Dell PowerSwitch S4128F-ON OS10 Enterprise Edition User Guide Release 10.4.3.0 - Page 832
If you do not specify the cert-file option, you are prompted to fill in the other parameter values for the certificate interactively; for example:

    You are about to be asked to enter information that will be incorporated into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank.
    For some fields there will be a default value; if you enter '.', the field will be left blank.
    Country Name (2 letter code) [US]:
    State or Province Name (full name) [Some-State]:California
    Locality Name (eg, city) []:San Francisco
    Organization Name (eg, company) []:Starfleet Command
    Organizational Unit Name (eg, section) []:NCC-1701A
    Common Name (eg, YOUR name) [hostname]:S4148-001
    Email Address []:[email protected]

The switch uses SHA-256 as the digest algorithm. The public key algorithm is RSA with a 2048-bit modulus. The KeyUsage bits of the certificate assert keyEncipherment (bit 2) and keyAgreement (bit 4). The keyCertSign bit (bit 5) is NOT set. The ExtendedKeyUsage fields indicate serverAuth and clientAuth. The attribute CA:FALSE is set in the Extensions section of the certificate. The certificate is NOT used to validate other certificates.

• If necessary, re-enter the command to generate multiple certificate-key pairs for different applications on the switch. You can configure a certificate-key pair in a security profile. Using different certificate-key pairs is necessary if you want to change the certificate-key pair for a specified application without interrupting other critical services. For example, RADIUS over TLS may use a different certificate-key pair than SmartFabric services.

NOTE: If the system is in FIPS mode (crypto fips enable command), the CSR and private key are generated using FIPS-validated and compliant algorithms. You manage whether the keys are generated in FIPS mode or not.
Copy CSR to the CA server

You can copy the CSR from flash to a destination, such as a USB flash drive, using TFTP, FTP, or SCP.

    OS10# copy home://DellHost.pem scp:///[email protected]:/tftpboot/certs/DellHost.pem
    password:

The CA server signs the CSR with its private key. The CA server then makes the signed certificate available for the OS10 switch to download and install.

Install host certificate

1 Use the copy command to download an X.509v3 certificate signed by a CA server to the local home directory using a secure method, such as HTTPS, SCP, or SFTP.
2 Use the crypto cert install command to install the certificate and the private key generated with the CSR.

• Install a trusted certificate and key file in EXEC mode.

    crypto cert install cert-file home://cert-filepath key-file {key-path | private} [password passphrase] [fips]

- cert-file cert-filepath specifies a source location for a downloaded certificate; for example, home://s4048-001-cert.pem or usb://s4048-001-cert.pem.
- key-file {key-path | private} specifies the local path to retrieve the downloaded or locally generated private key. Enter private to install the key from a local hidden location and rename the key file with the certificate name.
- password passphrase specifies the password used to decrypt the private key if it was generated using a password.
- fips installs the certificate-key pair as FIPS-compliant. Enter fips to install a certificate-key pair that is used by a FIPS-aware application, such as RADIUS over TLS. If you do not enter fips, the certificate-key pair is stored as a non-FIPS compliant pair.

NOTE: You determine if the certificate-key pair is generated as FIPS-compliant. Make sure that FIPS-compliant certificate-key pairs are not used outside of FIPS mode. When FIPS mode is enabled on the switch, you can still generate CSRs for non-FIPS certificates for use with non-FIPS applications. Be sure to install these certificates as non-FIPS with the crypto cert install command.
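Before running crypto cert install, the certificate returned by the CA can be checked against the profile this page describes (SHA-256, RSA 2048, keyEncipherment and keyAgreement, no keyCertSign, serverAuth and clientAuth, CA:FALSE). The following is an added example, not part of the Dell guide: it reads the text printed by `openssl x509 -noout -text -in <cert>` on an administrator workstation. The function names are hypothetical and the sample text is constructed.

```python
import re

# Profile this page documents for the switch's host certificate.
REQUIRED_KU = {"Key Encipherment", "Key Agreement"}
REQUIRED_EKU = {"TLS Web Server Authentication", "TLS Web Client Authentication"}

def ext_values(text, name):
    """Values listed on the line below an 'X509v3 <name>:' header."""
    m = re.search(r"X509v3 " + re.escape(name) + r":[^\n]*\n\s*([^\n]+)", text)
    return {v.strip() for v in m.group(1).split(",")} if m else set()

def check_profile(text):
    """Return deviations from the documented profile; an empty list means OK."""
    problems = []
    if "Signature Algorithm: sha256WithRSAEncryption" not in text:
        problems.append("signature is not SHA-256 with RSA")
    bits = re.search(r"Public-Key: \((\d+) bit\)", text)
    if "Public Key Algorithm: rsaEncryption" not in text or not bits or bits.group(1) != "2048":
        problems.append("public key is not RSA 2048")
    ku = ext_values(text, "Key Usage")
    if not REQUIRED_KU <= ku:
        problems.append("missing key usage: " + ", ".join(sorted(REQUIRED_KU - ku)))
    if "Certificate Sign" in ku:
        problems.append("keyCertSign is set")
    eku = ext_values(text, "Extended Key Usage")
    if not REQUIRED_EKU <= eku:
        problems.append("missing extended key usage: " + ", ".join(sorted(REQUIRED_EKU - eku)))
    if "CA:FALSE" not in ext_values(text, "Basic Constraints"):
        problems.append("basic constraints do not state CA:FALSE")
    return problems

# Constructed sample, trimmed to the fields the check reads (not real switch output).
SAMPLE = """\
    Signature Algorithm: sha256WithRSAEncryption
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage: critical
                Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
"""

if __name__ == "__main__":
    print(check_profile(SAMPLE) or "certificate matches the documented profile")
    # A signing-capable certificate returned by the CA is flagged:
    bad = SAMPLE.replace("CA:FALSE", "CA:TRUE").replace("Key Agreement", "Certificate Sign")
    print(check_profile(bad))
```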