import (CA-signed leaf certificate)
Syntax
import terminal ta-profile [password ]
import ta-profile [password ][vrf ]
import ta-profile [password ]
Description
Imports a CA-signed leaf certificate and then validates the certificate against the specified TA profile. If the imported data includes a private key, the private key must match the leaf certificate being imported. If the imported data does not include a private key, the certificate must match a CSR that was previously generated with the command enroll terminal and must be signed by the CA whose root certificate is installed in the specified TA profile. The TA profile must exist and have a TA certificate configured.
Parameters
terminal
- Import the certificate by pasting PEM-format data at the console. Upon execution, the config-cert-import context is entered for certificate pasting. To complete certificate data entry, press Control-D in your terminal program. Alternatively, the pasted certificate data can include at its end the delimiter END_OF_CERTIFICATE (after the -----END CERTIFICATE----- line), making entry of Control-D unnecessary.
ta-profile
- Specifies the TA profile name. Range: 1 to 48 alphanumeric characters excluding ".
- Specifies a certificate data file on a remote TFTP or SFTP server. The URL syntax is:
{tftp:// | sftp:// @} { | } [: ] [; blocksize = ]/
- Available on switch families that provide USB device file import capability, specifies a certificate data file on a USB storage device inserted in the switch USB port. The URL syntax is:
usb:/
password
- Specifies the plaintext password used to decrypt the private key in the imported certificate data. When this parameter is omitted, the password is prompted for as required. Range: 1 to 32 alphanumeric characters.
vrf
- Specifies the name of the VRF to use for the remote URL file transfer. The default is mgmt.
Command context
config-cert-
Authority
Administrators or local user group members with execution rights for this command.
Usage
The imported data must include all the intermediate CA certificates in the certificate chain leading to the certificate imported into the specified TA profile.
This command cannot be used with the default certificate local-cert.
The PEM data format is supported for all import sources. The PKCS#12 data format is supported for and .
The PEM data must be delimited with these lines for the certificate data:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
And the PEM data must be delimited with either of these line pairs for the private key data:
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
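An added example, not part of the original documentation: a workstation-side pre-flight check for PEM data before it is pasted into import terminal, covering only the delimiter and encoding rules listed above (the switch itself performs the key-match and TA-profile validation). The function name preflight and the sample data are constructed for illustration.

```python
import base64
import re

# Delimiter labels the Usage section lists as accepted for import.
CERT_LABEL = "CERTIFICATE"
KEY_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END ([A-Z0-9 ]+)-----", re.S)

# Constructed sample: a tiny DER SEQUENCE stands in for real certificate/key data.
_B64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
SAMPLE_OK = (f"-----BEGIN CERTIFICATE-----\n{_B64}\n-----END CERTIFICATE-----\n"
             f"-----BEGIN ENCRYPTED PRIVATE KEY-----\n{_B64}\n"
             "-----END ENCRYPTED PRIVATE KEY-----\nEND_OF_CERTIFICATE\n")
SAMPLE_BAD = f"-----BEGIN RSA PRIVATE KEY-----\n{_B64}\n-----END RSA PRIVATE KEY-----\n"


def preflight(pem_text):
    """Return (counts, problems) for PEM text destined for 'import terminal'."""
    problems = []
    counts = {"certificates": 0, "private_keys": 0, "encrypted_key": False}
    # The optional END_OF_CERTIFICATE terminator may follow the last block.
    body = pem_text.strip()
    if body.endswith("END_OF_CERTIFICATE"):
        body = body[: -len("END_OF_CERTIFICATE")]
    for begin, b64, end in PEM_BLOCK.findall(body):
        try:
            der = base64.b64decode("".join(b64.split()), validate=True)
        except ValueError:
            der = b""
        if begin != end:
            problems.append(f"BEGIN {begin} closed by END {end}")
        elif begin != CERT_LABEL and begin not in KEY_LABELS:
            problems.append(f"delimiter '{begin}' is not one the command lists")
        elif not der.startswith(b"\x30"):  # certificates and PKCS#8 keys are DER SEQUENCEs
            problems.append(f"{begin} block is not base64 of a DER SEQUENCE")
        elif begin == CERT_LABEL:
            counts["certificates"] += 1
        else:
            counts["private_keys"] += 1
            counts["encrypted_key"] = begin == "ENCRYPTED PRIVATE KEY"
    if "-----" in PEM_BLOCK.sub("", body):
        problems.append("unterminated or malformed PEM delimiter line")
    if counts["certificates"] == 0:
        problems.append("no certificate block found")
    if counts["private_keys"] > 1:
        problems.append("more than one private key block")
    return counts, problems
```

A certificates count of 1 means the data carries no intermediate CA certificates, which is only sufficient when the leaf is signed directly by the CA in the TA profile.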
Examples
Importing a leaf certificate from the console:
switch(config)# crypto pki certificate leaf-cert
switch(config-cert-leaf-cert1)# import terminal ta-profile root-cert
Paste the certificate in PEM format below, then hit enter and ctrl-D:
switch(config-cert-import)# -----BEGIN CERTIFICATE-----
switch(config-cert-import)# MIIFRDCCAyygAwIBAgQP8nS2Vp15u0xXMdkDJzANBgkqhkiG9w0Bv
switch(config-cert-import)# MQswCQYDVQGEwJVUEOMAwGA1UCgwFXJ1YmDAgNBAMM1Jvb3QgQ0Ew
switch(config-cert-import)# HhcNMTkNDEwMjIwNT1WhcjIwMT0MjwNE1WjzQswQDVQQGEwJVUzEL
...
switch(config-cert-import)# 1fIYZYGQyla0AwFuPTTxBXHYwRxTPbUYU5umJfRPmE4VY8S9DQgcr
switch(config-cert-import)# 1NGNm3NG03GqPScs/TF9bVyFA5BOS5lmmkfRYK8D/kMTfRreSdxis
switch(config-cert-import)# YQ1u1NqShps=
switch(config-cert-import)# -----END CERTIFICATE-----
switch(config-cert-import)# -----BEGIN ENCRYPTED PRIVATE KEY-----
switch(config-cert-import)# MIIFDjBABgkqhkiG9wBBQ0wMzAbBgqkw0QwwDQIpJMN7sVGwCAggA
switch(config-cert-import)# MBQGCCqGSIb3DQMHAit+2qadNAASCgLYJ4Am3EfhH5p51Ggr86VqS
switch(config-cert-import)# IJ6L/UhEtH523nUkdV6gvAgoYaD83PswToAGv5VS8OMFTPttrn5/K
...
switch(config-cert-import)# OgSecqZsG6arbx0ESaYBir1c/6rPspcjbx283iD1MWOpeoS2aEmOX
switch(config-cert-import)# iKnXnUMpVPfLc74ty2S41DtH0X9gf6aa1jStg+7cND9XfGtjaV2+/
switch(config-cert-import)# cb4=
switch(config-cert-import)# -----END ENCRYPTED PRIVATE KEY-----
switch(config-cert-import)#
Enter import password:*******
Leaf certificate is validated with root-cert and imported successfully.
switch(config-cert-leaf-cert)#
Importing a leaf certificate from a remote file:
switch(config)# crypto pki certificate leaf-cert2
switch(config-cert-leaf-cert2)# import tftp://1.1.1.2/c2.p12 ta-profile root-cert
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3722  100  3722    0     0   391k      0 --:--:-- --:--:-- --:--:--  391k
100  3722  100  3722    0     0   376k      0 --:--:-- --:--:-- --:--:--  376k
Enter import password:*******
Leaf certificate is validated with root-cert and imported successfully.
switch(config-cert-leaf-cert2)#