Users Guide

2. Install CRLs that have been downloaded from CDPs in EXEC mode.
crypto crl install crl-path [crl-filename]
Display a list of the CRLs installed on the switch in EXEC mode.
show crypto crl [crl-filename]
To delete a manually installed CRL that was configured with the crypto crl install command, use the crypto crl delete [crl-filename] command.
To enable CRL checking on the switch, see Security profiles.
Example: Configure CDP
OS10# crypto cdp add cert1_cdp http://crl.chambersign.org/chambersignroot.crl
Successfully added CDP
OS10# show crypto cdp
--------------------------------------
| Manually installed CDPs |
--------------------------------------
cert1_cdp.crl_url
--------------------------------------
| Automatically installed CDPs |
--------------------------------------
Example: Install CRL
OS10# crypto crl install home://pki-regression/Network_Solutions_Certificate_Authority.0.crl.pem
Processing file ...
issuer=C=US,O=Network Solutions L.L.C.,CN=Network Solutions Certificate
Authority.0.crl.pem
lastUpdate=Jul 7 04:15:08 2019 GMT
nextUpdate=Jul 11 04:15:08 2019 GMT
OS10# show crypto crl
--------------------------------------
| Manually installed CRLs |
--------------------------------------
Network_Solutions_Certificate_Authority.0.crl.pem
--------------------------------------
| Downloaded CRLs |
--------------------------------------
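Added example (not part of the original guide): a workstation-side Python check that reads the lastUpdate and nextUpdate lines printed by crypto crl install and reports whether a manually installed CRL is still inside its validity window. The function names, the 24-hour warning threshold and the reference time are assumptions made for this example; the sample text is constructed from the output shown above.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: the status lines from the install example above.
SAMPLE_OUTPUT = """\
Processing file ...
issuer=C=US,O=Network Solutions L.L.C.,CN=Network Solutions Certificate
Authority.0.crl.pem
lastUpdate=Jul 7 04:15:08 2019 GMT
nextUpdate=Jul 11 04:15:08 2019 GMT
"""

def parse_crl_times(text):
    """Return (lastUpdate, nextUpdate) as UTC datetimes from the install output."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("lastUpdate", "nextUpdate"):
            # Collapse repeated spaces; single-digit days may be space-padded.
            stamp = " ".join(value.split())
            parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
            found[key] = parsed.replace(tzinfo=timezone.utc)
    missing = {"lastUpdate", "nextUpdate"} - found.keys()
    if missing:
        raise ValueError("missing field(s): " + ", ".join(sorted(missing)))
    return found["lastUpdate"], found["nextUpdate"]

def crl_status(text, now, warn_before=timedelta(hours=24)):
    """Classify a CRL at time `now`; returns (status, time left until nextUpdate)."""
    last_update, next_update = parse_crl_times(text)
    if next_update <= last_update:
        raise ValueError("nextUpdate is not later than lastUpdate")
    remaining = next_update - now
    if now < last_update:
        return "not-yet-valid", remaining   # clock skew or a malformed CRL
    if remaining <= timedelta(0):
        return "stale", remaining           # later revocations are not listed
    if remaining <= warn_before:
        return "refresh-due", remaining     # install a newer CRL now
    return "fresh", remaining

if __name__ == "__main__":
    # Constructed reference time inside the last 24 hours of the window.
    now = datetime(2019, 7, 10, 12, 0, 0, tzinfo=timezone.utc)
    status, remaining = crl_status(SAMPLE_OUTPUT, now)
    print(status, remaining)
```

The CRL in the example is valid for only four days, so a manually installed copy needs to be replaced on that schedule.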
Request and install host certificates
OS10 also supports the switch obtaining its own X.509v3 host certificate. In this procedure, you generate a certificate signing
request (CSR) and a private key. Store the private key locally in a secure location. Copy the CSR file to a certificate authority.
The CA generates a host certificate for an OS10 switch by digitally signing the switch certificate contained in the CSR.
The administrator then copies the CA-signed host certificate to the home directory on the switch. Because a local private key is
created when the CSR is generated, it is not necessary to install a private key using an uploaded file.
The switch presents its own host certificate to clients that require authentication, such as Syslog and RADIUS servers over TLS
and HTTPS connections. The certificate is digitally signed with the private key of the OS10 switch. OS10 supports multiple host
certificates so that you can use different certificates with different applications. For more information, see Security profiles.
To obtain a host certificate from a CA:
1. Create a private key and generate a certificate signing request for the switch.
2. Copy the CSR file to a CA server.
3. Copy the CA-signed certificate to the home directory on the switch. Install the trusted certificate.
Generate a certificate signing request and private key