Dell PowerSwitch S5212F-ON SmartFabric OS10 Security Best Practices Guide July - Page 23


SSL Client, S/MIME
Netscape Comment:
OpenSSL Generated Client Certificate
X509v3 Subject Key Identifier:
4A:20:AA:E1:69:BF:BE:C5:66:2E:22:71:70:B4:7E:32:6F:E0:05:28
X509v3 Authority Key Identifier:
keyid:A3:39:CB:C7:76:86:3B:05:44:34:C2:6F:90:73:1F:5F:64:55:5C:76
X509v3 Key Usage: critical
Generate a self-signed certificate
Rationale: Administrators may prefer not to set up a Certificate Authority and implement a certificate trust model in the network, but still want the confidentiality that the Transport Layer Security (TLS) protocol provides. In this case, self-signed certificates can be used.
A self-signed certificate is not signed by a CA: the switch vouches for its own identity in the certificate it presents. Connecting clients may prompt their users to trust the certificate (for example, a web browser warns that the site is not secure) or may reject it outright, depending on their configuration. On its own, a self-signed certificate provides no protection against man-in-the-middle attacks: a client that has not already recorded the switch certificate's fingerprint cannot distinguish the switch from an attacker presenting a different self-signed certificate with the same common name. The connection is authenticated only after an administrator verifies the fingerprint out of band and the client pins that certificate.
Configuration:
1. Create a self-signed certificate in EXEC mode. Store the device.key file in a secure, persistent location, such as NVRAM.
crypto cert generate self-signed [cert-file cert-path key-file {private | key-path}] [country 2-letter-code] [state state] [locality city] [organization organization-name] [orgunit unit-name] [cname common-name] [email email-address] [validity days] [length length] [altname alt-name]
If you enter the cert-file option, you must enter all the required parameters, including the local path where the certificate and private key are stored. If you do not specify the cert-file option, you are prompted to enter the other parameter values for the certificate interactively; for example:
You are about to be asked to enter information that will be incorporated in your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value; if you enter '.', the field will be left blank.
Country Name (2 letter code) [US]:
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) []:Starfleet Command
Organizational Unit Name (eg, section) []:NCC-1701A
Common Name (eg, YOUR name) [hostname]:S4148-001
Email Address []:[email protected]
2. Install the self-signed certificate and key file in EXEC mode.
crypto cert install cert-file home://cert-filename key-file {key-path | private} [password passphrase] [fips]
• cert-file cert-path specifies the source location of a downloaded certificate; for example, home://s4048-001-cert.pem or usb://s4048-001-cert.pem.
• key-file {key-path | private} specifies the local path from which to retrieve the downloaded or locally generated private key. Enter private to install the key from the local hidden location and rename the key file with the certificate name.
• password passphrase specifies the password used to decrypt the private key if it was generated with a password.
• fips installs the certificate-key pair as FIPS-compliant. Enter fips to install a certificate-key pair that is used by a FIPS-aware application, such as RADIUS over TLS. If you do not enter fips, the certificate-key pair is stored as a non-FIPS-compliant pair.
NOTE: You determine whether the certificate-key pair is generated as FIPS-compliant. Do not use FIPS-compliant certificate-key pairs outside of FIPS mode.
If you enter fips after using the key-file private option in the crypto cert generate request command, a FIPS-compliant private key is stored in a hidden location in the internal file system that is not visible to users.
If the certificate installation is successful, the file name of the self-signed certificate and its common name are displayed. Use that file name to configure the certificate in a security profile with the crypto security-profile command.
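The following shell script is an added example and is not code from the Dell guide or from OS10. It reproduces with OpenSSL what the crypto cert generate self-signed command does on the switch (same DN fields as the interactive prompt above, the common name also placed in a subjectAltName), then demonstrates the caveat from the Rationale: a self-signed certificate fails ordinary chain validation, a second self-signed certificate with an identical subject is indistinguishable by DN alone, and only a fingerprint pinned out of band (or the switch certificate installed as the client's trust anchor) tells the real switch from the impostor. It assumes openssl 1.1.1 or later is on PATH; the WORK directory, the file names switch.pem and impostor.pem, the 2048-bit key length and the 365-day validity are values chosen for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the Dell guide: reproduce with OpenSSL what
# "crypto cert generate self-signed" does on the switch, then show why the
# result only authenticates the switch once a client has pinned its
# fingerprint (or the certificate itself) out of band. Assumes openssl
# 1.1.1+ on PATH; WORK, the file names, the 2048-bit key length, the
# 365-day validity and the "impostor" certificate are all constructed
# for this demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# gen_self_signed NAME CN: the same DN the guide's interactive prompt
# shows, with the CN also placed in a subjectAltName as clients expect.
gen_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        -subj "/C=US/ST=California/L=San Francisco/O=Starfleet Command/OU=NCC-1701A/CN=$2" \
        -addext "subjectAltName=DNS:$2" >/dev/null 2>&1
    chmod 600 "$WORK/$1.key"   # the private key is the only secret here
}

# fingerprint CERT: SHA-256 fingerprint as colon-separated hex, the value
# an administrator reads off the switch and hands to clients out of band.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# subject CERT: subject DN only, which is all a naive client compares.
subject() {
    openssl x509 -in "$1" -noout -subject
}

# chain_verify CERT: would a client with no pin and no CA accept this?
chain_verify() {
    openssl verify "$1" >/dev/null 2>&1
}

# pin_verify CERT EXPECTED_FP: accept only the exact pinned certificate.
pin_verify() {
    [ "$(fingerprint "$1")" = "$2" ]
}

# trusted_verify CERT ANCHOR: what a browser's "trust this certificate"
# does; the self-signed certificate becomes the client's trust anchor.
trusted_verify() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

run_demo() {
    gen_self_signed switch S4148-001
    gen_self_signed impostor S4148-001      # same DN, a different key
    pin=$(fingerprint "$WORK/switch.pem")
    echo "pinned fingerprint: $pin"

    # 1. Nobody but the switch signed it, so without a trust anchor the
    #    chain does not validate: this is the browser warning in the text.
    if chain_verify "$WORK/switch.pem"; then
        echo "unexpected: self-signed chain validated with no anchor"; return 1
    fi
    # 2. The subject DN cannot tell the switch from the impostor.
    [ "$(subject "$WORK/switch.pem")" = "$(subject "$WORK/impostor.pem")" ] || return 1
    # 3. The pinned fingerprint accepts the switch and rejects the impostor.
    pin_verify "$WORK/switch.pem" "$pin" || return 1
    if pin_verify "$WORK/impostor.pem" "$pin"; then return 1; fi
    # 4. Same outcome when the switch certificate is the trust anchor.
    trusted_verify "$WORK/switch.pem" "$WORK/switch.pem" || return 1
    if trusted_verify "$WORK/impostor.pem" "$WORK/switch.pem"; then return 1; fi
    echo "ok: only the pinned certificate authenticates the switch"
}

run_demo
```

Run it with sh and it prints the pinned fingerprint followed by the ok line; any deviation from the expected outcomes makes it exit non-zero. The fingerprint printed by the script is the kind of value to record when the switch certificate is created and to compare in the client before accepting the certificate, since the subject DN, as step 2 shows, is no evidence of identity.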
OS10 security best practices 23