API Guide

The switch presents its own host certificate to clients that require authentication, such as Syslog and RADIUS servers over TLS and HTTPS connections. The certificate is digitally signed with the private key of the OS10 switch. OS10 supports multiple host certificates so that you can use different certificates with different applications. For more information, see Security profiles.
To obtain a host certificate from a CA:
1. Create a private key and generate a certificate signing request for the switch.
2. Copy the CSR file to a CA server.
3. Copy the CA-signed certificate to the home directory on the switch. Install the trusted certificate.
Generate a certificate signing request and private key
Create a private key and a CSR in EXEC mode. Store the CSR file in the home directory or flash: so that you can later copy it to a CA server. Specify a keypath to store the device.key file in a secure persistent location, such as the home directory, or use the private option to store the key file in a private hidden location in the internal file system that is not visible to users.
crypto cert generate request [cert-file cert-path key-file {private | keypath}] [country 2-letter-code] [state state] [locality city] [organization organization-name] [orgunit unit-name] [cname common-name] [email email-address] [validity days] [length length] [altname alt-name]
If you enter the cert-file option, you must enter all the required parameters, such as the local paths where the certificate and private key are stored, country code, state, locality, and other values.
If you do not specify the cert-file option, you are prompted to fill in the other parameter values for the certificate interactively; for example:
You are about to be asked to enter information that will be incorporated into your
certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value; if you enter '.', the field will be
left blank.
Country Name (2 letter code) [US]:
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) []:Starfleet Command
Organizational Unit Name (eg, section) []:NCC-1701A
Common Name (eg, YOUR name) [hostname]:S4148-001
Email Address []:scotty@starfleet.com
The switch uses SHA-256 as the digest algorithm. The public key algorithm is RSA with a 2048-bit modulus. The KeyUsage bits of the certificate assert keyEncipherment (bit 2) and keyAgreement (bit 4). The keyCertSign bit (bit 5) is NOT set. The ExtendedKeyUsage fields indicate serverAuth and clientAuth.
The attribute CA:FALSE is set in the Extensions section of the certificate. The certificate is NOT used to validate other certificates.
If necessary, re-enter the command to generate multiple certificate-key pairs for different applications on the switch. You can configure a certificate-key pair in a security profile. Using different certificate-key pairs is necessary if you want to change the certificate-key pair for a specified application without interrupting other critical services. For example, RADIUS over TLS may use a different certificate-key pair than SmartFabric services.
NOTE: If the system is in FIPS mode using the crypto fips enable command, the CSR and private key are generated using FIPS-validated and compliant algorithms. You control whether the keys are generated in FIPS mode.
Copy CSR to the CA server
You can copy the CSR from flash to a destination, such as a USB flash drive, using TFTP, FTP, or SCP.
OS10# copy home://DellHost.pem scp:///tftpuser@10.11.178.103:/tftpboot/certs/DellHost.pem
password:
The CA server signs the CSR with its private key. The CA server then makes the signed certificate available for the OS10 switch to download and install.
Install host certificate