Dell EMC SmartFabric OS10 User Guide Release 10.5.0

Request and install host certificates

OS10 also supports the switch obtaining its own X.509v3 host certificate. In this procedure, you generate a certificate signing request (CSR) and a private key. Store the private key locally in a secure location. Copy the CSR file to a certificate authority. The CA generates a host certificate for an OS10 switch by digitally signing the switch certificate contained in the CSR.

The administrator then copies the CA-signed host certificate to the home directory on the switch. Because a local private key is created when the CSR is generated, it is not necessary to install a private key using an uploaded file.

The switch presents its own host certificate to clients that require authentication, such as Syslog and RADIUS servers over TLS and HTTPS connections. The certificate is digitally signed with the private key of the OS10 switch. OS10 supports multiple host certificates so that you can use different certificates with different applications. For more information, see Security profiles.

To obtain a host certificate from a CA:
  1. Create a private key and generate a certificate signing request for the switch.
  2. Copy the CSR file to a CA server.
  3. Copy the CA-signed certificate to the home directory on the switch. Install the trusted certificate.

Generate a certificate signing request and private key

  • Create a private key and a CSR in EXEC mode. Store the CSR file in the home directory or flash: so that you can later copy it to a CA server. Specify a keypath to store the device.key file in a secure persistent location, such as the home directory, or use the private option to store the key file in a private hidden location in the internal file system that is not visible to users.
    crypto cert generate request [cert-file cert-path key-file {private | keypath}]
    [country 2-letter code] [state state] [locality city] [organization organization-name]
    [orgunit unit-name] [cname common-name] [email email-address] [validity days] 
    [length length] [altname alt-name]

    If you enter the cert-file option, you must enter all the required parameters, such as the local paths where the certificate and private key are stored, country code, state, locality, and other values.

    If you do not specify the cert-file option, you are prompted to fill in the other parameter values for the certificate interactively; for example:
    You are about to be asked to enter information that will be incorporated into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank.
    For some fields there will be a default value; if you enter '.', the field will be left blank.
    Country Name (2 letter code) [US]:
    State or Province Name (full name) [Some-State]:California
    Locality Name (eg, city) []:San Francisco
    Organization Name (eg, company) []:Starfleet Command
    Organizational Unit Name (eg, section) []:NCC-1701A
    Common Name (eg, YOUR name) [hostname]:S4148-001
    Email Address []:scotty@starfleet.com

    The switch uses SHA-256 as the digest algorithm. The public key algorithm is RSA with a 2048-bit modulus. The KeyUsage bits of the certificate assert keyEncipherment (bit 2) and keyAgreement (bit 4). The keyCertSign bit (bit 5) is NOT set. The ExtendedKeyUsage fields indicate serverAuth and clientAuth.

    The attribute CA:FALSE is set in the Extensions section of the certificate. The certificate is NOT used to validate other certificates.

  • If necessary, re-enter the command to generate multiple certificate-key pairs for different applications on the switch. You can configure a certificate-key pair in a security profile. Using different certificate-key pairs is necessary if you want to change the certificate-key pair for a specified application without interrupting other critical services. For example, RADIUS over TLS may use a different certificate-key pair than SmartFabric services.
NOTE

If the system is in FIPS mode using the crypto fips enable command, the CSR and private key are generated using FIPS-validated and compliant algorithms. You manage whether the keys are generated in FIPS mode or not.

Copy CSR to the CA server

You can copy the CSR from flash to a destination, such as a USB flash drive, using TFTP, FTP, or SCP.
OS10# copy home://DellHost.pem  scp:///tftpuser@10.11.178.103:/tftpboot/certs/DellHost.pem
password:

The CA server signs the CSR with its private key. The CA server then makes the signed certificate available for the OS10 switch to download and install.

Install host certificate

  1. Use the copy command to download an X.509v3 certificate signed by a CA server to the local home directory using a secure method, such as HTTPS, SCP, or SFTP.
  2. Use the crypto cert install command to install the certificate and the private key generated with the CSR.
  • Install a trusted certificate and key file in EXEC mode.
    crypto cert install cert-file home://cert-filepath key-file {key-path | private} 
    [password passphrase] [fips]
    • cert-file cert-filepath specifies a source location for a downloaded certificate; for example, home://s4048-001-cert.pem or usb://s4048-001-cert.pem.
    • key-file {key-path | private} specifies the local path to retrieve the downloaded or locally generated private key. Enter private to install the key from a local hidden location and rename the key file with the certificate name.
    • password passphrase specifies the password used to decrypt the private key if it was generated using a password.
    • fips installs the certificate-key pair as FIPS-compliant. Enter fips to install a certificate-key pair that is used by a FIPS-aware application, such as RADIUS over TLS. If you do not enter fips, the certificate-key pair is stored as a non-FIPS-compliant pair.
      NOTE You determine if the certificate-key pair is generated as FIPS-compliant. Do not use FIPS-compliant certificate-key pairs outside of FIPS mode. When FIPS mode is enabled, you can still generate CSRs for non-FIPS certificates for use with non-FIPS applications. Be sure to install these certificates as non-FIPS with the crypto cert install command.
    • If you enter fips after using the key-file private option in the crypto cert generate request command, a FIPS-compliant private key is stored in a hidden location in the internal file system that is not visible to users.

If the certificate installation is successful, the file name of the host certificate and its common name are displayed. Use the filename to configure the certificate in a security profile using the crypto security-profile command.

Example: Generate CSR and upload to server

OS10# crypto cert generate request cert-file home://DellHost.pem key-file home://DellHost.key email admin@dell.com length 1024 altname DNS:dell.domain.com
Processing certificate ...
Successfully created CSR file /home/admin/DellHost.pem and key

OS10# copy home://DellHost.pem  scp:///tftpuser@10.11.178.103:/tftpboot/certs/DellHost.pem
password:

Host certificate tip

When administering a large number of switches, you may choose not to generate a CSR on every switch. An alternative to generating the host certificate on each switch is to generate both the private key file and the CSR offline; for example, on the CA server. The CA signs the CSR and, because the key was generated there as well, returns both the certificate and the key file. You then copy the trusted certificate and key file to the switch using the copy command and install them using the crypto cert install cert-file home://cert-filename key-file home://key-filename command.

NOTE For security reasons, the private key file is copied to an internal, secure location and removed from the viewable file system.
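The offline workflow from the tip above, carried out with openssl as an added example (this is not OS10 code or a Dell script): a 2048-bit RSA key and CSR carrying the same attributes the guide lists for a switch-generated CSR (SHA-256, keyEncipherment and keyAgreement without keyCertSign, CA:FALSE, serverAuth/clientAuth, a DNS altname), signed by a throwaway test CA built inline, followed by the checks worth running on the pair before copying it to home:// and installing it. The file names, subject, hostname and test CA are assumptions constructed for the example.

```shell
# Added example (not OS10 code): offline key/CSR generation, signing by a throwaway
# test CA, and checks before install. File names, subject, hostname and CA are constructed.
set -eu
WORK=$(mktemp -d)
CN=S4148-001                      # constructed switch hostname
ALT=DNS:s4148-001.example.com     # constructed altname
# Key + CSR with the attributes the guide lists for a switch-generated CSR: RSA-2048,
# SHA-256, keyEncipherment+keyAgreement (no keyCertSign), CA:FALSE, EKU serverAuth/clientAuth.
gen_csr() {
  cat > "$WORK/host.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = host_ext
prompt = no
[dn]
C = US
O = Example Org
CN = $CN
[host_ext]
basicConstraints = CA:FALSE
keyUsage = critical, keyEncipherment, keyAgreement
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = $ALT
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/host.cnf" \
    -keyout "$WORK/host.key" -out "$WORK/host.csr" 2>/dev/null
  chmod 600 "$WORK/host.key"      # keep the key private until it is on the switch
}
# Test CA standing in for the real CA server; it signs the CSR with the requested extensions.
sign_with_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/O=Example Org/CN=Test CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/host.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/host.cnf" -extensions host_ext \
    -out "$WORK/host.pem" 2>/dev/null
}
# Checks before copying the pair to home:// and running crypto cert install.
check_pair() {  # usage: check_pair cert.pem key.pem -> 0 if acceptable
  openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1 || return 1
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ] || return 1
  t=$(openssl x509 -in "$1" -noout -text)
  echo "$t" | grep -q 'Public-Key: (2048 bit)' || return 1
  echo "$t" | grep -q 'CA:FALSE' || return 1
  echo "$t" | grep -q 'Key Encipherment, Key Agreement' || return 1
  echo "$t" | grep -q 'Certificate Sign' && return 1          # keyCertSign must be off
  echo "$t" | grep -q 'TLS Web Server Authentication, TLS Web Client Authentication' || return 1
  echo "$t" | grep -q "${ALT#DNS:}"
}
gen_csr && sign_with_test_ca && check_pair "$WORK/host.pem" "$WORK/host.key" &&
  echo "ready: copy $WORK/host.pem and host.key to the switch, then crypto cert install"
```

The negative case matters as much as the positive one: check_pair rejects a certificate whose public key does not match the key file, so a mix-up between switches is caught before the pair reaches the switch.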

Example: Download and install trusted certificate and private key

OS10# copy scp:///tftpuser@10.11.178.103:/tftpboot/certs/Dell_host1_CA1.pem home://Dell_host1_CA1.pem
password:

OS10# copy scp:///tftpuser@10.11.178.103:/tftpboot/certs/Dell_host1_CA1.key home://Dell_host1_CA1.key
password:

OS10# crypto cert install cert-file home://Dell_host1_CA1.pem key-file home://Dell_host1_CA1.key
Processing certificate ...
Certificate and keys were successfully installed as "Dell_host1_CA1.pem" that may be used in a security profile. CN = Dell_host1_CA1

Display trusted certificates

OS10# show crypto cert
 --------------------------------------
|    Installed non-FIPS certificates    |
 --------------------------------------
Dell_host1_CA1.pem
 --------------------------------------
|    Installed FIPS certificates    |
 --------------------------------------
OS10# show crypto cert Dell_host1_CA1.pem
 ------------ Non FIPS certificate -----------------
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4096 (0x1000)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = California, O = Dell EMC, OU = Networking, CN = Dell_interCA1
        Validity
            Not Before: Jul 25 19:11:19 2018 GMT
            Not After : Jul 22 19:11:19 2028 GMT
        Subject: C = US, ST = California, L = Santa Clara, O = Dell EMC, OU = Networking, CN = Dell_host1_CA1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e7:81:4b:4a:12:8d:ce:88:e6:73:3f:da:19:03:
                    c6:56:01:19:b2:02:61:3f:5b:1e:33:28:a1:ed:e3:
                    85:bc:56:fb:18:d5:16:2e:a0:e7:3a:f9:34:b4:df:
                    37:97:93:a9:b9:94:b2:9f:69:af:fa:31:77:68:06:
                    89:7b:6d:fc:91:14:4a:c8:7b:23:93:f5:44:5a:0a:
                    3f:ce:9b:af:a6:9b:49:29:fd:fd:cb:34:40:c4:02:
                    30:95:37:28:50:d8:81:fb:1f:83:88:d9:1f:a3:0e:
                    49:a1:b3:df:90:15:d4:98:2b:b2:38:98:6e:04:aa:
                    bd:92:1b:98:48:4d:08:49:69:41:4e:6a:ee:63:d8:
                    2a:9f:e6:15:e2:1d:c3:89:f5:f0:d0:fb:c1:9c:46:
                    92:a9:37:b9:2f:a0:73:cf:e7:d1:88:96:b8:4a:84:
                    91:83:8c:f0:9a:e0:8c:6e:7a:fa:6e:7e:99:3a:c3:
                    2c:04:f9:06:8e:05:21:5f:aa:6e:9f:b7:10:37:29:
                    0c:03:14:a0:9d:73:1f:95:41:39:9b:96:30:9d:0a:
                    cb:d0:65:c3:59:23:01:f7:f5:3a:33:b9:e9:95:11:
                    0c:51:f4:e9:1e:a5:9d:f7:95:84:9c:25:74:0c:21:
                    4f:8b:07:29:2f:e3:47:14:50:8b:03:c1:fb:83:85:
                    dc:bb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Client, S/MIME
            Netscape Comment:
                OpenSSL Generated Client Certificate
            X509v3 Subject Key Identifier:
                4A:20:AA:E1:69:BF:BE:C5:66:2E:22:71:70:B4:7E:32:6F:E0:05:28
            X509v3 Authority Key Identifier:
                keyid:A3:39:CB:C7:76:86:3B:05:44:34:C2:6F:90:73:1F:5F:64:55:5C:76
            X509v3 Key Usage: critical

Delete trusted certificate

OS10# crypto cert delete Dell_host1_CA1.pem
Certificate and keys were successfully deleted. CN = Dell_host1_CA1
