Example including the use of an intermediate certificate

This example shows the following:
  • Installing a root CA as a TA profile.

  • Creating a CSR for a leaf certificate.

  • Installing the signed leaf certificate issued by an intermediate CA. The intermediate CA certificate is included after the signed leaf certificate.

Each section in the example below is preceded by descriptive text.

Example

================================================================================
Install root CA as a TA profile
================================================================================
switch(config)# crypto pki ta-profile root
switch(config-ta-root)# ta-certificate import terminal
Paste the certificate in PEM format below, then hit enter and ctrl-D:
switch(config-ta-cert)# -----BEGIN CERTIFICATE-----
switch(config-ta-cert)# MIIGATCCA+mgAwIBAgIJAL/JIZfJ0GpcMA0GCSqGSIUAMIGOMQswCQYD
switch(config-ta-cert)# VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESBwwJUm9zZXZpbGxl
switch(config-ta-cert)# MQwwCgYDVQQKDANIUEUxEzARBgNVBAsMCk5ldmcxFTATBgNVBAMMDFRl
...
switch(config-ta-cert)# rvadRXSAsUlevJRNNOyINrEJyOfUX2hAfLaiBYP+In6gKTAwVh1xLiXn
switch(config-ta-cert)# LlryAb2/go4BTYjil3eJyXxweUHheuBeesEslBawLv0cPCQPTTdbc97O
switch(config-ta-cert)# iWbyAmfSpD/TS3AgCLnBFPKEKsms0f0LF3/C9dRUXjIHT/LDBr+lgzY3
switch(config-ta-cert)# m2NCvxY=
switch(config-ta-cert)# -----END CERTIFICATE-----
switch(config-ta-cert)#
The certificate you are importing has the following attributes:
Subject: C = US, ST = California, L = Roseville, O = HPE, OU = Networking, CN = Test CA root, emailAddress = generic@corp.com
Issuer: C = US, ST = California, L = Roseville, O = HPE, OU = Networking, CN =Test CA root, emailAddress = generic@corp.com
Serial Number: 0xBFC92197xxxxxxxx
TA certificate import is allowed only once for a TA profile
Do you want to accept this certificate (y/n)? y
switch(config-ta-root)# exit

================================================================================
Create a CSR for a leaf certificate
================================================================================
switch(config)# crypto pki certificate leaf
switch(config-cert-leaf)# subject
Do you want to use the switch serial number as the common name (y/n)? y
Common Name: SG9Zxxxxxx
Org Unit:
Org Name:
Locality:
State:
Country:
switch(config-cert-leaf)# enroll terminal
You are enrolling a certificate with the following attributes:
Subject: C=, ST=, L=, OU=, O=, CN=SG9Zxxxxxx
Key Type: RSA (2048)
Continue (y/n)? y
-----BEGIN CERTIFICATE REQUEST-----
MIICWjCCAUICAQIwFTETMBEGA1UEAwwKU0c5WktONDAwSoZIhvcN
AQEBBQADggEPADCCAQoCggEBAMKdtoucDEMeuZjPGvCcWTm4D39A
WBA8K/bduJvM1E2B/uirU2TX7mF6lN30akClSxZOoofZAmBPCzI3
...
wZtb5c8fYCSR+TpLwZAdoXrvGJqJ1aGzV6/kVfb7rM6ulBksfBo/
JwO+7x8Vn5h1dGCrsl9CPJienni/fq24+1CJzspMbY9BKu9EIL+P
5ND9BmN0IzEmDO26F+Ip74DqFCIYjXtl3uPJk4cwJkXq121hlcrG
UlatpvjNEpZOtfoEryDJSs0pHXky7VjltYABIuDy
-----END CERTIFICATE REQUEST-----

================================================================================
Install the signed leaf certificate issued by an intermediate CA. The
intermediate CA certificate is included after the signed leaf certificate.
================================================================================
switch(config-cert-leaf)# import terminal ta-profile root
Paste the certificate in PEM format below, then hit enter and ctrl-D:
switch(config-cert-import)# -----BEGIN CERTIFICATE-----
switch(config-cert-import)# MIIEKTCCAhGgAwIBAgIJAO1LSoBmKxtbMA0GCSqGSIYxCzAJBgNV
switch(config-cert-import)# BAYTAkFVMRUwEwYDVQQIDAxJbnRlcm1lZGNVBAoMGEludGVybmV0
switch(config-cert-import)# IFdpZGdpdHMgUHR5IEx0ZDENMAsGA1UEAw0yMDA1MTQyMDI3MTla
...
switch(config-cert-import)# axnZcIaNp4eNi95in+TvckXA0eMLScNyR7IF+Wjn56H0fQKYsHp/
switch(config-cert-import)# jllbCkyB1xKnn6IpzIj/hvAx3NpA0jXx/qJA+V/cltaAL6+QPZmI
switch(config-cert-import)# vr5GZsoV72BHFOXxoteZlmWMUdVldYXXP2DzEUbttr9zojwz0MyK
switch(config-cert-import)# Qz5tc0BlGfJAtghykw==
switch(config-cert-import)# -----END CERTIFICATE-----
switch(config-cert-import)# -----BEGIN CERTIFICATE-----
switch(config-cert-import)# MIIFyzCCA7OgAwIBAgIJAO1LSoBmKxtwMA0GCSqGCIGOMQswCQYD
switch(config-cert-import)# VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvc1UEBwwJUm9zZXZpbGxl
switch(config-cert-import)# MQwwCgYDVQQKDANIUEUxEzARBgNVBAsMCmcxFTATBgNVBAMMDFRl
...
switch(config-cert-import)# LM9DV3YNWOM4UMMP2HXaDDfqxZPX9Zsj6Gl/stRCh8SVfsF2duYR
switch(config-cert-import)# 5brLfEpiDhXrZVXxF9lljRABO2JPLSUufg7xr6M/K5aCujxVYzK7
switch(config-cert-import)# DQaCEw5NlmC1vpYlY2TG3dlUQPZDeQOAHwuBd4HewqDHWfp/T04=
switch(config-cert-import)# -----END CERTIFICATE-----
switch(config-cert-import)#
Leaf certificate is validated with root and imported successfully.
switch(config-cert-leaf)#
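
Added example (not part of the original documentation or the switch software): a workstation-side pre-check, using the openssl CLI, that a PEM bundle has the layout shown above before it is pasted into "import terminal ta-profile root". The function names make_demo_pki and check_bundle, the file names and the demo subjects are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example: pre-check a leaf + intermediate PEM bundle against the root CA.
# Every key, subject and file name here is constructed for the demo.

# make_demo_pki DIR: throwaway root -> intermediate -> leaf chain in DIR.
make_demo_pki() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  for n in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -set_serial 3 -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# check_bundle ROOT CSR BUNDLE: succeeds only if the first certificate in BUNDLE
# carries the CSR's public key and chains to ROOT through the certificates after it.
check_bundle() {
  root=$1; csr=$2; bundle=$3
  t=$(mktemp -d) || return 2
  # First PEM block is treated as the leaf, all later blocks as intermediates.
  awk -v d="$t" '/-----BEGIN CERTIFICATE-----/ { n++ }
       n == 1 { print > (d "/leaf.pem") }
       n >  1 { print > (d "/rest.pem") }' "$bundle"
  rc=1
  if [ -s "$t/leaf.pem" ] &&
     [ "$(openssl x509 -in "$t/leaf.pem" -noout -pubkey 2>/dev/null)" = \
       "$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)" ]; then
    if [ -s "$t/rest.pem" ]; then set -- -untrusted "$t/rest.pem"; else set --; fi
    openssl verify -CAfile "$root" "$@" "$t/leaf.pem" >/dev/null 2>&1 && rc=0
  fi
  rm -rf "$t"
  return $rc
}

# Usage: check_bundle root.pem leaf.csr bundle.pem && echo "bundle is ready to paste"
```

The check fails when the intermediate is missing from the bundle or when the first certificate does not belong to the CSR, for example because the two certificates were concatenated in the opposite order.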