Dell PowerSwitch S4112F-ON SmartFabric OS10 Security Best Practices Guide July - Page 24

X509v3 Subject Key Identifier, X509v3 Subject Alternative Name

Get Dell PowerSwitch S4112F-ON PDF manuals and user guides View all Dell PowerSwitch S4112F-ON manuals
Add to My Manuals
Save this manual to your list of manuals

Page 24 highlights

Example: Generate and install self-signed certificate and key OS10# crypto cert generate self-signed cert-file home://DellHost.pem key-file home:// DellHost.key email [email protected] length 1024 altname DNS:dell.domain.com validity 365 Processing certificate ... Successfully created certificate file /home/admin/DellHost.pem and key OS10# crypto cert install cert-file home://DellHost.pem key-file home://DellHost.key Processing certificate ... Certificate and keys were successfully installed as "DellHost.pem" that may be used in a security profile. CN = DellHost. Display self-signed certificate OS10# show crypto cert Installed non-FIPS certificates DellHost.pem Installed FIPS certificates OS10# show crypto cert DellHost.pem Non FIPS certificate Certificate: Data: Version: 3 (0x2) Serial Number: 245 (0xf5) Signature Algorithm: sha256WithRSAEncryption Issuer: emailAddress = [email protected] Validity Not Before: Feb 11 20:10:12 2019 GMT Not After : Feb 11 20:10:12 2020 GMT Subject: emailAddress = [email protected] Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus: 00:c7:12:ca:a8:d6:d2:1c:ab:66:9a:d1:db:50:5a: b5:8a:e4:53:9d:f6:b4:fc:cd:f4:b9:46:8a:03:86: be:0b:50:51:c7:25:76:9f:ff:b4:f9:f8:d9:6f:5d: 53:52:0c:4d:05:ed:31:23:79:44:5c:d7:62:01:9d: 41:e8:ff:3a:b0:35:0c:22:d7:ef:df:05:9a:28:6b: 95:10:8e:bc:c6:62:3a:82:30:0f:4f:4e:19:17:48: f1:bd:1e:0c:4f:54:03:42:f3:a7:de:22:40:3d:5e: 6b:b2:8e:23:17:53:ef:10:d9:ae:1d:1f:d6:e4:ae: 25:9f:d9:39:60:5c:49:b0:ad Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09 X509v3 Subject Alternative Name: DNS:dell.domain.com Signature Algorithm: sha256WithRSAEncryption b8:83:ae:34:bb:84:e6:b4:a3:fd:77:20:67:15:3f:02:76:ca: f6:74:d4:d2:36:0e:58:8c:96:13:c2:85:8a:df:ba:c0:d9:c8: Certificate revocation Rationale: A certificate revocation list (CRL) is a list of digital certificates that have been revoked by the issuing certificate authority (CA) before their scheduled expiration date. These certificates are no longer meant to be trusted. Before the switch and an external device, such as a RADIUS or TLS server, set up a secure connection, they present CA-signed certificates to each other. The certificate validation allows peers to authenticate each other's identity, and is followed by checking to ensure that the certificate has not been revoked by the issuing CA. A certificate includes the URL and other information about the certificate distribution point (CDP) that issued the certificate. Using the URL, OS10 accesses the CDP to download a certificate revocation list (CRL). If the external device's certificate is on the list or if the CDP server does not respond, the connection is not set up. Configuration: 24 OS10 security best practices

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
Example: Generate and install self-signed certificate and key
OS10# crypto cert generate self-signed cert-file home://DellHost.pem key-file home://
DellHost.key email [email protected] length 1024 altname DNS:dell.domain.com validity 365
Processing certificate ...
Successfully created certificate file /home/admin/DellHost.pem and key
OS10# crypto cert install cert-file home://DellHost.pem key-file home://DellHost.key
Processing certificate ...
Certificate and keys were successfully installed as "DellHost.pem" that may be used in a
security profile. CN = DellHost.
Display self-signed certificate
OS10# show crypto cert
--------------------------------------
| Installed non-FIPS certificates |
--------------------------------------
DellHost.pem
--------------------------------------
| Installed FIPS certificates |
--------------------------------------
OS10# show crypto cert DellHost.pem
------------ Non FIPS certificate -----------------
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 245 (0xf5)
Signature Algorithm: sha256WithRSAEncryption
Issuer: emailAddress = [email protected]
Validity
Not Before: Feb 11 20:10:12 2019 GMT
Not After : Feb 11 20:10:12 2020 GMT
Subject: emailAddress = [email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:c7:12:ca:a8:d6:d2:1c:ab:66:9a:d1:db:50:5a:
b5:8a:e4:53:9d:f6:b4:fc:cd:f4:b9:46:8a:03:86:
be:0b:50:51:c7:25:76:9f:ff:b4:f9:f8:d9:6f:5d:
53:52:0c:4d:05:ed:31:23:79:44:5c:d7:62:01:9d:
41:e8:ff:3a:b0:35:0c:22:d7:ef:df:05:9a:28:6b:
95:10:8e:bc:c6:62:3a:82:30:0f:4f:4e:19:17:48:
f1:bd:1e:0c:4f:54:03:42:f3:a7:de:22:40:3d:5e:
6b:b2:8e:23:17:53:ef:10:d9:ae:1d:1f:d6:e4:ae:
25:9f:d9:39:60:5c:49:b0:ad
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09
X509v3 Subject Alternative Name:
DNS:dell.domain.com
Signature Algorithm: sha256WithRSAEncryption
b8:83:ae:34:bb:84:e6:b4:a3:fd:77:20:67:15:3f:02:76:ca:
f6:74:d4:d2:36:0e:58:8c:96:13:c2:85:8a:df:ba:c0:d9:c8:
Certificate revocation
Rationale
: A certificate revocation list (CRL) is a list of digital certificates that have been revoked by the issuing certificate authority (CA)
before their scheduled expiration date. These certificates are no longer meant to be trusted.
Before the switch and an external device, such as a RADIUS or TLS server, set up a secure connection, they present CA-signed
certificates to each other. The certificate validation allows peers to authenticate each other's identity, and is followed by checking to
ensure that the certificate has not been revoked by the issuing CA.
A certificate includes the URL and other information about the certificate distribution point (CDP) that issued the certificate. Using the
URL, OS10 accesses the CDP to download a certificate revocation list (CRL). If the external device's certificate is on the list or if the CDP
server does not respond, the connection is not set up.
Configuration
:
24
OS10 security best practices