Installing a leaf certificate for the syslog client
This procedure describes how to install an X.509 leaf certificate and associate it with the syslog client.
Prerequisites
- Root certificate of the CA that will issue the leaf certificate.
Procedure
1. Create a TA profile with the command crypto pki ta-profile. This switches to the TA configuration context. The TA profile is where the switch stores the root certificate of the CA that will issue the leaf certificate for the syslog client.
2. Optionally enable certificate revocation checking with the command revocation-check ocsp.
3. Most certificates contain certificate revocation checking URLs for OCSP. If you want to override these URLs, configure custom revocation checking URLs with the command ocsp url.
4. Import the root certificate of the CA that will issue the leaf certificate for the syslog client with the command ta-certificate.
5. Exit the TA profile context with the command exit.
6. Create a leaf certificate with the command crypto pki certificate. This switches to the leaf certificate configuration context.
7. Define leaf certificate properties with the command subject.
8. Set the encryption key type for the leaf certificate with the command key-type.
9. Generate the certificate signing request (CSR) with the command enroll terminal.
10. Use the CSR to obtain a leaf certificate from the CA whose root certificate was imported in step 4.
11. Import the leaf certificate into the switch with the command import terminal.
12. Exit the leaf certificate context with the command exit.
13. Associate the leaf certificate with the syslog client feature on the switch with the command crypto pki application.
Example
This example:
- Creates a TA profile named syslog-root-cert.
- Generates a CSR for the leaf certificate syslog-cert with common name MyLeaf and an RSA key size of 3072.
- Imports the leaf certificate, which the switch validates against the root certificate held in the TA profile.
- Associates the leaf certificate with the syslog application on the switch.
switch(config)# crypto pki ta-profile syslog-root-cert
switch(config-ta-syslog-root-cert)# revocation-check ocsp
switch(config-ta-syslog-root-cert)# ocsp url primary http://ocsp-server.my-ca.com
switch(config-ta-syslog-root-cert)# exit
switch(config)# crypto pki certificate syslog-cert
switch(config-cert-syslog-cert)# subject common-name MyLeaf country USA locality NY org MyCompany org-unit UNIT1 state NY
switch(config-cert-syslog-cert)# key-type rsa key-size 3072
switch(config-cert-syslog-cert)# enroll terminal
You are enrolling a certificate with the following attributes:
Subject: C=US, ST=NY, L=NY, OU=UnitA, O=MyCompany, CN=MyLeaf01
Key Type: RSA (2048 bits)
Continue (y/n)? y
-----BEGIN CERTIFICATE REQUEST-----
(base64 CSR body omitted)
-----END CERTIFICATE REQUEST-----
switch(config-cert-syslog-cert)# import terminal ta-profile syslog-root-cert
Paste the certificate in PEM format below, then hit enter and ctrl-D:
switch(config-cert-import)# -----BEGIN CERTIFICATE-----
switch(config-cert-import)# (base64 certificate body omitted)
switch(config-cert-import)# -----END CERTIFICATE-----
switch(config-cert-import)#
0
Issuer: C=US, ST=California, L=Rocklin, O=HPN, OU=HPNRoseville, CN=hpnsw4494.rose.rdlabs.hpecorp.net/emailAddress=freeman.huang@hpe.com
Subject: C=US, ST=California, L=Rocklin, O=HPN, OU=HPN Roseville, CN=switch/emailAddress=freeman.huang@hpe.com
1
Issuer: C=US, ST=California, L=Rocklin, O=HPN, OU=HPNRoseville, CN=hpnsw4494.rose.rdlabs.hpecorp.net/emailAddress=freeman.huang@hpe.com
Subject: C=US, ST=California, L=Rocklin, O=HPN, OU=HPN Roseville, CN=hpnsw4494.rose.rdlabs.hpecorp.net/emailAddress=freeman.huang@hpe.com
Leaf certificate is validated with vm4494-root and imported successfully.
switch(config-cert-syslog-cert)# exit
switch(config)# crypto pki application syslog-client certificate syslog-cert
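Before pasting a CA-issued certificate into import terminal (step 11), it is worth checking offline that it will validate against the root loaded into the TA profile and that the CA preserved the subject, key size and OCSP responder URL you expect. The shell script below is an added example, not part of this documentation or the switch software; it builds a throwaway root CA and leaf with the openssl CLI, using the subject, 3072-bit RSA key and OCSP URL from the example above, and exposes each check as a function.

```shell
#!/bin/sh
# Added example, not part of the switch documentation or software: offline checks on
# a CA-issued leaf certificate before it is pasted into "import terminal".
# Fixtures are constructed here with the openssl CLI: a throwaway root CA (stand-in
# for the CA whose root goes into the TA profile) and a leaf it signs.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
# Minimal req config so the constructed root is marked CA:TRUE regardless of host defaults.
printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$WORK/req.cnf"

make_root_ca() {  # constructed CA root; on the switch this is what ta-certificate imports
  openssl req -config "$WORK/req.cnf" -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
    -subj "/C=US/O=MyCompany/CN=syslog-root-cert" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
}

make_csr() {  # mirrors the example's subject, key-type rsa key-size 3072 and enroll terminal
  openssl req -config "$WORK/req.cnf" -new -newkey rsa:3072 -nodes -sha256 \
    -subj "/C=US/ST=NY/L=NY/O=MyCompany/OU=UNIT1/CN=MyLeaf" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
}

sign_csr() {  # the CA issues the leaf; its AIA carries the OCSP URL used in the example
  printf 'authorityInfoAccess=OCSP;URI:http://ocsp-server.my-ca.com\n' > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# Check 1: the leaf chains to the TA root (the switch reports this as
# "Leaf certificate is validated with <profile>"). Exit status 0 means it chains.
leaf_chains_to_root() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Check 2: the CA kept the enrolled key size (the example configures 3072 bits).
leaf_key_bits() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Check 3: the CN matches the common-name set with the subject command.
leaf_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Check 4: OCSP responder URL embedded by the CA. Empty output means revocation-check ocsp
# only works if you configure "ocsp url" on the TA profile.
leaf_ocsp_uri() { openssl x509 -in "$1" -noout -ocsp_uri; }

make_root_ca && make_csr && sign_csr
```

Note that the enroll output in the example above reports a 2048-bit key although 3072 was configured; leaf_key_bits is the check that surfaces that kind of mismatch before the certificate is imported.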