Dell PowerSwitch S4128F-ON SmartFabric OS10 Security Best Practices Guide July - Page 21


X.509v3 certificates

OS10 supports X.509v3 certificates to secure communications between the switch and a host, such as a RADIUS server. Both the switch and the server exchange a public key in a signed X.509v3 certificate issued by a certificate authority (CA) to authenticate each other. The certificate authority uses its private key to sign host certificates.

Generate a certificate signing request and private key

Rationale: To use X.509v3 certificates for secure communication and user authentication on OS10 switches in a network, a public key infrastructure (PKI) with a certificate authority (CA) is required. The CA signs certificates that prove the trustworthiness of network devices.

Configuration:

• Create a private key and a CSR in EXEC mode. Store the CSR file in the home directory or flash: so that you can later copy it to a CA server. Specify a keypath to store the device.key file in a secure persistent location, such as the home directory, or use the private option to store the key file in a private hidden location in the internal file system that is not visible to users.

  OS10# crypto cert generate request cert-file cert-path key-file {private | keypath} country 2-letter-code state state locality city organization organization-name orgunit unit-name cname common-name email email-address validity days length bit-length [altname altname]

  ○ request—Create a certificate signing request to copy to a CA.
  ○ cert-file cert-path—(Optional) Enter the local path where the self-signed certificate or CSR is stored. You can enter a full path or a relative path; for example, flash://certs/s4810-001-request.csr or usb://s4810-001.crt. If you do not enter the cert-file option, the system interactively prompts you to enter the remaining fields of the certificate signing request. Export the CSR to a CA using the copy command.
  ○ key-file {key-path | private}—Enter the local path where the downloaded or locally generated private key is stored. If the key was downloaded to a remote server, enter the server path using a secure method, such as HTTPS, SCP, or SFTP. Enter private to store the key in a local hidden location.
  ○ country 2-letter-code—(Optional) Enter the two-letter code that identifies the country.
  ○ state state—Enter the name of the state.
  ○ locality city—Enter the name of the city.
  ○ organization organization-name—Enter the name of the organization.
  ○ orgunit unit-name—Enter the name of the unit.
  ○ cname common-name—Enter the common name assigned to the certificate. The common name is the main identity presented to connecting devices. By default, the hostname of the switch is the common name. You can configure a different common name for the switch; for example, an IP address. If the common-name value does not match the identity of the device, a signed certificate does not validate.
  ○ email email-address—Enter a valid email address used to communicate with the organization.
  ○ validity days—Enter the number of days that the certificate is valid. For a CSR, validity has no effect. For a self-signed certificate, the default is 3650 days (10 years).
  ○ length bit-length—Enter the key length in bits. For FIPS mode, the range is from 2048 to 4096 bits; for non-FIPS mode, the range is from 1024 to 4096 bits. The default key length for both FIPS and non-FIPS mode is 2048 bits.
  ○ altname altname—Enter an alternate name for the organization; for example, the IP address of the switch, such as altname IP:192.168.1.100.

• Copy the CSR to the CA server.

  OS10# copy home://DellHost.pem scp:///file-path/DellHost.pem
  password:

  The CA server signs the CSR with its private key. The CA server then makes the signed certificate available for the OS10 switch to download and install.

• Install the host certificate.
  ○ Use the copy command to download an X.509v3 certificate signed by a CA server to the local home directory using a secure method, such as HTTPS, SCP, or SFTP.
  ○ Use the crypto cert install command to install the certificate and the private key generated with the CSR.

  crypto cert install cert-file home://cert-filepath key-file {key-path | private} [password passphrase] [fips]
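The CSR, CA-signing and install steps above replayed on a workstation with the openssl CLI, as an added example rather than OS10 commands or Dell tooling. It goes one step beyond the guide by showing what the CA server does with the exported CSR, and it exercises the caveat about the common name: a certificate whose chain verifies still fails when the peer connects to an address that is neither the common name nor an altname. The switch name s4128f-lab01, the subject fields, the lab CA, and the 10.0.0.9 and other-switch counter-examples are constructed placeholders; the IP 192.168.1.100 is the guide's own altname example. An openssl release with -addext (1.1.1 or newer) is assumed.

```shell
#!/bin/sh
# Added example (not from the Dell guide): replay the OS10 CSR workflow with the
# openssl CLI so the CA-side signing and the peer's identity check are visible.
# All names, addresses and subject fields are constructed placeholders.
set -eu

WORK="$(mktemp -d)"

# Constructed switch identity. The IP matches the guide's altname example.
SWITCH_CN="s4128f-lab01"
SWITCH_IP="192.168.1.100"

# Switch side: the equivalent of "crypto cert generate request ... cname
# s4128f-lab01 length 2048 altname IP:192.168.1.100": a private key (device.key)
# plus a CSR carrying the subject fields and the IP altname.
generate_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/device.key" -out "$WORK/device.csr" \
    -subj "/C=US/ST=Texas/L=Round Rock/O=Example Org/OU=Network/CN=$SWITCH_CN/emailAddress=netops@example.com" \
    -addext "subjectAltName=IP:$SWITCH_IP" >/dev/null 2>&1
}

# CA side: a throwaway lab CA signs the CSR with its own private key. The SAN is
# supplied again from an extension file because the CA, not the requester,
# decides which extensions end up in the signed certificate.
sign_csr() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Example Lab CA" >/dev/null 2>&1
  printf 'subjectAltName=IP:%s\n' "$SWITCH_IP" > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/device.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 365 -extfile "$WORK/san.ext" -out "$WORK/device.crt" >/dev/null 2>&1
}

# RSA modulus size of the generated key in bits (the guide's "length" value).
key_bits() {
  openssl rsa -in "$WORK/device.key" -noout -text 2>/dev/null \
    | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Succeeds when the key meets the FIPS-mode minimum the guide states (2048 bits).
key_meets_fips_minimum() {
  [ "$(key_bits)" -ge 2048 ]
}

# Chain check plus identity check, the way a RADIUS server or other peer validates
# the switch certificate: the CA signature must verify AND the address the peer
# used must appear as the common name or as an altname. Non-zero exit otherwise.
cert_valid_for_ip() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_ip "$1" "$WORK/device.crt" >/dev/null 2>&1
}
cert_valid_for_host() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" "$WORK/device.crt" >/dev/null 2>&1
}

generate_csr
sign_csr

printf 'key length: %s bits\n' "$(key_bits)"
if cert_valid_for_ip "$SWITCH_IP"; then echo "valid when reached as $SWITCH_IP"; fi
if cert_valid_for_ip 10.0.0.9; then echo "unexpectedly valid for 10.0.0.9"; else echo "rejected when reached as 10.0.0.9"; fi
if cert_valid_for_host "$SWITCH_CN"; then echo "valid when reached as $SWITCH_CN"; fi
```

The two rejected cases are the failure mode the guide describes: nothing is wrong with the signature, the certificate simply does not name the identity the peer used. On a real deployment, device.key would be kept with the private option or in a protected keypath on the switch, and only device.csr would leave the device for the CA.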
OS10 security best practices
21