Local certificate enrollment — manual mode
You must manually copy the certificate signing request (CSR) created with the “create-csr” command (above) and have it signed by a CA. The local certificate status is updated to “CSR” after the CSR is created. A pending certificate request is not persistent across a power cycle or reboot. Once the CA-signed certificate response is received, the user executes the following command and pastes the signed certificate provided by CA on the command line.
The switch retains the name of the certificate used when creating the CSR in memory while waiting for the signed certificate to be installed. When the signed certificate is pasted to the command line, the switch matches the certificate to the CSR by matching the public key and then saves the signed certificate to flash. The signed certificate will not be accepted if a CSR does not exist or if the trust chain cannot be verified (for example if the CA’s root certificate is not installed in the Trust Anchor Profile.)
Syntax
Intermediate certificate installation is similar to the local certificate installation. When intermediate certificates are to be individually installed, the local-certificate name is used and certificate manager uses this name to build the certificate chain between the root and the leaf certificate of the specified name. Intermediate certificates must be presented in order from the trust anchor to the local (leaf) certificate. The user is prompted to paste the new certificate (PEM-encoded PKCS#7) to the command line. The provided data is parsed internally by Certificate Manager and stored in DER format thus requiring no additional parsing in CLI. The following text appears.
![[NOTE: ]](images/note.gif) | NOTE: To install a signed certificate, the certificate must match a previously created signing request. With the cursor at the start of a blank line, when the user presses the Enter key, the user operation is done. Usage of word pad is suggested to copy the certificate and paste it to this command. |
To check the CSR status, enter:
show crypto pki local-certificate
Local enrollment is implemented in the web UI; specifically the security — SSL page is updated for the Web UI SSL server application, with web usage. The Web UI does not provide general PKI configurability for all applications (Web UI does not allow creation or management of other device certificates add.)
| NOTE: Self-signed certificate for a specific application (along with the key-pair) is removed once a CA signed local-certificate is installed for that application. |
Self-signed certificate enrollment
This certificate installation method may be used when a Certificate Authority is not available. A self-signed certificate provides the relying party no assurance of identity, so this is not as secure as using a CA-signed certificate. A self-signed certificate may be useful, but its use is not recommended.
A self-signed certificate many only be installed on the “default” TA-Profile, so the ta-profile-name parameter is not present in the command.
To enroll a local certificate in self-signed mode, the user must specify the subject information and key-size. The details specific to the certificate “subject” are obtained from id-profile if not specified here.
Syntax
[no]
crypto pki enroll-self-signed certificate-nameCERT-NAME[subject [command-nameCN-Value] [orgOrg-Value] [org-unitOrg-unit-value] [localityLocation-Value] [statestate-Value] [countryCountry-Code] [valid-startdatevalid-enddate] [usage <openflow | web | all>][key-type rsa key-size <1024|2048>] [key-type ecdsa curve <256|384>]Options
Subject Fields
The following prompts appear if these required fields are not given as arguments.
Enter Common Name(CN) : Enter Org Unit(OU) : Enter Org Name(O) : Enter Locality(L) : Enter State(ST) : Enter Country(C) :
Self-Signed certificate
A self-signed certificate uses the “default” TA profile, which is created automatically if it does not already exist and one of the ten available TA profiles is not yet assigned.
Syntax
[no]crypto pki enroll-self-signed certificate-name [name]subject common-name cn-valueorg org-valueorg-unit org-unit-valuelocality location-valuestate state-valuecountry country-code
To create and install a self-signed local certificate
the certificate subject may be configured with the crypto
pki identity-profile command.
Options
key-size [1024|2048]
The length of the key; default is 1024 bits.
subject [field <field value>]
Subject fields of the certificate; the default values are specified in the identity profile.
usage [<openflow|web|all>]
Intended application for the certificate; the default is web.
Subject Fields
Following are the prompts appear if these required fields are not given as arguments.
Enter Common Name(CN) : Enter Org Unit(OU) : Enter Org Name(O) : Enter Locality(L) : Enter State(ST) : Enter Country(C) :Definitions
certificate-nameName of the certificate.
ta-profileThe Trust Anchor Profile associated with the certificate. A profile named ‘default’ is updateable from the web UI.
ta-profile-nameSpecify the Switch Id TA profile name.
cn-valueCommon Name (CN) – must be present, max length 90.
org-valueOrganization Name (O) – preferred, max length 100.
org-unit valueOrganizational Unit Name (OU) – preferred, max length 100.
location-valueLocality (L) – optional, max length 100.
state-valueState (ST) – optional, max length 100.
country-codeTo specify the two letter ISO 3166-1 country code. Max length 2.
valid-startCertificate validity start date (MM/DD/YYYY).
valid-endCertificate validity end date (MM/DD/YYYY).
The default value for start date is the current date and the default value for the end date is the current date plus one year.
Local enrollment is implemented in the web UI and the security — SSL page is updated for the web UI SSL server application. The Web UI does not provide general PKI configurability for all applications creation or management of other device certificates.