Cisco MDS-9124 Troubleshooting Guide - Page 480
Switches > Security > PKI, Admin > Flash Files
View all Cisco MDS-9124 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 480 highlights
Digital Certificate Issues Chapter 24 Troubleshooting Digital Certificates Send documentation comments to [email protected] Step 4 Step 5 Step 6 Step 7 Step 8 Step 9 Follow these steps to create a trust point and associate the RSA key pairs with it: a. Choose Switches > Security > PKI and select the Trust Point tab. b. Click Create Row and set the TrustPointName field. c. Select the RSA key pairs from the KeyPairName drop-down menu. d. Select the certificates revocation method from the RevokeCheckMethods drop-down menu. e. Click Create. Choose Switches > Copy Configuration and click Apply Changes to copy the running-config to startup-config and save the trust point and key pair. Download the CA certificate from the CA that you want to add as the trustpoint CA. Follow these steps to authenticate the CA that you want to enroll to the trust point: a. In Device Manager, choose Admin > Flash Files and select Copy and then select tftp from the Protocols radio button to copy the CA certificate to bootflash. b. In Fabric Manager, choose Switches > Security > PKI and select the TrustPoint Actions tab. c. Select cauth from the Command drop-down menu. d. Click... in the URL field and select the CA certificate from bootflash. e. Click Apply Changes to authenticate the CA that you want to enroll to the trust point. f. Click the Trust Point Actions tab in the Information Pane. g. Make a note of the CA certificate fingerprint displayed in the IssuerCert FingerPrint column for the trust point row in question. Compare the CA certificate fingerprint with the fingerprint already communicated by the CA (obtained from the CA web site). If the fingerprints match exactly, accept the CA by selecting the certconfirm trust point action. Otherwise, reject the CA by selecting the certnoconfirm trust point action. h. If you selected certconfirm in step g, select the Trust Point Actions tab, select certconfirm from the Command drop-down menu and then click Apply Changes. i. If you selected certnoconfirm inStep g, select the Trust Point Actions tab, select certnoconfirm from the Command drop-down menu, and then click Apply Changes. Follow these steps to generate a certificate request for enrolling with that trust point: a. Select the Trust Point Actions tab in the Information pane. b. Select certreq from the Command drop-down menu. This generates a PKCS#10 certificate signing request (CSR) needed for an identity certificate from the CA corresponding to this trust point entry. c. Enter the output file name for storing the generated certificate request. It should be specified in the bootflash:filename format and will be used to store the CSR generated in PEM format. d. Enter the challenge password to be included in the CSR. The challenge password is not saved with the configuration. This password is required in the event that your certificate needs to be revoked, so you must remember this password. e. Click Apply Changes to save the changes. Request an identity certificate from the CA. Note The CA may require manual verification before issuing the identity certificate. 24-6 Cisco MDS 9000 Family Troubleshooting Guide, Release 3.x OL-9285-05