Dell EMC SmartFabric OS10 User Guide Release 10.5.0

Public key infrastructure

To use X.509v3 certificates for secure communication and user authentication on OS10 switches in a network, a public key infrastructure (PKI) with a certificate authority (CA) is required. The CA signs certificates that prove the trustworthiness of network devices.

When an organization wants to assure customers that the connection to their network is secure, it may pay a commercial Certificate Authority, such as VeriSign or DigiCert, to sign a certificate for their domain. However, to implement an X.509v3 infrastructure, you can act as your own CA. While acting as your own CA, you can set up CAs to issue certificates to hosts in the same trusted domain to authenticate each other.

X.509v3 public key infrastructure

To set up a PKI using X.509v3 certificates, Dell EMC Networking recommends:

1. Configure a root CA that generates a private key and a self-signed CA certificate.
2. Configure one or more intermediate CAs that generate a private key and a certificate signing request (CSR), and send the CSR to the root CA.
   • Using its private key, the root CA signs an intermediate CA’s CSR and generates a CA certificate for the intermediate CA.
   • The intermediate CA downloads and installs the CA certificate. Afterwards, the intermediate CA can sign certificates for hosts in the network and for other intermediate CAs that are lower in the PKI hierarchy.
   • The root and intermediate CA certificates, but not the corresponding private keys, are made publicly available on the network for network hosts to download.
   • Whenever possible, store private keys offline or in a location restricted from general access.
3. Generate private keys and create CSRs on OS10 switches using the crypto cert generate request command. A switch uploads a CSR to an intermediate CA. To store the private key in a local hidden location, Dell EMC Networking recommends using the key-file private parameter with the command.
4. Download and install a CA certificate on a host using the crypto ca-cert install command. After you install a CA certificate, a host trusts any certificates that are signed by the CA and presented by other network devices. You must first download a certificate to the home directory, and then install the certificate using the crypto ca-cert install command.
5. Download and install a signed host certificate and private key from an intermediate CA on an OS10 switch. Then install them using the crypto cert install command. After you install the host certificate, OS10 applications use the certificate to secure communication with network devices. The private key is installed in the internal file system on the switch and cannot be exported or viewed.