Users Guide
● Create a self-signed certificate in EXEC mode. Store the device.key file in a secure, persistent location, such as NVRAM.
crypto cert generate self-signed [cert-file cert-path key-file {private | keypath}]
[country 2-letter code] [state state] [locality city] [organization organization-name]
[orgunit unit-name] [cname common-name] [email email-address] [validity days]
[length length] [altname alt-name]
If you enter the cert-file option, you must enter all the required parameters, including the local path where the
certificate and private key are stored.
If you do specify the cert-file option, you are prompted to enter the other parameter values for the certificate
interactively; for example:
You are about to be asked to enter information that will be incorporated in your
certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value; if you enter '.', the field will be
left blank.
Country Name (2 letter code) [US]:
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) []:Starfleet Command
Organizational Unit Name (eg, section) []:NCC-1701A
Common Name (eg, YOUR name) [hostname]:S4148-001
Email Address []:scotty@starfleet.com
The switch uses SHA-256 as the digest algorithm. The public key algorithm is RSA with a 2048-bit modulus.
NOTE:
When using self-signed X.509v3 certificates with Syslog and RADIUS servers, configure the server to accept self-
signed certificates. Syslog and RADIUS servers require mutual authentication, which means that the client and server must
verify each other's certificates. Dell EMC Networking recommends configuring a CA server to sign certificates for all
trusted devices in the network.
Install self-signed certificate
● Install a self-signed certificate and key file in EXEC mode.
crypto cert install cert-file home://cert-filename key-file {key-path | private}
[password passphrase] [fips]
○ cert-file cert-path specifies a source location for a downloaded certificate; for example, home://s4048-001-
cert.pem or usb://s4048-001-cert.pem.
○ key-file {key-path | private} specifies the local path to retrieve the downloaded or locally generated private
key. Enter private to install the key from a local hidden location and rename the key file with the certificate name.
○ password passphrase specifies the password used to decrypt the private key if it was generated using a password.
○ fips installs the certificate-key pair as FIPS-compliant. Enter fips to install a certificate-key pair that is used by a
FIPS-aware application, such as RADIUS over TLS. If you do not enter fips, the certificate-key pair is stored as a non-
FIPS compliant pair.
NOTE:
You determine if the certificate-key pair is generated as FIPS-compliant. Do not use FIPS-compliant
certificate-key pairs outside of FIPS mode.
○ If you enter fips after using the key-file private option in the crypto cert generate request command,
a FIPS-compliant private key is stored in a hidden location in the internal file system that is not visible to users.
If the certificate installation is successful, the file name of the self-signed certificate and its common name are displayed. Use
the file name to configure the certificate in a security profile using the crypto security-profile command.
Example: Generate and install self-signed certificate and key
OS10# crypto cert generate self-signed cert-file home://DellHost.pem key-file home://
DellHost.key email admin@dell.com length 1024 altname DNS:dell.domain.com validity 365
Processing certificate ...
Successfully created certificate file /home/admin/DellHost.pem and key
OS10# crypto cert install cert-file home://DellHost.pem key-file home://DellHost.key
Processing certificate ...
Security
1389