Digital certificate configuration examples

This section shows how to obtain an online CA-signed certificate, remove an expired certificate, renew a certificate, and install an offline subject certificate.

Obtain an Online CA-signed Subject Certificate

Use the following procedure as an example to obtain an online CA-signed subject certificate that the application can use.

About this task

In the following commands, the variable WORD<1-45> refers to the name of the certificate authority and the variable WORD<1-80> refers to the certificate filename.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Configure the subject:
    certificate subject common-name 822-pki
    certificate subject e-mail 822@extremenetworks.com
    certificate subject unit Engineering 
    certificate subject organization ExtremeNetworks 
    certificate subject locality Salem 
    certificate subject country US
    certificate subject province Massachusetts
    certificate subject subject-name 822
    
    certificate subject common-name 823-pki
    certificate subject e-mail 823@extremenetworks.com
    certificate subject unit Engineering 
    certificate subject organization ExtremeNetworks 
    certificate subject locality Salem 
    certificate subject country US
    certificate subject province Massachusetts
    certificate subject subject-name 823
    Note

    The values mentioned are for example only.

  3. Generate the key pair:
    certificate generate-keypair {[type rsa size 2048] | [key-name WORD<1-45>]}
  4. Configure the certificate authority (CA):
    certificate ca ej common-name subca5 
    certificate ca ej key-name rsa_2048 
    certificate ca ej ca-url http://192.51.100.9:8080/ejbca/publicweb/apply/scep/test/pkiclient.exe 
    certificate ca ej use-post true
    Note

    The values mentioned are for example only.

  5. Use SCP to upload the Root CA certificate to: /intflash/shared/certs.
  6. Install the Root CA certificate:
    certificate ca WORD<1-45> install-file root-ca-filename WORD<1-80>
  7. Authenticate the CA:
    certificate ca WORD<1-45> action caauth
  8. Enroll the subject certificate by the CA:
    certificate ca WORD<1-45> action enroll
  9. Install the certificate:
    certificate ca WORD<1-45> action install
  10. Optional: If the certificate expires, remove the enrolled subject certificate:
    certificate ca WORD<1-45> action remove
  11. Optional: To obtain the new certificate before the old certificate expires, enter the following command to renew the certificate:
    certificate ca WORD<1-45> action renew

    The Certificate Authority generates a new certificate for the subject.

Install an Offline CA Certificate

Use the following procedure as an example to install an offline CA certificate.

About this task

In the following commands, the variable WORD<1-80> refers to the certificate filename.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Configure the subject:
    certificate subject common-name 822-pki
    certificate subject e-mail client1@extremenetworks.com
    certificate subject unit Engineering
    certificate subject organization ExtremeNetworks
    certificate subject locality Salem
    certificate subject province Massachusetts
    certificate subject country US
    certificate subject subject-name 822
    Note

    The values mentioned are for example only.

  3. Generate the certificate signing request to support multiple subject identities on the switch:
    certificate generate-csr subject-name WORD<1-45> key-name WORD<1-64>
    #certificate generate-csr subject-name 823 key-name mimi 
    Switch:1(config)#1 2021-02-02T13:57:39.716Z SwitchModel CP1 - 0x003a8635 - 00000000 GlobalRouter DIGITALCERT 
    INFO Generate CSR For Digital Certificate successful!
    
  4. Use the generated CSR file to enroll the certificate on the server.
  5. Use SCP to upload the enrolled certificate along with Root certificate and all intermediary certificates to:

    /intflash/shared/certs/

  6. Install the Root CA certificate:
    certificate install-file offline-root-ca-filename WORD<1-80>
    Note

    If the Root CA issued the subject certificate directly, Steps 7 and 8 are optional. If an Intermediate CA issued the subject certificate, Steps 7 and 8 are mandatory, and you must use them to install every Intermediate CA certificate in the chain between the Root and the subject.

  7. Copy and paste the Intermediate CA certificate to:

    /intflash/shared/certs/

  8. Install the intermediate CA:

    certificate install-file offline-ca-filename WORD<1-80>

  9. Install the offline subject filename:
    certificate install-file offline-subject-filename WORD<1-80>
    #certificate install-file offline-subject-filename sd
    
    Error: File Name Not Found in /intflash/shared/certs/ or /intflash/.cert/.offlineCert/
    #certificate install-file offline-subject-filename 823mimi.crt subject-name 823 key-name mimi 
    1 2021-02-02T14:19:01.587Z SwitchModel CP1 - 0x003a864f - 00000000 GlobalRouter DIGITALCERT INFO 
    Performing OCSP Check For Certificate : 823-mimi
    1 2021-02-02T14:19:01.600Z SwitchModel CP1 - 0x003a8603 - 00000000 GlobalRouter DIGITALCERT INFO 
    Subject Certificate obtained offline from CA successfully installed
    1 2021-02-02T14:19:01.622Z SwitchModel CP1 - 0x003a8604 - 00000000 GlobalRouter DIGITALCERT INFO 
    Digital Certificate Module : Configuration Saved
    1 2021-02-02T14:19:01.666Z SwitchModel CP1 - 0x003a8619 - 00000000 GlobalRouter DIGITALCERT INFO 
    Received OCSP Response with SUCCESS Status!
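
The install output above can be checked mechanically when certificates are rolled out to many switches. The following is an added example, not part of the vendor procedure: it re-joins the wrapped DIGITALCERT log records shown in Step 9 and reports any certificate whose OCSP check is not followed by a SUCCESS response. The field names and the 5-second matching window are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

# Log lines from the install step above, wrapped as they appear on the page.
SAMPLE = """\
1 2021-02-02T14:19:01.587Z SwitchModel CP1 - 0x003a864f - 00000000 GlobalRouter DIGITALCERT INFO
Performing OCSP Check For Certificate : 823-mimi
1 2021-02-02T14:19:01.600Z SwitchModel CP1 - 0x003a8603 - 00000000 GlobalRouter DIGITALCERT INFO
Subject Certificate obtained offline from CA successfully installed
1 2021-02-02T14:19:01.622Z SwitchModel CP1 - 0x003a8604 - 00000000 GlobalRouter DIGITALCERT INFO
Digital Certificate Module : Configuration Saved
1 2021-02-02T14:19:01.666Z SwitchModel CP1 - 0x003a8619 - 00000000 GlobalRouter DIGITALCERT INFO
Received OCSP Response with SUCCESS Status!
"""

START = re.compile(r"^\d+ \d{4}-\d\d-\d\dT")
RECORD = re.compile(
    r"^\d+ (?P<ts>\S+)Z \S+ \S+ - (?P<code>0x[0-9a-f]+) - \S+ \S+ "
    r"(?P<module>\S+)\s+(?P<severity>[A-Z]+)\s+(?P<msg>.*)$")
OCSP_START = "Performing OCSP Check For Certificate :"
OCSP_OK = "Received OCSP Response with SUCCESS"

def parse(text):
    """Re-join wrapped records and return the DIGITALCERT events in order."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if START.match(line) or not records:
            records.append(line)          # a new record begins with "<n> <timestamp>"
        elif line:
            records[-1] += " " + line     # continuation of a wrapped record
    events = []
    for rec in records:
        m = RECORD.match(rec)
        if m and m["module"] == "DIGITALCERT":
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S.%f")
            events.append(ev)
    return events

def unconfirmed_ocsp_checks(events, window=timedelta(seconds=5)):
    """Certificates whose OCSP check has no SUCCESS response in `window` (assumed 5 s)."""
    ok = [e["ts"] for e in events if e["msg"].startswith(OCSP_OK)]
    return [e["msg"][len(OCSP_START):].strip() for e in events
            if e["msg"].startswith(OCSP_START)
            and not any(e["ts"] <= t <= e["ts"] + window for t in ok)]

if __name__ == "__main__":
    print(unconfirmed_ocsp_checks(parse(SAMPLE)))   # [] for the page's log
```

In the page's log the certificate is reported as installed before the OCSP response arrives, so the check compares timestamps rather than relying on line order.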
    

Configure X.509 V3 certificates for SSH Two Factor Authentication

Use the following procedure as an example to configure the SSH server on the switch, and the SSH client Secure CRT for two factor authentication using X.509 V3 certificates.

Before you begin

The following certificates must be loaded on the SSH server and SSH client:

  • For the Secure CRT (SSH client):
    • subject certificate from the PIV card.

  • For the switch (SSH server):

    • CAC-server.pem - the subject certificate

    • ca.cert.pem - the root CA certificate

    • Self-signedTrustAnchorCertificate.cer - the root CA certificate that signed the intermediate certificate

    • RSA2048IssuingCACertificate.cer - the intermediate certificate signed by the previous root CA that signed the subject certificate.

About this task

Use the following steps as an example to configure the SSH server on the switch, the RADIUS Windows server, and the SSH client Secure CRT.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Ensure the switch is running in Enhanced Secure Mode:
    Switch:1(config)#show boot config flags
    flags enhancedsecure-mode true
    Note

    This shows a partial output of only the relevant entry.

  3. Ensure the switch clock is synchronized:
    Switch:1#show clock
    System Clock time : Fri Oct 12 19:36:36 2018 UTC
  4. Provision PKI with certificates.

    For information about provisioning PKI with certificates, see the following sections:

X.509 Authentication Username Option Example

Use the following procedure as an example to configure username authentication options using X.509 V3 certificates.

Procedure

  1. Enable X.509 V3 authentication username override:
    Switch:1(config)# ssh x509v3-auth username overwrite

    The switch disregards the username sent by the SSH client and uses the principal name from the client's certificate for authentication. If RADIUS authentication is configured, the username is sent after you type the RADIUS password. For example, if you configure the SSH client with the username "John" and enable x509v3-auth username overwrite on the device, the switch sends the principal name 1403824387@mil to the RADIUS server for authorization.

    Test CAC John Smith
     Issuer: CN=DOD JITC ID CA-49, OU=PKI, OU=DoD, O=U.S. Government, C=US
     NotBefore: 12/19/2017 7:00 PM
     NotAfter: 12/19/2020 6:59 PM
     Subject: CN=SMITH.JOHN.1403824387, OU=USAF, OU=PKI, OU=DoD, O=U.S.
     Government, C=US
     Serial: 019ab3
     SubjectAltName: Other Name:Principal Name=1403824387@mil, Other
     Name:2.16.840.1.101.3.6.6=04 19 d4 f8 10 da 08 26 6c 10 e7 22 e5 83 68 5a 04 0e 44 82 64 5c 85 78 10 93 ee
     Cert: 8066aec3484d3740d7d99ec2f5ed1983365bb1
  2. Enable X.509 V3 authentication username strip:
    Switch:1(config)#ssh x509v3-auth username strip-domain

    If x509v3-auth username strip-domain is configured, the switch sends the principal name without the domain to the RADIUS server for authorization. The username is sent after you type the RADIUS password. For example, if you select principal name 1403824387@mil, the switch sends the principal name 1403824387, without the domain, to the RADIUS server for authorization.

    Test CAC John Smith
     Issuer: CN=DOD JITC ID CA-49, OU=PKI, OU=DoD, O=U.S. Government, C=US
     NotBefore: 12/19/2017 7:00 PM
     NotAfter: 12/19/2020 6:59 PM
     Subject: CN=SMITH.JOHN.1403824387, OU=USAF, OU=PKI, OU=DoD, O=U.S.
     Government, C=US
     Serial: 019ab3
     SubjectAltName: Other Name:Principal Name=1403824387@mil, Other
     Name:2.16.840.1.101.3.6.6=04 19 d4 f8 10 da 08 26 6c 10 e7 22 e5 83 68 5a 04 0e 44 82 64 5c 85 78 10 93 ee
     Cert: 8066aec3484d3740d7d99ec2f5ed1983365bb129
  3. Enable X.509 V3 authentication username use-domain:
    Switch:1(config)#ssh x509v3-auth username use-domain extreme.com

    If you select the username as the principal name, the switch sends the principal name from the certificate with the domain configured on the switch to the RADIUS server for authorization. The username is sent after you type the RADIUS password. For example, if you configure use-domain “extreme.com” on the switch and you configure the username to be the principal name 1403824387@mil, the switch sends the username 1403824387@extreme.com to the RADIUS server for authorization.

    Test CAC John Smith
     Issuer: CN=DOD JITC ID CA-49, OU=PKI, OU=DoD, O=U.S. Government, C=US
     NotBefore: 12/19/2017 7:00 PM
     NotAfter: 12/19/2020 6:59 PM
     Subject: CN=SMITH.JOHN.1403824387, OU=USAF, OU=PKI, OU=DoD, O=U.S.
     Government, C=US
     Serial: 019ab3
     SubjectAltName: Other Name:Principal Name=1403824387@mil, Other
     Name:2.16.840.1.101.3.6.6=04 19 d4 f8 10 da 08 26 6c 10 e7 22 e5 83 68 5a 04 0e 44 82 64 5c 85 78 10 93 ee
     Cert: 8066aec3484d3740d7d99ec2f5ed1983365bb129
  4. RADIUS server is not configured:
    If the RADIUS server is not configured, authorization for the username falls back to the local switch. You must configure the usernames on the switch. You are prompted for the password. For example, if you select the principal name 1403824387@mil, the switch locally authorizes the username as 1403824387@mil, or as 1403824387 if strip-domain is enabled.
    Test CAC John Smith
     Issuer: CN=DOD JITC ID CA-49, OU=PKI, OU=DoD, O=U.S. Government, C=US
     NotBefore: 12/19/2017 7:00 PM
     NotAfter: 12/19/2020 6:59 PM
     Subject: CN=SMITH.JOHN.1403824387, OU=USAF, OU=PKI, OU=DoD, O=U.S.
     Government, C=US
     Serial: 019ab3
     SubjectAltName: Other Name:Principal Name=1403824387@mil, Other
     Name:2.16.840.1.101.3.6.6=04 19 d4 f8 10 da 08 26 6c 10 e7 22 e5 83 68 5a 04 0e 44 82 64 5c 85 78 10 93 ee
     Cert: 8066aec3484d3740d7d99ec2f5ed1983365bb129
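
When preparing RADIUS or local user entries, it helps to compute the exact username the switch presents under each option. The following is an added example, not switch code: it models the behaviour described in Steps 1 to 3, taking the Principal Name from the certificate listing shown above. The function names are hypothetical, and each option is modelled on its own because this page does not state how the switch combines them.

```python
import re

# Subject and SubjectAltName lines of the listing on this page, wrapped as shown.
LISTING = """\
 Subject: CN=SMITH.JOHN.1403824387, OU=USAF, OU=PKI, OU=DoD, O=U.S.
 Government, C=US
 SubjectAltName: Other Name:Principal Name=1403824387@mil, Other
 Name:2.16.840.1.101.3.6.6=04 19 d4 f8 10 da 08 26 6c 10 e7 22 e5 83 68 5a 04 0e 44 82 64 5c 85 78 10 93 ee
"""

def principal_name(listing):
    """Return the Principal Name entry from a (possibly wrapped) listing."""
    flat = " ".join(part.strip() for part in listing.splitlines())
    m = re.search(r"SubjectAltName:.*?Principal Name=([^,\s]+)", flat)
    if not m:
        raise ValueError("listing has no Principal Name in SubjectAltName")
    if m.group(1).count("@") != 1:
        raise ValueError("principal name is not of the form user@domain")
    return m.group(1)

def authorization_username(principal, option, domain=None):
    """Username sent for authorization under one x509v3-auth username option."""
    user, _, _ = principal.partition("@")
    if option == "overwrite":        # principal name replaces the client's username
        return principal
    if option == "strip-domain":     # principal name without its domain
        return user
    if option == "use-domain":       # certificate domain replaced by the configured one
        if not domain:
            raise ValueError("use-domain needs the domain configured on the switch")
        return f"{user}@{domain}"
    raise ValueError(f"unknown option: {option}")

def usernames_to_provision(listing, domain=None):
    """Map each option to the username the RADIUS server or switch must know."""
    upn = principal_name(listing)
    options = ["overwrite", "strip-domain"] + (["use-domain"] if domain else [])
    return {o: authorization_username(upn, o, domain) for o in options}

if __name__ == "__main__":
    for option, name in usernames_to_provision(LISTING, "extreme.com").items():
        print(f"{option:13} {name}")
```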