Installing a CA-signed leaf certificate (initiated in the switch)
This procedure describes how to create and install an X.509 leaf certificate that is generated inside the switch but signed outside the switch by a CA, and then associate the certificate with one of the following switch features: syslog client, RadSec client, HTTPS server, or HSC (hardware switch controller).
Prerequisites
- Root CA certificate root-cert installed as described in Installing a certificate of a root CA.
Procedure
- Create a leaf certificate context with the command crypto pki certificate, which then switches to the created leaf certificate configuration context.
- Define leaf certificate properties with the command subject.
- Set the encryption key type for the leaf certificate with the command key-type.
- Generate the certificate signing request (CSR) with the command enroll terminal.
- Use the CSR to obtain a leaf certificate from the root CA, using the root CA directly as the signer CA.
- Import the leaf certificate into the switch with the command import (CA-signed leaf certificate).
- Exit the leaf certificate context with the command exit.
- Associate the leaf certificate with a switch feature (syslog client, RadSec client, HTTPS server, or HSC) with the command crypto pki application.
Example
This example:
- Creates the leaf certificate context.
- Defines the leaf certificate characteristics.
- Generates the leaf certificate signing request in the switch for getting signed outside the switch by a CA.
- Imports the CA-signed leaf certificate into the switch.
- Associates the leaf certificate with the syslog client (application) on the switch.
switch(config)#crypto pki certificate lcert
switch(config-cert-lcert)#subject common-name Leaf country US state CA locality Rocklin org Company org-unit Site
switch(config-cert-lcert)#key-type rsa key-size 3072
switch(config-cert-lcert)#enroll terminal
You are enrolling a certificate with the following attributes:
 Subject: C=US, ST=CA, L=Rocklin, O=Company, OU=Site CN=Leaf
 Key Type: RSA (2048)
Continue (y/n)?y
-----BEGIN CERTIFICATE REQUEST-----
MIIBozCCAQwCAQAwYzEVMBMGA1UEAxMMcG9kMDEtODQwMC0xMQ4wDAYDV
nViYTEMMAoGA1UEChMDSFBFMRIwEAYDVQQHEwlSb3NldmlsbGUxCzAJBg
NBMQswCQYDVQQGEwJVUzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYE
...
GBAJ4L3lFFfWBEL+KAKpOGjZcVmwlBMqSKFtOFNF9nzmUmONmU3SKy6dz
7Au22mf3lWDxzrtCC/dj5RtWJeJekxp2LCIK/3eRXUwbYveQDKcxH7j9Z
ace+2tA68F2vlgRCQ/hcQH0YmNuaq4Ne3w0dhm7HlUrx
-----END CERTIFICATE REQUEST-----
switch(config-cert-lcert)#import terminal ta-profile root-cert
Paste the certificate in PEM format below, then hit enter and ctrl-D:
switch(config-cert-import)# -----BEGIN CERTIFICATE-----
switch(config-cert-import)# MIIFRDCCAyygwIBAgIQPnnS2Vp5u07XMdktDJzANBgkqhkiG9w0Bv
switch(config-cert-import)# MQswCQYDVQGEwJVEOMAwG1UECgwFJ1YmxDAOgNBMMB1Jvb3QgQ0Ew
switch(config-cert-import)# HhcNMTkNDEwMjIwNTWcjIwMTA0MjwNE1WBzQswQYDVQQGEwJVUzEL
...
switch(config-cert-import)# 1fIYZYGQyla0AwFuTTxBXYwRxPbUYU5tumrfwRPmE4OVY8S9DQgcr
switch(config-cert-import)# 1NGNm3NG03GqPcs/T9bVyF5BOrS5lmm7kNfRYl8D/kMTfRreSdxis
switch(config-cert-import)# YQ1u1NqShps=
switch(config-cert-import)# -----END CERTIFICATE-----
switch(config-cert-import)#
Leaf certificate is validated with root-cert and imported successfully.
switch(config-cert-lcert)#exit
switch(config)#crypto pki application syslog-client certificate lcert
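The session above shows only the switch side. The CA-side step in between, signing the pasted CSR with the root CA and checking that the result will validate against the root-cert TA profile before it is imported, is shown here as an added example using openssl; it is not from the original page or from the switch vendor. The file names switch.csr, root-ca.crt, root-ca.key and leaf.crt, the 365-day validity and the extension set are assumptions.

```shell
#!/bin/sh
# Added example, not from the page: the CA side of the procedure.
# switch.csr holds the PEM block printed by "enroll terminal" on the switch;
# root-ca.crt / root-ca.key are the CA that is installed on the switch as the
# TA profile "root-cert". All file names and the 365-day validity are assumed.

# Sign the switch CSR directly with the root CA (no intermediate) and add the
# extensions a TLS leaf needs; CA:FALSE keeps the issued certificate from
# being usable as an issuer itself.
sign_switch_csr() {
  csr="$1"; ca_cert="$2"; ca_key="$3"; out_cert="$4"
  ext_file=$(mktemp) || return 1
  cat > "$ext_file" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
  openssl x509 -req -in "$csr" -CA "$ca_cert" -CAkey "$ca_key" \
    -CAcreateserial -days 365 -sha256 -extfile "$ext_file" -out "$out_cert"
  rc=$?
  rm -f "$ext_file"
  return "$rc"
}

# Pre-import check: the leaf must chain to the root the switch trusts
# (what the switch validates on "import terminal ta-profile root-cert"),
# and as an extra sanity check it must not carry CA:TRUE.
verify_leaf() {
  leaf="$1"; ca_cert="$2"
  openssl verify -CAfile "$ca_cert" "$leaf" >/dev/null 2>&1 || return 1
  openssl x509 -in "$leaf" -noout -text | grep -q 'CA:FALSE'
}

# Usage with the assumed file names; the printed PEM is what gets pasted
# into the switch after "import terminal ta-profile root-cert":
#   sign_switch_csr switch.csr root-ca.crt root-ca.key leaf.crt \
#     && verify_leaf leaf.crt root-ca.crt && cat leaf.crt
```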