Connectivity Guide
If you do not specify the cert-file option, you are prompted to fill in the other parameter values for the certificate interactively; for
example:
You are about to be asked to enter information that will be incorporated into your
certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value; if you enter '.', the field will be left blank.
Country Name (2 letter code) [US]:
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) []:Starfleet Command
Organizational Unit Name (eg, section) []:NCC-1701A
Common Name (eg, YOUR name) [hostname]:S4148-001
Email Address []:scotty@starfleet.com
The switch uses SHA-256 as the digest algorithm. The public key algorithm is RSA with a 2048-bit modulus. The KeyUsage bits of the
certificate assert keyEncipherment (bit 2) and keyAgreement (bit 4). The keyCertSign bit (bit 5) is NOT set. The
ExtendedKeyUsage fields indicate serverAuth and clientAuth.
The attribute CA:FALSE is set in the Extensions section of the certificate. The certificate is NOT used to validate other certificates.
• If necessary, re-enter the command to generate multiple certificate-key pairs for different applications on the switch. You can configure
a certificate-key pair in a security profile. Using different certificate-key pairs is necessary if you want to change the certificate-key pair
for a specified application without interrupting other critical services. For example, RADIUS over TLS may use a different
certificate-key pair than SmartFabric services.
NOTE:
If the system is in FIPS mode (crypto fips enable command), the CSR and private key are generated using FIPS-validated and
compliant algorithms. You manage whether the keys are generated in FIPS mode or not.
Copy CSR to the CA server
You can copy the CSR from flash to a destination, such as a USB flash drive, using TFTP, FTP, or SCP.
OS10# copy home://DellHost.pem scp:///tftpuser@10.11.178.103:/tftpboot/certs/DellHost.pem
password:
The CA server signs the CSR with its private key. The CA server then makes the signed certificate available for the OS10 switch to
download and install.
Install host certificate
1 Use the copy command to download an X.509v3 certificate signed by a CA server to the local home directory using a secure
method, such as HTTPS, SCP, or SFTP.
2 Use the crypto cert install command to install the certificate and the private key generated with the CSR.
• Install a trusted certificate and key file in EXEC mode.
crypto cert install cert-file home://cert-filepath key-file {key-path | private}
[password passphrase] [fips]
– cert-file cert-filepath specifies a source location for a downloaded certificate; for example, home://s4048-001-cert.pem
or usb://s4048-001-cert.pem.
– key-file {key-path | private} specifies the local path to retrieve the downloaded or locally generated private key. Enter
private to install the key from a local hidden location and rename the key file with the certificate name.
– password passphrase specifies the password used to decrypt the private key if it was generated using a password.
– fips installs the certificate-key pair as FIPS-compliant. Enter fips to install a certificate-key pair that is used by a FIPS-aware
application, such as RADIUS over TLS. If you do not enter fips, the certificate-key pair is stored as a non-FIPS compliant pair.
NOTE: You determine if the certificate-key pair is generated as FIPS-compliant. Make sure that FIPS-compliant
certificate-key pairs are not used outside of FIPS mode. When FIPS mode is enabled on the switch, you can still
generate CSRs for non-FIPS certificates for use with non-FIPS applications. Be sure to install these certificates as
non-FIPS with the crypto cert install command.
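Before copying a CA-returned certificate to the switch, you can confirm on the admin workstation that it carries the attributes described above (SHA-256 with RSA 2048, keyEncipherment and keyAgreement without keyCertSign, serverAuth and clientAuth, CA:FALSE). The script below is an added example and not part of the OS10 guide; it assumes the openssl command-line tool (1.1.1 or later) and uses self-signed certificates it generates itself as constructed stand-ins for what a CA would return.

```sh
#!/bin/sh
# Pre-install sanity check for a CA-signed host certificate, run on the admin
# workstation before the file is copied to the switch for 'crypto cert install'.
# Added example, not from the OS10 guide; assumes the openssl CLI (1.1.1 or later).
set -eu

# want LABEL TEXT PATTERN: report whether PATTERN occurs in TEXT, remember failures in rc
want() {
  if printf '%s\n' "$2" | grep -q -- "$3"; then echo "ok   $1"; else echo "FAIL $1"; rc=1; fi
}

# check_host_cert CERT.pem: confirm the properties the guide lists for the switch
# host certificate. Returns 0 only when every check passes.
check_host_cert() {
  txt=$(openssl x509 -in "$1" -noout -text)
  ku=$(printf '%s\n' "$txt" | sed -n '/X509v3 Key Usage/{n;p;}')
  eku=$(printf '%s\n' "$txt" | sed -n '/X509v3 Extended Key Usage/{n;p;}')
  rc=0
  want "signature digest SHA-256 over RSA" "$txt" 'Signature Algorithm: sha256WithRSAEncryption'
  want "RSA 2048-bit public key"          "$txt" 'Public-Key: (2048 bit)'
  want "keyUsage keyEncipherment (bit 2)" "$ku"  'Key Encipherment'
  want "keyUsage keyAgreement (bit 4)"    "$ku"  'Key Agreement'
  want "extendedKeyUsage serverAuth"      "$eku" 'TLS Web Server Authentication'
  want "extendedKeyUsage clientAuth"      "$eku" 'TLS Web Client Authentication'
  want "basicConstraints CA:FALSE"        "$txt" 'CA:FALSE'
  # keyCertSign (bit 5) must be absent: a certificate that can sign others is not a host certificate
  if printf '%s\n' "$ku" | grep -q 'Certificate Sign'; then echo "FAIL keyCertSign (bit 5) is set"; rc=1
  else echo "ok   keyCertSign (bit 5) not set"; fi
  return $rc
}

# make_sample_cert OUT.pem KEYUSAGE BASICCONSTRAINTS: self-signed stand-in for what a
# CA would return (constructed test data, not a CA-issued certificate)
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -keyout "${1%.pem}-key.pem" -out "$1" \
    -subj "/C=US/ST=California/L=San Francisco/O=Starfleet Command/OU=NCC-1701A/CN=S4148-001" \
    -addext "keyUsage=$2" -addext "extendedKeyUsage=serverAuth,clientAuth" \
    -addext "basicConstraints=$3" 2>/dev/null
}

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
GOOD="$WORK/S4148-001-cert.pem"; BAD="$WORK/wrong-profile-cert.pem"
make_sample_cert "$GOOD" "keyEncipherment,keyAgreement" "CA:FALSE"
make_sample_cert "$BAD"  "keyCertSign,cRLSign"          "CA:TRUE"   # a CA-style certificate

echo "== $GOOD"; check_host_cert "$GOOD" && echo "safe to copy and install"
echo "== $BAD";  check_host_cert "$BAD"  || echo "rejected: do not install"
```

Run it against the PEM file the CA returned (check_host_cert /path/to/cert.pem) and only copy the file to the switch when every line reports ok.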
832 Security