Local certificate enrollment – manual mode
To enroll a Local certificate using a manual copy and paste method, a key size and the relevant TA profile details are required. The following command manually creates a certificate signature request. Including the subject overrides the configured Identity Profile:
Syntax:
crypto pki create-csr certificate-name <CERT-NAME>
ta-profile <Profile-name>
[usage <openflow | web | all>]
[key-type rsa key-size <1024|2048>]
[key-type ecdsa curve <256|384>]
subject [common-name <CN-Value>]
[org <Org-Value>] [org-unit <Org-unit-value>]
[locality <Location-Value>] [state <state-Value>]
[country <Country-Code>]
[valid-start <date>] [valid-end <date>]
Options
Definitions:
certificate-name
Name of the certificate.
ta-profile
The Trust Anchor Profile associated with the certificate. A profile named ‘default’ is updateable from the web UI.
ta-profile-name
Specify the Switch Id TA profile name.
usage <openflow|web|all>
Intended application for the certificate, the default is web.
valid-start
Certificate validity start date (MM/DD/YY).
valid-end
Certificate validity end date (MM/DD/YY).
Subject fields
- cn-value
Common Name (CN) – must be present, max length 90.
- org-value
Organization Name (O) – preferred, max length 100.
- org-unit value
Organizational Unit Name (OU) – preferred, max length 100.
- location-value
Locality (L) – optional, max length 100.
- state-value
State (ST) – optional, max length 100.
- country-code
To specify the two letter ISO 3166-1 country code. Max length 2.
A CSR created with TA profile name of ‘default’ MUST include usage of either “web” or “all”.
Example: of PEM format output
This command creates a certificate signing request in realtime and then output the result to the console:
-----BEGIN CERTIFICATE REQUEST----- MIIBpDCCAQ0CAQAwZDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQH EwlSb3NldmlsbGUxCzAJBgNVBAoTAkhQMQ0wCwYDVQQLEwRFVlBHMRgwFgYDVQQD Ew9UZXN0IE1hY2hpbmUgMDEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN7i w3x2gi3tZf4LnXltSicl7RNcVggxYHcZQySWFtCXFTb5uaJ6vA3RdBIThgUKZSpc rgtc7jQmRDUdKAbWLPrqC7wBxMlXbnQYegubvOfzf/dT1CYJXxdUZh5BMN5ob/00 t60m9cM7Odsu0a0dBoQQRI8315KJ0AuHDE6VOe4dAgMBAAGgADANBgkqhkiG9w0B AQUFAAOBgQBQCZar2ox6RXm7F/vVhyrrp0E0YrPimxDvg40jnwqtwOgpQAvns4pt o5RVx4/Q6hzF2QivYqLl3+K8WOVVJ7XLDcHNea8RJgx13t45uMYrsMKWdbhR9+jQ KFzmffQJXRXOnH6rfQSNYBXndg0azhc8saORrOqrTn3Yw3psYSNMbA== -----END CERTIFICATE REQUEST-----
You must manually copy the certificate signing request (CSR) created with the “create-csr” command (above) and have it signed by a CA. The local certificate status is updated to “CSR” after the CSR is created. A pending certificate request is not persistent across a power cycle or reboot. Once the CA-signed certificate response is received, the user executes the following command and pastes the signed certificate provided by CA on the command line.
The switch retains the name of the certificate used when creating the CSR in memory while waiting for the signed certificate to be installed. When the signed certificate is pasted to the command line, the switch matches the certificate to the CSR by matching the public key and then saves the signed certificate to flash. The signed certificate will not be accepted if a CSR does not exist or if the trust chain cannot be verified (for example, if the CA’s root certificate is not installed in the Trust Anchor Profile.)
Syntax:
(config)# crypto pki install-signed-certificate <data>
Intermediate certificate installation is similar to the local certificate installation. When intermediate certificates are to be individually installed, the local-certificate name is used and certificate manager uses this name to build the certificate chain between the root and the leaf certificate of the specified name. Intermediate certificates must be presented in order from the trust anchor to the local (leaf) certificate. The user is prompted to paste the new certificate (PEM-encoded PKCS#7) to the command line. The provided data is parsed internally by Certificate Manager and stored in DER format thus requiring no additional parsing in CLI. The following text appears.
To install a signed certificate, the certificate must match a previously created signing request.
With the cursor at the start of a blank line, when the user presses the Enter key, the user operation is done. Usage of word pad is suggested to copy the certificate and paste it to this command.
show crypto pki local-certificate
Local enrollment is implemented in the web UI; specifically the security — SSL page is updated for the Web UI SSL server application, with web usage. The Web UI does not provide general PKI configurability for all applications (Web UI does not allow creation or management of other device certificates add.)
Self-signed certificate for a specific application (along with the key-pair) is removed once a CA signed local-certificate is installed for that application.