Connectivity Guide
– If you enter fips after using the key-file private option in the crypto cert generate request command, a FIPS-compliant private key is stored in a hidden location in the internal file system that is not visible to users.
If the certificate installation is successful, the file name of the host certificate and its common name are displayed. Use the filename to
configure the certificate in a security profile (crypto security-profile command).
Example: Generate CSR and upload to server
OS10# crypto cert generate request cert-file home://DellHost.pem key-file home://DellHost.key email admin@dell.com length 1024 altname DNS:dell.domain.com
Processing certificate ...
Successfully created CSR file /home/admin/DellHost.pem and key
OS10# copy home://DellHost.pem scp:///tftpuser@10.11.178.103:/tftpboot/certs/DellHost.pem
password:
Host certificate tip
When administering a large number of switches, you may choose to not generate numerous CSRs for all switches. An alternate method of
installing a host certificate on each switch is to generate both the private key file and CSR offline; for example, on the CA server. The CSR
is signed by the CA, which generates both a certificate and key file. You then copy the trusted certificate and key file to the switch using
the copy command and install them using the crypto cert install cert-file home://cert-filename key-file
home://key-filename command.
NOTE: For security reasons, the private key file is copied to an internal, secure location and removed from the viewable file
system.
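The offline flow described in the tip, sketched with the OpenSSL command line as an added example (not taken from the Dell guide). The throwaway demo CA, the file names, the SAN values and the 2048-bit RSA key size are assumptions; a real deployment signs with its existing CA.

```shell
#!/bin/sh
# Added example, not Dell code. Names, SAN values and the CA are constructed.
# Offline flow from the tip: key + CSR are created off the switch, the CA signs,
# and only the resulting NAME.pem / NAME.key pair is copied to the switch.

# make_demo_ca DIR: throwaway stand-in for the real CA (assumption)
make_demo_ca() {
    mkdir -p "$1" && ( umask 077
    # Own config so results do not depend on the system openssl.cnf
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' 'prompt=no' \
        '[dn]' 'CN=Demo_CA' '[ca]' 'basicConstraints=critical,CA:TRUE' > "$1/req.cnf" &&
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -config "$1/req.cnf" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null )
}

# make_host_cert NAME SAN DIR: writes DIR/NAME.key, NAME.csr and NAME.pem
make_host_cert() {
    name=$1; san=$2; dir=$3
    ( umask 077   # private key files must not be group/world readable
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" -subj "/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null &&
    # The signer sets the SAN from an extension file, not from the CSR
    printf 'subjectAltName=%s\n' "$san" > "$dir/$name.ext" &&
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 365 -extfile "$dir/$name.ext" \
        -out "$dir/$name.pem" 2>/dev/null )
}

# check_host_cert NAME DIR: 0 only if cert chains to the CA and matches the key
check_host_cert() {
    openssl verify -CAfile "$2/ca.pem" "$2/$1.pem" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$2/$1.pem" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2/$1.key" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Stand-alone use: ./offline_cert.sh DIR NAME SAN
if [ "$#" -eq 3 ]; then
    make_demo_ca "$1" && make_host_cert "$2" "$3" "$1" && check_host_cert "$2" "$1" &&
        echo "ready to copy: $1/$2.pem $1/$2.key"
fi
```

Running check_host_cert before the copy catches a certificate paired with the wrong key file while the files are still on the CA server.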
Example: Download and install trusted certificate and private key
OS10# copy scp:///tftpuser@10.11.178.103:/tftpboot/certs/Dell_host1_CA1.pem home://Dell_host1_CA1.pem
password:
OS10# copy scp:///tftpuser@10.11.178.103:/tftpboot/certs/Dell_host1_CA1.key home://Dell_host1_CA1.key
password:
OS10# crypto cert install cert-file home://Dell_host1_CA1.pem key-file home://Dell_host1_CA1.key
Processing certificate ...
Certificate and keys were successfully installed as "Dell_host1_CA1.pem" that may be used in a
security profile. CN = Dell_host1_CA1
Display trusted certificates
OS10# show crypto cert
--------------------------------------
| Installed non-FIPS certificates |
--------------------------------------
Dell_host1_CA1.pem
--------------------------------------
| Installed FIPS certificates |
--------------------------------------
OS10# show crypto cert Dell_host1_CA1.pem
------------ Non FIPS certificate -----------------
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4096 (0x1000)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = California, O = Dell EMC, OU = Networking, CN = Dell_interCA1
Validity
Not Before: Jul 25 19:11:19 2018 GMT
Not After : Jul 22 19:11:19 2028 GMT
Subject: C = US, ST = California, L = Santa Clara, O = Dell EMC, OU = Networking, CN =
Dell_host1_CA1
Subject Public Key Info:
Public Key Algorithm: rsaEncryption