Users Guide

Create a private key and a CSR in EXEC mode. Store the CSR file in the home directory or flash: so that you can later
copy it to a CA server. Specify a keypath to store the device.key file in a secure persistent location, such as the home
directory, or use the private option to store the key file in a private hidden location in the internal file system that is not
visible to users.
crypto cert generate request [cert-file cert-path key-file {private | keypath}]
    [country 2-letter code] [state state] [locality city] [organization organization-name]
    [orgunit unit-name] [cname common-name] [email email-address] [validity days]
    [length length] [altname alt-name]
If you enter the cert-file option, you must enter all the required parameters, such as the local paths where the
certificate and private key are stored, country code, state, locality, and other values.
If you do not specify the cert-file option, you are prompted to fill in the other parameter values for the certificate
interactively; for example:
You are about to be asked to enter information that will be incorporated into your
certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value; if you enter '.', the field will be
left blank.
Country Name (2 letter code) [US]:
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) []:Starfleet Command
Organizational Unit Name (eg, section) []:NCC-1701A
Common Name (eg, YOUR name) [hostname]:S4148-001
Email Address []:scotty@starfleet.com
The switch uses SHA-256 as the digest algorithm. The public key algorithm is RSA with a 2048-bit modulus. The KeyUsage
bits of the certificate assert keyEncipherment (bit 2) and keyAgreement (bit 4). The keyCertSign bit (bit 5) is NOT
set. The ExtendedKeyUsage fields indicate serverAuth and clientAuth.
The attribute CA:FALSE is set in the Extensions section of the certificate. The certificate is NOT used to validate other
certificates.
If necessary, re-enter the command to generate multiple certificate-key pairs for different applications on the switch. You
can configure a certificate-key pair in a security profile. Using different certificate-key pairs is necessary if you want to
change the certificate-key pair for a specified application without interrupting other critical services. For example,
RADIUS over TLS may use a different certificate-key pair than SmartFabric services.
NOTE:
If the system is in FIPS mode using the crypto fips enable command, the CSR and private key are generated using
FIPS-validated and compliant algorithms. You manage whether the keys are generated in FIPS mode or not.
Copy CSR to the CA server
You can copy the CSR from flash to a destination, such as a USB flash drive, using TFTP, FTP, or SCP.
OS10# copy home://DellHost.pem scp:///tftpuser@10.11.178.103:/tftpboot/certs/DellHost.pem
password:
The CA server signs the CSR with its private key. The CA server then makes the signed certificate available for the OS10 switch
to download and install.
Install host certificate
1. Use the copy command to download an X.509v3 certificate signed by a CA server to the local home directory using a
secure method, such as HTTPS, SCP, or SFTP.
2. Use the crypto cert install command to install the certificate and the private key generated with the CSR.
Install a trusted certificate and key file in EXEC mode.
crypto cert install cert-file home://cert-filepath key-file {key-path | private} [password passphrase] [fips]
cert-file cert-filepath specifies a source location for a downloaded certificate; for example, home://s4048-001-cert.pem
or usb://s4048-001-cert.pem.
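The following shell script is an added example and is not part of the OS10 guide or Dell's own tooling. Run on an administrator workstation with the openssl CLI (1.1.1 or later assumed), it inspects a CA-signed host certificate before it is installed with crypto cert install and confirms the properties described above for a switch-generated CSR: sha256WithRSAEncryption, a 2048-bit RSA key, KeyUsage asserting keyEncipherment and keyAgreement but not keyCertSign, ExtendedKeyUsage serverAuth and clientAuth, and CA:FALSE. If the key file is also available (that is, it was not generated with the private option and kept on the switch), the script additionally checks that the key matches the certificate. The function names check_host_cert and make_sample_bundle are assumptions of this example; make_sample_bundle is a constructed fixture that stands in for a real CA and real switch output.

```shell
#!/bin/sh
# Pre-install check for a CA-signed host certificate (and optionally its key).
# Added example, not part of the OS10 guide. Assumes a POSIX shell and the
# openssl CLI (1.1.1 or later) on an administrator workstation.

# check_host_cert CERT [KEY]
# Returns 0 when the certificate has every property the guide lists for a
# switch-generated CSR and, if KEY is given, the key file matches it; else 1.
check_host_cert() {
    cert=$1
    key=$2
    status=0
    text=$(openssl x509 -in "$cert" -noout -text) || return 1

    # Digest: SHA-256 over an RSA signature.
    echo "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' \
        || { echo "FAIL: signature algorithm is not sha256WithRSAEncryption"; status=1; }

    # Public key: RSA with a 2048-bit modulus.
    echo "$text" | grep -q 'Public-Key: (2048 bit)' \
        || { echo "FAIL: public key is not 2048-bit RSA"; status=1; }

    # KeyUsage: keyEncipherment (bit 2) and keyAgreement (bit 4) set,
    # keyCertSign (bit 5) clear; a host certificate must not be able to sign.
    echo "$text" | grep -q 'Key Encipherment' \
        || { echo "FAIL: keyEncipherment not asserted"; status=1; }
    echo "$text" | grep -q 'Key Agreement' \
        || { echo "FAIL: keyAgreement not asserted"; status=1; }
    if echo "$text" | grep -q 'Certificate Sign'; then
        echo "FAIL: keyCertSign is set; this is a host certificate, not a CA"
        status=1
    fi

    # ExtendedKeyUsage: serverAuth and clientAuth.
    echo "$text" | grep -q 'TLS Web Server Authentication' \
        || { echo "FAIL: serverAuth missing from ExtendedKeyUsage"; status=1; }
    echo "$text" | grep -q 'TLS Web Client Authentication' \
        || { echo "FAIL: clientAuth missing from ExtendedKeyUsage"; status=1; }

    # BasicConstraints: CA:FALSE, so the certificate cannot validate others.
    echo "$text" | grep -q 'CA:FALSE' \
        || { echo "FAIL: basicConstraints is not CA:FALSE"; status=1; }

    # Optional: the key file must be the one the CSR was generated with.
    # Compare the SHA-256 of the DER-encoded public key taken from each side.
    if [ -n "$key" ]; then
        cert_pub=$(openssl x509 -in "$cert" -noout -pubkey \
            | openssl pkey -pubin -outform DER | openssl dgst -sha256)
        key_pub=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
        if [ "$cert_pub" != "$key_pub" ]; then
            echo "FAIL: private key does not match the certificate"
            status=1
        fi
    fi

    if [ "$status" -eq 0 ]; then
        echo "OK: $cert is ready for crypto cert install"
    fi
    return "$status"
}

# make_sample_bundle DIR
# Constructed test fixture, not real switch or CA output: a throwaway CA signs
# a CSR for CN=S4148-001 with the extensions the guide describes, and an
# unrelated second key is produced so the mismatch path can be exercised.
make_sample_bundle() {
    dir=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/ca.key" 2>/dev/null
    openssl req -x509 -new -key "$dir/ca.key" -subj '/CN=Sample CA' -days 30 \
        -sha256 -out "$dir/ca.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/host.key" 2>/dev/null
    openssl req -new -key "$dir/host.key" -subj '/CN=S4148-001' \
        -out "$dir/host.csr" 2>/dev/null
    printf '%s\n' 'keyUsage = keyEncipherment, keyAgreement' \
        'extendedKeyUsage = serverAuth, clientAuth' \
        'basicConstraints = CA:FALSE' > "$dir/host.ext"
    openssl x509 -req -in "$dir/host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$dir/host.ext" \
        -out "$dir/host.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/other.key" 2>/dev/null
}

# Usage: sh check_host_cert.sh s4048-001-cert.pem [s4048-001.key]
if [ "$#" -eq 1 ] || [ "$#" -eq 2 ]; then
    check_host_cert "$1" "$2"
fi
```

The checks are deliberately on the human-readable openssl x509 -text output rather than on raw extension bytes, because that is what an administrator already has in front of them; a failed check means the CA issued something other than what the switch's CSR asked for (for example, a CA-capable certificate or a reduced key size), and the pair should not be installed until the CA re-issues it.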
1386
Security