Users Guide
During the initial TLS protocol negotiation, both participating parties also check to see if the other's certificate is revoked by the CA. To do
this check, the devices query the CA's designated OCSP responder on the network. The OCSP responder information is included in the
presented certificate, the Intermediate CA inserts the info upon signing it, or it may be statically configured on the host.
Information about installing CA certificates
Dell EMC Networking OS enables you to download and install X.509v3 certificates from Certificate Authorities (CAs).
In a data center environment, CA certificates are created by trusted hosts on the network. By digitally signing devices' certificates with the
CA's private key, trust can be established among all devices in a network. These CA certificates, installed on each of the devices, are used
to verify certificates presented by clients and servers such as the Syslog servers.
Dell EMC Networking OS allows you to download CA certificates using the crypto ca-cert install command. In this command,
you can specify:
• That the certificate is a CA certificate
• The location from which to download the certificate and the protocol to use. For example, tftp://192.168.1.100/certificates/CAcert.pem.
Locations can be usbflash, built-in flash, TFTP, FTP, or SCP hosts.
After you download a CA certificate, the system verifies the following aspects of the CA certificate:
• The system checks if "CA:TRUE" is specified in the certificate's extensions section and the keyCertSign bit (bit 5) is set in the
KeyUsage bit string extension. If these extensions are not set, the system does not install the certificate.
• The system checks if the Issuer and Subject fields are the same. If these fields are the same, then the certificate is a self-signed
certificate. These certificates are also called root CA certificates, as they are not signed by another CA. The system verifies the
certificate with its own public key and installs the certificate.
• If the Issuer and Subject fields differ, then the certificate is signed by another CA farther up the chain. These certificates are also
called intermediate certificates. If a higher CA certificate is installed on the switch, then the system verifies the downloaded certificate
with that CA's public key. The system repeats this process until the root certificate is reached. The certificate is rejected if the signature
verification fails.
• If a higher CA certificate is not installed on the switch, the system rejects the intermediate CA certificate and logs the attempt. The
system also displays a message indicating the reason for the failure of CA certificate installation. The system checks the "not before"
and "not after" fields against the current system date to ensure that the certificate has not expired.
The verified CA certificate is installed on the switch by adding it to an existing file that contains trusted certificates. The certificate is
inserted into the certificate file that stores certificates in a root-last order. That is, the downloaded certificate is placed in the file before its
own issuer but after any certificates that it may have issued. This way, the system ensures that the CA certificates file is kept in a root-
last order. The file may contain multiple certificates in PEM format concatenated together. This file is stored in a private and persistent
location on the device such as the flash://ADMIN_DIR folder.
After the CA certificate is installed, the system can secure communications with TLS servers by verifying certificates that are signed by the
CA.
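The install checks and the root-last file ordering described above, modelled as an added example (not Dell EMC Networking OS code). It uses the Python cryptography library and constructed Ed25519 test certificates; the function and parameter names are the example's own.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives.asymmetric import ed25519
from cryptography.x509.oid import NameOID

def check_ca_cert(cert, trusted, now=None):
    """Apply the install checks to `cert` against the trusted list (kept root-last).
    Return the new list with `cert` inserted, or raise ValueError with the reason."""
    now = now or datetime.datetime.utcnow()
    bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
    ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    if not (bc.ca and ku.key_cert_sign):           # CA:TRUE and keyCertSign (bit 5)
        raise ValueError("not a CA certificate")
    if not (cert.not_valid_before <= now <= cert.not_valid_after):
        raise ValueError("outside not-before/not-after window")
    if cert.issuer == cert.subject:                  # self-signed root: verify with own key
        signer = cert
    else:                                            # intermediate: issuer must already be installed
        signer = next((c for c in trusted if c.subject == cert.issuer), None)
        if signer is None:
            raise ValueError("issuer CA not installed; install the higher CA first")
    signer.public_key().verify(cert.signature, cert.tbs_certificate_bytes)  # raises on bad sig
    # Root-last order: insert just before the issuer, after anything the cert issued.
    idx = next((i for i, c in enumerate(trusted) if c.subject == cert.issuer), len(trusted))
    return trusted[:idx] + [cert] + trusted[idx:]

def make_cert(cn, issuer=None, issuer_key=None, ca=True):
    """Constructed test material: an Ed25519 certificate (CA or end-entity)."""
    key = ed25519.Ed25519PrivateKey.generate()
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.utcnow()
    ku = x509.KeyUsage(digital_signature=not ca, content_commitment=False, key_encipherment=False,
                       data_encipherment=False, key_agreement=False, key_cert_sign=ca, crl_sign=ca,
                       encipher_only=False, decipher_only=False)
    cert = (x509.CertificateBuilder().subject_name(name)
            .issuer_name(issuer.subject if issuer else name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(days=1))
            .not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .add_extension(ku, critical=True)
            .sign(issuer_key or key, None))           # Ed25519: hash algorithm must be None
    return cert, key

def demo():
    """Install a root, then the intermediate it signed; return subjects in file order."""
    root, root_key = make_cert("Root CA")
    store = check_ca_cert(root, [])
    store = check_ca_cert(make_cert("Intermediate CA", root, root_key)[0], store)
    return [c.subject.rfc4514_string() for c in store]
```

Installing the intermediate before its root, or a certificate lacking CA:TRUE/keyCertSign, raises ValueError with the reason, mirroring the rejection and logged message the text describes.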
Installing CA certificate
To install a CA certificate, enter the crypto ca-cert install {path} command in Global Configuration mode.
Information about Creating Certificate Signing Requests (CSR)
A Certificate Signing Request (CSR) enables a device to get an X.509v3 certificate from a CA.
In order for a device to get an X.509v3 certificate, the device first requests a certificate from a CA through a Certificate Signing Request
(CSR). While creating a CSR, you need to provide the information about the certificate and the private key details. Dell EMC Networking
OS enables you to create a private key and a CSR for a device using a single command.
1232
X.509v3