API Guide
Self-signed certificates
Administrators may prefer to not set up a Certificate Authority and implement a certificate trust model in the network, but still
want to use the privacy features provided by the Transport Layer Security (TLS) protocol. In this case, self-signed certificates
can be used.
A self-signed certificate is not signed by a CA. The switch presents itself as a trusted device in its certificate. Connecting clients
may prompt their users to trust the certificate — for example, when a web browser warns that a site is unsafe — or to reject
the certificate, depending on the configuration. A self-signed certificate does not provide protection against man-in-the-middle
attacks.
To generate and install a self-signed certificate:
1. Create a self-signed certificate and key in a local directory or USB flash drive.
2. Install the self-signed certificate.
Generate a self-signed certificate
● Create a self-signed certificate in EXEC mode. Store the device.key file in a secure, persistent location, such as NVRAM.
crypto cert generate self-signed [cert-file cert-path key-file {private | keypath}]
[country 2-letter code] [state state] [locality city] [organization organization-name]
[orgunit unit-name] [cname common-name] [email email-address] [validity days]
[length length] [altname alt-name]
If you enter the cert-file option, you must enter all the required parameters, including the local path where the
certificate and private key are stored.
If you do specify the cert-file option, you are prompted to enter the other parameter values for the certificate
interactively; for example:
You are about to be asked to enter information that will be incorporated in your
certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value; if you enter '.', the field will be
left blank.
Country Name (2 letter code) [US]:
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) []:Starfleet Command
Organizational Unit Name (eg, section) []:NCC-1701A
Common Name (eg, YOUR name) [hostname]:S4148-001
Email Address []:scotty@starfleet.com
The switch uses SHA-256 as the digest algorithm. The public key algorithm is RSA with a 2048-bit modulus.
NOTE:
When using self-signed X.509v3 certificates with Syslog and RADIUS servers, configure the server to accept self-
signed certificates. Syslog and RADIUS servers require mutual authentication, which means that the client and server must
verify each other's certificates. Dell EMC Networking recommends configuring a CA server to sign certificates for all
trusted devices in the network.
Install self-signed certificate
● Install a self-signed certificate and key file in EXEC mode.
crypto cert install cert-file home://cert-filename key-file {key-path | private}
[password passphrase] [fips]
○ cert-file cert-path specifies a source location for a downloaded certificate; for example, home://s4048-001-
cert.pem or usb://s4048-001-cert.pem.
○ key-file {key-path | private} specifies the local path to retrieve the downloaded or locally generated private
key. Enter private to install the key from a local hidden location and rename the key file with the certificate name.
○ password passphrase specifies the password used to decrypt the private key if it was generated using a password.
○ fips installs the certificate-key pair as FIPS-compliant. Enter fips to install a certificate-key pair that is used by a
FIPS-aware application, such as RADIUS over TLS. If you do not enter fips, the certificate-key pair is stored as a non-
FIPS compliant pair.
1064
Security