Connectivity Guide
crypto cert generate
Creates a certificate signing request (CSR) or a self-signed certificate.
Syntax
crypto cert generate {request | self-signed} [cert-file cert-path key-file
{private | keypath}] [country 2-letter code] [state state] [locality city]
[organization organization-name] [orgunit unit-name] [cname common-name] [email
email-address] [validity days] [length length] [altname alt-name]
Parameters
• request — Create a certificate signing request to copy to a CA.
• self-signed — Create a self-signed certificate.
• cert-file cert-path — (Optional) Enter the local path where the self-signed certificate or CSR will be
stored. You can enter a full path or a relative path; for example, flash://certs/s4810-001-request.csr
or usb://s4810-001.crt. If you do not enter the cert-file option, the system interactively prompts you to
fill in the remaining fields of the certificate signing request. Export the CSR to a CA using the copy command.
• key-file {key-path | private} — Enter the local path where the downloaded or locally generated
private key will be stored. If the key was downloaded to a remote server, enter the server path using a secure
method, such as HTTPS, SCP, or SFTP. Enter private to store the key in a local hidden location.
• country 2-letter-code — (Optional) Enter the two-letter code that identifies the country.
• state state — Enter the name of the state.
• locality city — Enter the name of the city.
• organization organization-name — Enter the name of the organization.
• orgunit unit-name — Enter the name of the unit.
• cname common-name — Enter the common name assigned to the certificate. The common name is the main
identity presented to connecting devices. By default, the switch’s host name is the common name. You can
configure a different common name for the switch; for example, an IP address. If the common-name value
does not match the device’s presented identity, a signed certificate does not validate.
• email email-address — Enter a valid email address used to communicate with the organization.
• validity days — Enter the number of days for which the certificate is valid. For a CSR, validity has no
effect. For a self-signed certificate, the default is 3650 days or 10 years.
• length bit-length — Enter the key length in bits. For FIPS mode, the range is from 2048 to 4096; for
non-FIPS mode, the range is from 1024 to 4096. The default key length for both FIPS and non-FIPS mode is
2048 bits. The minimum key length value for FIPS mode is 2048 bits. The minimum key length value for
non-FIPS mode is 1024 bits.
• altname altname — Enter an alternate name for the organization; for example, using the IP address, such
as altname IP:192.168.1.100.
Default
Not configured
Command mode EXEC
Usage information Generate a CSR when you want a CA to sign a host certificate. Generate a self-signed certificate if you do not set
up a CA and implement a certificate trust model in your network.
If you enter the cert-file option, you must enter all the following required parameters, including the local path
where the certificate and private key are stored.
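The points above that matter for validation (the common name must match the identity peers see, the altname carries the management IP, and the key must meet the mode's minimum length) can be confirmed off-box once the certificate is exported with the copy command. The following is an added example, not part of the Dell guide; it assumes openssl is in PATH and uses a constructed self-signed certificate built from the page's own sample values in place of a real switch export.

```shell
# Added example, not from the Dell guide: an off-box check, using openssl (assumed in PATH),
# of a certificate exported from the switch after "crypto cert generate self-signed".
MIN_BITS_FIPS=2048      # FIPS-mode minimum stated in the reference
MIN_BITS_NONFIPS=1024   # non-FIPS minimum stated in the reference

# make_sample_cert CERT KEY: constructed stand-in for the switch's output, using the
# page's example values (CN s4810-001, altname IP:192.168.1.100, 2048 bits, 3650 days).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$2" -out "$1" -days 3650 \
        -subj "/C=US/ST=CA/L=San Jose/O=Example/OU=Net/CN=s4810-001" \
        -addext "subjectAltName=IP:192.168.1.100" >/dev/null 2>&1
}

# key_bits CERT: size of the RSA public key in bits.
key_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1
}

# cert_cn CERT: common name from the subject (RFC 2253 form, so no spaces around '=').
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_has_san_ip CERT IP: succeeds if the subjectAltName extension lists that IP address.
cert_has_san_ip() {
    openssl x509 -in "$1" -noout -text | grep -qE "IP Address:$2(,|\$)"
}

# check_cert CERT EXPECTED_CN EXPECTED_IP FIPS(yes|no): returns 0 only when the key meets the
# mode's minimum, the CN equals the identity peers will check, and the SAN lists the
# management IP. A CN that does not match the presented identity will not validate.
check_cert() {
    cert=$1; want_cn=$2; want_ip=$3; fips=$4; rc=0
    min=$MIN_BITS_NONFIPS
    if [ "$fips" = yes ]; then min=$MIN_BITS_FIPS; fi
    bits=$(key_bits "$cert")
    [ "${bits:-0}" -ge "$min" ] || { echo "FAIL: key ${bits:-?} bits < $min"; rc=1; }
    cn=$(cert_cn "$cert")
    [ "$cn" = "$want_cn" ] || { echo "FAIL: CN '$cn' != '$want_cn'"; rc=1; }
    cert_has_san_ip "$cert" "$want_ip" || { echo "FAIL: SAN lacks IP:$want_ip"; rc=1; }
    return $rc
}

# Usage on a real export: check_cert /path/to/s4810-001.crt s4810-001 192.168.1.100 yes
```

For a CSR rather than a certificate, the same fields can be read with openssl req -in file.csr -noout -text before the request is sent to the CA.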
Security 841