSA), or the key-generate command in Crypto Certificate
Generation mode.
• Generate a self-signed certificate using the crypto certificate generate
command, or optionally…
• Generate a certificate request using the crypto certificate request
command. This command uses the DSA keys and the self-signed certificate.
• Copy the certificate request displayed on the screen and send it to a CA.
• When the signed certificate is received, copy it onto the switch using the
crypto certificate import command.
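The CA side of the procedure above, as an added example that is not part of the guide or of the switch firmware: the request the switch prints on screen is checked before signing (a common name is present, the key is the 2048-bit RSA / SHA-256 pair that firmware 6.6.1 and later generate), signed for the same 365-day lifetime the switch uses by default, and the result is checked again before it is pasted into crypto certificate import. The switch-side commands cannot run here, so a locally generated key and CSR stand in for sslt_keyN.pem and the on-screen request; the "Lab Root CA", the file names under a temporary directory and the host name switch1.example.com are assumptions for the example. It needs openssl(1) on PATH.

```shell
#!/bin/sh
# Added example (not from the Dell guide): CA-side handling of a switch CSR
# with openssl(1). Assumes openssl on PATH and a writable temp directory.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }
WORK=$(mktemp -d)

# Hypothetical lab CA that signs the request; use the real CA in practice.
make_lab_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Lab Root CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Stand-in for the switch: 2048-bit RSA key plus CSR with the given common name
# (the switch itself would print this request on screen).
make_switch_csr() {  # $1 = common name
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$WORK/sslt_key1.pem" -out "$WORK/switch.csr" >/dev/null 2>&1
}

# RSA modulus size in bits of a CSR ("req") or certificate ("x509").
key_bits_of() {  # $1 = req|x509, $2 = file
  openssl "$1" -in "$2" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Signature algorithm of a CSR or certificate.
sig_alg_of() {  # $1 = req|x509, $2 = file
  openssl "$1" -in "$2" -noout -text |
    sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Pre-signing checks on the request pasted from the switch: the CSR's own
# signature verifies, a CN is present (the guide says a certificate without
# one is not valid), and key size / hash match what 6.6.1+ firmware generates.
check_csr() {  # $1 = csr file; returns 0 when every check passes
  openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
  openssl req -in "$1" -noout -subject | grep -q 'CN *=' || return 2
  [ "$(key_bits_of req "$1")" -ge 2048 ] || return 3
  [ "$(sig_alg_of req "$1")" = sha256WithRSAEncryption ] || return 4
  return 0
}

# Sign the request with the lab CA: SHA-256, 365 days like the switch default.
sign_csr() {  # $1 = csr file, $2 = output certificate file
  openssl x509 -req -in "$1" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -out "$2" >/dev/null 2>&1
}

# Post-signing checks before the certificate goes into crypto certificate
# import: chains to the CA, 2048-bit RSA, SHA-256, lifetime of about $3 days.
check_cert() {  # $1 = cert file, $2 = CA file, $3 = expected lifetime in days
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || return 1
  [ "$(key_bits_of x509 "$1")" -ge 2048 ] || return 2
  [ "$(sig_alg_of x509 "$1")" = sha256WithRSAEncryption ] || return 3
  # -checkend N exits 0 only if the certificate is still valid N seconds from now,
  # so it must survive (days-1) but not (days+1).
  openssl x509 -in "$1" -noout -checkend $(( ($3 - 1) * 86400 )) >/dev/null || return 4
  ! openssl x509 -in "$1" -noout -checkend $(( ($3 + 1) * 86400 )) >/dev/null || return 5
  return 0
}

# Whole workflow; returns 0 when the signed certificate is ready to import.
run_demo() {  # $1 = switch common name
  make_lab_ca
  make_switch_csr "$1"
  check_csr "$WORK/switch.csr" || return 1
  sign_csr "$WORK/switch.csr" "$WORK/sslt_cert1.pem" || return 2
  check_cert "$WORK/sslt_cert1.pem" "$WORK/ca.pem" 365 || return 3
  echo "ready to import: $WORK/sslt_cert1.pem"
}

run_demo switch1.example.com
```

On a real switch the CSR comes from the crypto certificate request output and the checked certificate is what gets pasted into crypto certificate import; the same check_csr and check_cert functions apply unchanged to those files. The lifetime check deliberately brackets the expected value rather than parsing dates, which keeps it portable across OpenSSL versions and date(1) implementations.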