Dell MX9116n SmartFabric OS10 Security Best Practices Guide July 2020 - Page 21
X.509v3 certificates
OS10 supports X.509v3 certificates to secure communications between the switch and a host, such as a RADIUS server. The switch and the server each present a public key in a signed X.509v3 certificate issued by a certificate authority (CA), and each side validates the other's certificate to authenticate it. The CA uses its private key to sign host certificates.

Generate a certificate signing request and private key

Rationale: To use X.509v3 certificates for secure communication and user authentication on OS10 switches in a network, a public key infrastructure (PKI) with a certificate authority (CA) is required. The CA signs certificates that vouch for the identity of network devices, so any peer that trusts the CA can authenticate a switch without a preconfigured per-device secret.

Configuration:

• Create a private key and a CSR in EXEC mode. Store the CSR file in the home directory or flash: so that you can later copy it to a CA server. Specify a keypath to store the device.key file in a secure persistent location, such as the home directory, or use the private option to store the key file in a private hidden location in the internal file system that is not visible to users. Only the CSR leaves the switch; the private key stays on the device.

OS10# crypto cert generate request cert-file cert-path key-file {private | keypath} country 2-letter-code state state locality city organization organization-name orgunit unit-name cname common-name email email-address validity days length bit-length altname altname

○ request: Create a certificate signing request to copy to a CA.
○ cert-file cert-path: (Optional) Enter the local path where the self-signed certificate or CSR is stored. You can enter a full path or a relative path; for example, flash://certs/s4810-001-request.csr or usb://s4810-001.crt. If you do not enter the cert-file option, the system interactively prompts you for the remaining fields of the certificate signing request. Export the CSR to a CA using the copy command.
○ key-file {key-path | private}: Enter the local path where the downloaded or locally generated private key is stored. If the key is fetched from a remote server, enter the server path using a secure method, such as HTTPS, SCP, or SFTP. Enter private to store the key in a local hidden location.
○ country 2-letter-code: (Optional) Enter the two-letter code that identifies the country.
○ state state: Enter the name of the state.
○ locality city: Enter the name of the city.
○ organization organization-name: Enter the name of the organization.
○ orgunit unit-name: Enter the name of the unit.
○ cname common-name: Enter the common name assigned to the certificate. The common name is the main identity presented to connecting devices. By default, the hostname of the switch is the common name. You can configure a different common name for the switch; for example, an IP address. If the common-name value does not match the identity of the device as seen by the peer, a signed certificate does not validate.
○ email email-address: Enter a valid email address used to communicate with the organization.
○ validity days: Enter the number of days that the certificate is valid. For a CSR, validity has no effect; the CA sets the validity period when it signs. For a self-signed certificate, the default is 3650 days, or 10 years.
○ length bit-length: Enter the key length in bits. For FIPS mode, the range is 2048 to 4096; for non-FIPS mode, the range is 1024 to 4096. The default in both modes is 2048 bits. Avoid keys shorter than 2048 bits even in non-FIPS mode; 1024-bit RSA is below current minimum recommendations.
○ altname altname: Enter a subject alternative name (SAN) for the switch; for example, its management IP address, as in altname IP:192.168.1.100. Peers that validate identity against the SAN, as most current TLS clients do, require the name or address they connect to appear here.

• Copy the CSR to the CA server.

OS10# copy home://DellHost.pem scp:///file-path/DellHost.pem
password:

The CA server signs the CSR with its private key and then makes the signed certificate available for the OS10 switch to download and install.

• Install the host certificate.
○ Use the copy command to download the X.509v3 certificate signed by the CA server to the local home directory using a secure method, such as HTTPS, SCP, or SFTP.
○ Use the crypto cert install command to install the certificate together with the private key generated with the CSR:

crypto cert install cert-file home://cert-filepath key-file {key-path | private} [password passphrase] [fips]
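The CA side of the procedure above, and the checks a relying party such as a RADIUS server performs on the result, as an added example that is not from the Dell guide or from OS10. It uses openssl to stand in for the switch (on a real switch the key and CSR come from crypto cert generate request and only the CSR is copied off), enforces the 2048-bit minimum before signing, signs the CSR as a lab CA while carrying the altname IP into the issued certificate, and then verifies the chain and the CN/SAN identity match the guide warns about. Assumed and hypothetical: OpenSSL 1.1.1 or later (for -addext and -ext), the hostname switch-01.example.com, the address 192.168.1.100, and the names Example Corp and lab-ca.

```shell
#!/bin/sh
# Added example, not part of the Dell OS10 guide. Hypothetical names:
# switch-01.example.com, 192.168.1.100, Example Corp, lab-ca.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SWITCH_CN="switch-01.example.com"
SWITCH_IP="192.168.1.100"

# 1. Stand-in for the switch: a 2048-bit RSA key and a CSR whose CN is the
#    hostname and whose SAN carries the management IP (the guide's
#    "altname IP:..."). On OS10 this is crypto cert generate request.
make_switch_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/device.key" -out "$WORK/device.csr" \
        -subj "/C=US/ST=Texas/L=Round Rock/O=Example Corp/OU=NetOps/CN=$SWITCH_CN/emailAddress=netops@example.com" \
        -addext "subjectAltName=DNS:$SWITCH_CN,IP:$SWITCH_IP" 2>/dev/null
}

# 2. CA intake check: read the CSR's public key size and refuse anything
#    below the FIPS-mode minimum of 2048 bits.
csr_key_bits() {
    openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

check_csr() {
    bits=$(csr_key_bits "$1")
    [ "$bits" -ge 2048 ]
}

# 3. The CA: a self-signed root, then the switch certificate. The CA, not
#    the CSR, decides validity (-days), and the SAN is supplied from an
#    extension file so the issued certificate still carries the IP.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/O=Example Corp/CN=lab-ca" 2>/dev/null
}

sign_csr() {
    printf 'subjectAltName=DNS:%s,IP:%s\nextendedKeyUsage=serverAuth,clientAuth\n' \
        "$SWITCH_CN" "$SWITCH_IP" > "$WORK/ext.cnf"
    openssl x509 -req -in "$1" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -extfile "$WORK/ext.cnf" -out "$2" 2>/dev/null
}

# 4. What the peer checks before trusting the switch: the certificate chains
#    to the trusted CA, and the identity it connected to is the CN or is in
#    the SAN list. A mismatch here is the "does not validate" case.
verify_chain() {
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

verify_identity() {
    openssl x509 -in "$1" -noout -subject -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' \
        | sed 's/^ *//; s/^DNS://; s/^IP Address://; s/.*CN *= *//' \
        | grep -qxF "$2"
}

# End-to-end run: CSR, intake check, CA, signing, then the peer-side checks.
issue_and_verify() {
    make_switch_csr
    check_csr "$WORK/device.csr"
    make_ca
    sign_csr "$WORK/device.csr" "$WORK/device.crt"
    verify_chain "$WORK/device.crt"
    verify_identity "$WORK/device.crt" "$SWITCH_CN"
    verify_identity "$WORK/device.crt" "$SWITCH_IP"
}

issue_and_verify && echo "issued and verified $WORK/device.crt"
```

The issued device.crt is what would be copied back to the switch and installed with crypto cert install against the key generated alongside the CSR; the CA never sees that key. The last check is the one to run against a certificate before deploying it: if the management address or hostname peers connect to is not the CN and not in the SAN, the certificate will be rejected even though it chains correctly.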