Users Guide

Replace the default certificate-key pair used for cluster applications:
- In a deployment where untrusted devices access management or data ports on an OS10 switch.
- Before the default X.509v3 certificate expires on July 27, 2021. If the default certificate-key pair expires, the VLT domain on
  peer switches does not come up.
NOTE: The expiration date for the default certificate-key pair that is installed by OS10 on a switch running the 10.5.0.0
release is July 27, 2021. To ensure secure communication in a cluster before the expiration date, install a more recent
X.509v3 certificate-key pair.
Create a custom X.509v3 certificate-key pair by configuring an application-specific security profile using the cluster
security-profile command. Before the default or custom X.509v3 certificate-key pair that is used between the peer
devices in a VLT domain or fabric application cluster expires, install a valid CA certificate by following the procedures in:
- Manage CA certificates.
- Request and install host certificates.
When you replace the default certificate-key pair for cluster applications, ensure that all devices in the cluster use the same
custom certificate-key pair or a unique certificate-key pair that is issued by the same CA.
CAUTION: While you replace the default certificate-key pair, cluster devices temporarily lose their secure
channel connectivity. Dell EMC Networking recommends that you change the cluster security configuration
during a maintenance time.
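One way to check, before the maintenance window, that every peer's host certificate is issued by the same CA and is not close to expiry. This is an added example, not part of the OS10 guide: it runs on an admin host with OpenSSL (not on the switch), expects PEM files, and the function names, file names and day threshold are assumptions.

```shell
#!/bin/sh
# Added example: off-box pre-check of cluster certificates before they are
# installed on the switches. Requires the openssl command-line tool.

# cert_ok CA_PEM HOST_PEM MIN_DAYS
# Succeeds only if HOST_PEM chains to CA_PEM and remains valid for at least
# MIN_DAYS more days.
cert_ok() {
    _ca=$1; _crt=$2; _days=$3
    if ! openssl verify -CAfile "$_ca" "$_crt" >/dev/null 2>&1; then
        echo "FAIL $_crt: not issued by $_ca, or already expired"
        return 1
    fi
    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$_crt" -noout -checkend $((_days * 86400)) >/dev/null; then
        echo "FAIL $_crt: expires within $_days days"
        return 1
    fi
    echo "OK   $_crt: $(openssl x509 -in "$_crt" -noout -enddate)"
}

# cluster_ok CA_PEM MIN_DAYS HOST_PEM...
# Checks the host certificate of every peer; returns non-zero if any fails,
# but still reports on all of them.
cluster_ok() {
    ca=$1; min_days=$2; shift 2
    rc=0
    for peer_cert in "$@"; do
        cert_ok "$ca" "$peer_cert" "$min_days" || rc=1
    done
    return $rc
}

# Usage (hypothetical file names):
#   ./check_cluster_certs.sh ca.pem 30 peer1.pem peer2.pem
if [ "$#" -ge 3 ]; then cluster_ok "$@"; fi
```
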
This example shows how to install an X.509v3 CA and host certificate-key pair for a cluster application. For more information,
see:
- Importing and installing a CA certificate: see Manage CA certificates.
- Generating a CSR and installing a host certificate: see Request and install host certificates.
1. Install a trusted CA certificate.
OS10# copy tftp://CAadmin:secret@172.11.222.1/GeoTrust_Universal_CA.crt home://GeoTrust_Universal_CA.crt
OS10# crypto ca-cert install home://GeoTrust_Universal_CA.crt
Processing certificate ...
Installed Root CA certificate
CommonName = GeoTrust Universal CA
IssuerName = GeoTrust Universal CA
2. Generate a CSR, copy the CSR to a CA server, download the signed certificate, and install the host certificate.
OS10# crypto cert generate request cert-file home://s4048-001.csr key-file home://tsr6.key cname "Top of Rack 6" altname "IP:10.0.0.6 DNS:tor6.dell.com" email admin@dell.com organization "Dell EMC" orgunit Networking locality "Santa Clara" state California country US length 1024
Processing certificate ...
Successfully created CSR file /home/admin/tor6.csr and key
OS10# copy home://tor6.csr scp://CAadmin:secret@172.11.222.1/s4048-001-csr.pem
OS10# copy scp://CAadmin:secret@172.11.222.1/s4048-001.crt usb://s4048-001.crt
OS10# crypto cert install crt-file usb://s4048-001.crt key-file usb://s4048-001.key
This will replace the already installed host certificate.
Do you want to proceed ? [yes/no(default)]:yes
Processing certificate ...
Host certificate installed successfully.
3. Configure an X.509v3 security profile.
OS10# show crypto cert
-------------------------------------
| Installed non-FIPS certificates |
-------------------------------------
s4048-001
-------------------------------------
| Installed FIPS certificates |
-------------------------------------
OS10# config terminal
Security