Local certificate enrollment – manual mode

To enroll a local certificate using a manual copy-and-paste method, a key size and the relevant TA profile details are required. The following command creates a certificate signing request (CSR). Subject fields given on the command line override the values from the configured Identity Profile:

Syntax:

crypto pki create-csr certificate-name <CERT-NAME> ta-profile <Profile-name> [usage <openflow | web | all>] [key-type rsa key-size <1024|2048>] [key-type ecdsa curve <256|384>] subject [common-name <CN-Value>] [org <Org-Value>][org-unit <Org-unit-value>] [locality <Location-Value>] [state <state-Value>][country <Country-Code>][valid-start <date>][valid-end <date>]

Options

key-size [1024|2048]

The length of the RSA key; the default is 1024 bits. A 1024-bit RSA key is below current minimum recommendations (NIST SP 800-131A disallows RSA keys shorter than 2048 bits for new signatures), so specify key-size 2048 or an ECDSA curve unless a legacy relying party requires otherwise.

Definitions:

certificate-name

Name of the certificate.

ta-profile

The Trust Anchor (TA) profile associated with the certificate. A profile named ‘default’ can also be updated from the web UI.

ta-profile-name

Name of the TA profile to associate with the certificate. This profile must hold the CA root certificate that issues the signed certificate; otherwise the signed certificate cannot be chain-verified at installation.

usage <openflow|web|all>

Intended application for the certificate, the default is web.

valid-start

Certificate validity start date (MM/DD/YYYY).

valid-end

Certificate validity end date (MM/DD/YYYY).

Subject fields

cn-value

Common Name (CN) – must be present, max length 90.

org-value

Organization Name (O) – preferred, max length 100.

org-unit-value

Organizational Unit Name (OU) – preferred, max length 100.

location-value

Locality (L) – optional, max length 100.

state-value

State (ST) – optional, max length 100.

country-code

Two-letter ISO 3166-1 alpha-2 country code (C); max length 2.


NOTE: A CSR created with the TA profile named ‘default’ MUST include a usage of either “web” or “all”.


Example of PEM format output

The create-csr command generates the CSR immediately and prints it to the console in PEM format. Copy everything from the BEGIN line to the END line, inclusive:

-----BEGIN CERTIFICATE REQUEST-----
MIIBpDCCAQ0CAQAwZDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQH
EwlSb3NldmlsbGUxCzAJBgNVBAoTAkhQMQ0wCwYDVQQLEwRFVlBHMRgwFgYDVQQD
Ew9UZXN0IE1hY2hpbmUgMDEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN7i
w3x2gi3tZf4LnXltSicl7RNcVggxYHcZQySWFtCXFTb5uaJ6vA3RdBIThgUKZSpc
rgtc7jQmRDUdKAbWLPrqC7wBxMlXbnQYegubvOfzf/dT1CYJXxdUZh5BMN5ob/00
t60m9cM7Odsu0a0dBoQQRI8315KJ0AuHDE6VOe4dAgMBAAGgADANBgkqhkiG9w0B
AQUFAAOBgQBQCZar2ox6RXm7F/vVhyrrp0E0YrPimxDvg40jnwqtwOgpQAvns4pt
o5RVx4/Q6hzF2QivYqLl3+K8WOVVJ7XLDcHNea8RJgx13t45uMYrsMKWdbhR9+jQ
KFzmffQJXRXOnH6rfQSNYBXndg0azhc8saORrOqrTn3Yw3psYSNMbA==
-----END CERTIFICATE REQUEST-----

You must manually copy the certificate signing request (CSR) created with the “create-csr” command (above) and have it signed by a CA. The local certificate status changes to “CSR” once the request is created. A pending certificate request is not persistent across a power cycle or reboot: if the switch reboots before the signed certificate is installed, the pending request is lost and a new CSR must be created and submitted to the CA. Once the CA-signed certificate is received, run the following command and paste the signed certificate provided by the CA at the prompt.

The switch keeps the name of the certificate used when creating the CSR in memory while waiting for the signed certificate to be installed. When the signed certificate is pasted on the command line, the switch pairs it with the pending CSR by comparing the public key in the certificate with the public key in the request, and then saves the signed certificate to flash. The signed certificate is rejected if no CSR exists or if the trust chain cannot be verified (for example, if the CA’s root certificate is not installed in the Trust Anchor Profile).
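As an added example (editor's code, not the switch firmware or any vendor tool), the following standard-library-only Python walks the DER structure of the CSR printed above and reports the subject, the key algorithm and size, the algorithm the switch used to sign the request, and a SHA-256 over the DER SubjectPublicKeyInfo. The same hash taken over the signed certificate's SubjectPublicKeyInfo (for example the output of `openssl x509 -in signed.pem -noout -pubkey`, converted to DER) must be identical, which is the public-key pairing the switch performs when the certificate is pasted in. The thresholds in check_csr_policy (2048-bit RSA, 256-bit EC, no SHA-1 or MD5) are an assumed local policy, not a switch rule.

```python
import base64
import hashlib
# The example CSR printed on this page (subject CN "Test Machine 01").
PAGE_CSR = """\
-----BEGIN CERTIFICATE REQUEST-----
MIIBpDCCAQ0CAQAwZDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQH
EwlSb3NldmlsbGUxCzAJBgNVBAoTAkhQMQ0wCwYDVQQLEwRFVlBHMRgwFgYDVQQD
Ew9UZXN0IE1hY2hpbmUgMDEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN7i
w3x2gi3tZf4LnXltSicl7RNcVggxYHcZQySWFtCXFTb5uaJ6vA3RdBIThgUKZSpc
rgtc7jQmRDUdKAbWLPrqC7wBxMlXbnQYegubvOfzf/dT1CYJXxdUZh5BMN5ob/00
t60m9cM7Odsu0a0dBoQQRI8315KJ0AuHDE6VOe4dAgMBAAGgADANBgkqhkiG9w0B
AQUFAAOBgQBQCZar2ox6RXm7F/vVhyrrp0E0YrPimxDvg40jnwqtwOgpQAvns4pt
o5RVx4/Q6hzF2QivYqLl3+K8WOVVJ7XLDcHNea8RJgx13t45uMYrsMKWdbhR9+jQ
KFzmffQJXRXOnH6rfQSNYBXndg0azhc8saORrOqrTn3Yw3psYSNMbA==
-----END CERTIFICATE REQUEST-----
"""
OID_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU",
    "1.2.840.113549.1.1.1": "rsaEncryption", "1.2.840.10045.2.1": "ecPublicKey",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption", "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
WEAK_SIGNATURES = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}

def pem_to_der(pem):
    body = "".join(ln.strip() for ln in pem.splitlines() if ln.strip() and not ln.startswith("-----"))
    return base64.b64decode(body)

def read_tlv(buf, pos):
    """Decode the DER element at pos; return (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value, raw TLV bytes) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, end = read_tlv(value, pos)
        yield tag, inner, value[pos:end]
        pos = end

def decode_oid(raw):
    """Dotted-decimal form of an OBJECT IDENTIFIER's content octets (base-128 arcs)."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last octet of an arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def parse_name(name):
    """Name ::= SEQUENCE OF SET OF { type OID, value string } -> [(short name, value), ...]."""
    rdns = []
    for _, rdn, _ in children(name):
        for _, atv, _ in children(rdn):
            (_, oid, _), (_, val, _) = list(children(atv))[:2]
            oid = decode_oid(oid)
            rdns.append((OID_NAMES.get(oid, oid), val.decode("utf-8", "replace")))
    return rdns

def parse_spki(spki):
    """(algorithm name, key size in bits) from a SubjectPublicKeyInfo value."""
    (_, alg, _), (_, bitstr, _) = list(children(spki))[:2]
    alg_oid = decode_oid(next(children(alg))[1])
    key = bitstr[1:]  # BIT STRING: first octet is the unused-bit count
    if alg_oid == "1.2.840.113549.1.1.1":  # RSAPublicKey ::= SEQUENCE { modulus, publicExponent }
        _, rsa, _ = read_tlv(key, 0)
        _, modulus, _ = read_tlv(rsa, 0)
        size = int.from_bytes(modulus, "big").bit_length()
    else:  # assumed uncompressed EC point 0x04 || X || Y, so X is half the remaining bytes
        size = (len(key) - 1) * 4
    return OID_NAMES.get(alg_oid, alg_oid), size

def parse_csr(pem):
    """Subject, key algorithm/size, CSR signature algorithm and SHA-256 over the DER SPKI."""
    _, request, _ = read_tlv(pem_to_der(pem), 0)  # CertificationRequest ::= SEQUENCE
    (_, info, _), (_, sig_alg, _) = list(children(request))[:2]
    (_, _version, _), (_, subject, _), (_, spki, spki_raw) = list(children(info))[:3]
    key_alg, key_bits = parse_spki(spki)
    sig_oid = decode_oid(next(children(sig_alg))[1])
    return {"subject": parse_name(subject), "key_alg": key_alg, "key_bits": key_bits,
            "sig_alg": OID_NAMES.get(sig_oid, sig_oid),
            "spki_sha256": hashlib.sha256(spki_raw).hexdigest()}

def check_csr_policy(info, min_rsa_bits=2048, min_ec_bits=256):
    """Assumed local policy, not a switch rule: modern key sizes, no MD5/SHA-1, CN present."""
    problems = []
    floor = min_rsa_bits if info["key_alg"] == "rsaEncryption" else min_ec_bits
    if info["key_bits"] < floor:
        problems.append(f"{info['key_alg']} key is {info['key_bits']} bits; policy floor is {floor}")
    if info["sig_alg"] in WEAK_SIGNATURES:
        problems.append(f"request is signed with {info['sig_alg']}; ask the CA to sign with SHA-256")
    if not any(k == "CN" for k, _ in info["subject"]):
        problems.append("subject has no Common Name (CN), which the switch requires")
    return problems
```

For the page's example CSR, parse_csr reports a 1024-bit RSA key and a sha1WithRSAEncryption request signature, and check_csr_policy flags both; this is why the key-size default above should be overridden with 2048 or an ECDSA curve before the request is sent to the CA.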

Syntax:

(config)# crypto pki install-signed-certificate <data>

Intermediate certificate installation is similar to local certificate installation. When intermediate certificates are installed individually, the local-certificate name is used, and Certificate Manager uses this name to build the certificate chain between the root and the leaf certificate of that name. Intermediate certificates must be presented in order from the trust anchor down to the local (leaf) certificate. The user is prompted to paste the new certificate (PEM-encoded PKCS#7) on the command line. The pasted data is parsed by Certificate Manager and stored in DER format, so the CLI performs no additional parsing. The CLI then prompts for the certificate data.


NOTE: To install a signed certificate, the certificate must match a previously created signing request (same public key).

Terminate the paste by pressing Enter with the cursor at the start of a blank line; the operation then completes. Copy the certificate from a plain-text editor such as WordPad before pasting it into this command, so that no formatting characters are introduced.


To check the CSR status, enter:

show crypto pki local-certificate

Local enrollment is also available in the web UI: the Security > SSL page is updated for the web UI SSL server application (web usage). The web UI does not provide general PKI configuration for all applications; it does not allow creation or management of other device certificates.


NOTE: The self-signed certificate for an application (along with its key pair) is removed once a CA-signed local certificate is installed for that application.


Self-signed certificate enrollment

This certificate installation method may be used when a Certificate Authority is not available. A self-signed certificate gives the relying party no assurance of identity (anyone can generate a certificate with the same subject), so it is less secure than a CA-signed certificate. A self-signed certificate may be useful, but its use is not recommended; if one is used, relying parties should verify its fingerprint out of band rather than trusting it on first connection.

A self-signed certificate may only be installed on the “default” TA profile, so the ta-profile-name parameter is not present in the command.

To enroll a local certificate in self-signed mode, specify the subject information and key size. Subject details not given on the command line are taken from the identity profile.

Syntax:

[no] crypto pki enroll-self-signed certificate-name <CERT-NAME> subject [common-name <CN-Value>] [org <Org-Value>][org-unit <Org-unit-value>] [locality <Location-Value>] [state <state-Value>][country <Country-Code>][valid-start <date>][valid-end <date>] [usage <openflow | web | all>] [key-type rsa key-size <1024|2048>] [key-type ecdsa curve <256|384>]

Options

key-size [1024|2048]

The length of the RSA key; the default is 1024 bits. Prefer key-size 2048 or an ECDSA curve, as 1024-bit RSA is below current minimum recommendations.

usage [<openflow|web|all>]

Intended application for the certificate; the default is web. The openflow option is not supported for self-signed certificate enrollment.

Subject Fields

The following prompts appear if these required fields are not given as arguments.

Enter Common Name(CN) :
Enter Org Unit(OU) :
Enter Org Name(O) :
Enter Locality(L) : 
Enter State(ST) :
Enter Country(C) :

Self-signed certificate

A self-signed certificate uses the “default” TA profile, which is created automatically if it does not already exist and one of the ten available TA profiles is still unassigned.

Syntax:

[no] crypto pki create-self-signed certificate-name <CERT-NAME> subject [common-name <CN-Value>] [org <Org-Value>] [org-unit <Org-unit-value>] [locality <Location-Value>] [state <state-Value>] [country <Country-Code>] [valid-start <date>] [valid-end <date>] [usage <openflow | web | all>] [key-type rsa key-size <1024|2048>] [key-type ecdsa curve <256|384>]

To create and install a self-signed local certificate, the certificate subject may be configured in advance with the crypto pki identity-profile command.

Options

key-size [1024|2048]

The length of the RSA key; the default is 1024 bits. Prefer key-size 2048 or an ECDSA curve, as 1024-bit RSA is below current minimum recommendations.

subject [field <field value>]

Subject fields of the certificate; the default values are specified in the identity profile.

usage [<openflow|web|all>]

Intended application for the certificate; the default is web.

valid-start date

Start date of the certificate.

valid-end date

End date of the certificate.

Subject Fields

The following prompts appear if these required fields are not given as arguments.

Enter Common Name(CN) :
Enter Org Unit(OU) :
Enter Org Name(O) :
Enter Locality(L) : 
Enter State(ST) :
Enter Country(C) :

Definitions:

certificate-name

Name of the certificate.

cn-value

Common Name (CN) – must be present, max length 90.

org-value

Organization Name (O) – preferred, max length 100.

org-unit-value

Organizational Unit Name (OU) – preferred, max length 100.

location-value

Locality (L) – optional, max length 100.

state-value

State (ST) – optional, max length 100.

country-code

Two-letter ISO 3166-1 alpha-2 country code (C); max length 2.

valid-start

Certificate validity start date (MM/DD/YYYY).

valid-end

Certificate validity end date (MM/DD/YYYY).

The default start date is the current date, and the default end date is one year after the current date.

Local enrollment is also available in the web UI: the Security > SSL page is updated for the web UI SSL server application. The web UI does not provide general PKI configuration for all applications, nor creation or management of other device certificates.