Connectivity Guide
If you do specify the cert-file option, you are prompted to enter the other parameter values for the certicate interactively; for
example:
You are about to be asked to enter information that will be incorporated in your certificate
request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value; if you enter '.', the field will be left blank.
Country Name (2 letter code) [US]:
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) []:Starfleet Command
Organizational Unit Name (eg, section) []:NCC-1701A
Common Name (eg, YOUR name) [hostname]:S4148-001
Email Address []:scotty@starfleet.com
The switch uses SHA-256 as the digest algorithm. The public key algorithm is RSA with a 2048-bit modulus.
NOTE: When using self-signed X.509v3 certicates with Syslog and RADIUS servers, congure the server to accept self-signed
certicates. Syslog and RADIUS servers require mutual authentication, which means that the client and server must verify each
other's certicates. The best practice is to congure a CA server to sign certicates for all trusted devices in the network.
Install self-signed certicate
• Install a self-signed certicate and key le in EXEC mode.
crypto cert install cert-file home://cert-filename key-file {key-path | private}
[password passphrase] [fips]
– cert-file cert-path species a source location for a downloaded certicate; for example, home://s4048-001-
cert.pem
or usb://s4048-001-cert.pem.
– key-file {key-path | private} species the local path to retrieve the downloaded or locally generated private key. Enter
private to install the key from a local hidden location and rename the key le with the certicate name.
– password passphrase species the password used to decrypt the private key if it was generated using a password.
– fips installs the certicate-key pair as FIPS-compliant. Enter fips to install a certicate-key pair that is used by a FIPS-aware
application, such as RADIUS over TLS. If you do not enter
fips, the certicate-key pair is stored as a non-FIPS compliant pair.
NOTE
: You determine if the certicate-key pair is generated as FIPS-compliant. Make sure that FIPS-compliant
certicate-key pairs are not used outside of FIPS mode.
– If you enter fips after using the key-file private option in the crypto cert generate request command, a FIPS-
compliant private key is stored in a hidden location in the internal le system that is not visible to users.
If the certicate installation is successful, the le name of the self-signed certicate and its common name are displayed. Use the le name
to congure the certicate in a security prole (crypto security-profile command).
Example: Generate and install self-signed certicate and key
OS10# crypto cert generate self-signed cert-file home://DellHost.pem key-file home://
DellHost.key email admin@dell.com length 1024 altname DNS:dell.domain.com validity 365
Processing certificate ...
Successfully created certificate file /home/admin/DellHost.pem and key
OS10# crypto cert install cert-file home://DellHost.pem key-file home://DellHost.key
Processing certificate ...
Certificate and keys were successfully installed as "DellHost.pem" that may be used in a
security profile. CN = DellHost.
Display self-signed certicate
OS10# show crypto cert
--------------------------------------
| Installed non-FIPS certificates |
--------------------------------------
DellHost.pem
--------------------------------------
Security
835