Install the Certificate
Before you begin
To create a PKCS12 container with OpenSSL 3.0, use SHA-1. Certificate installation fails if you use SHA-256.
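The following is an added example, not part of the original page: one way to build a container that meets the SHA-1 requirement with OpenSSL 3.0 and to confirm the digest before copying the file to the switch. It assumes that "use SHA-1" covers the MAC digest and both encryption algorithms; the function names, the key and .p12 file names, and the password are constructed samples.

```bash
#!/usr/bin/env bash
# Added example: build a PKCS12 container whose MAC and encryption use SHA-1.
# Assumption: "use SHA-1" covers the MAC digest and both PBE algorithms.
set -eu

# make_sha1_p12 KEY CERT OUT
# The password is read from $P12_PASS so it never appears in the process list.
make_sha1_p12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" \
        -passout env:P12_PASS \
        -macalg sha1 \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES
}

# p12_mac_alg FILE
# Prints the MAC digest recorded in the container (openssl writes it to stderr).
p12_mac_alg() {
    openssl pkcs12 -info -in "$1" -passin env:P12_PASS -noout 2>&1 |
        sed -n 's/^MAC: \([^,]*\),.*/\1/p'
}

# Constructed sample input: a throwaway key and self-signed certificate.
demo() {
    workdir=$(mktemp -d)
    export P12_PASS='constructed-sample-password'
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=823' \
        -keyout "$workdir/pki.key" -out "$workdir/823pki.crt" 2>/dev/null
    make_sha1_p12 "$workdir/pki.key" "$workdir/823pki.crt" "$workdir/823pki.p12"
    p12_mac_alg "$workdir/823pki.p12"
    rm -rf "$workdir"
}

demo
```

On OpenSSL 3.x, an export without these three options records sha256 as the MAC digest, which is the case this page says fails to install.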
About this task
Use this procedure to install the following:
- certificate authority (CA) certificate
- root CA certificates
- subject certificates
- Certificate Revocation List (CRL) file obtained offline from the CA
Procedure
Example
View the installed offline subject certificate:
```
Switch:1>enable
Switch:1#configure terminal
Switch:1#certificate install-file offline-subject-filename 823pki.crt subject-name 823 key-name pki
1 2021-02-02T14:19:01.587Z Switch CP1 - 0x003a864f - 00000000 GlobalRouter DIGITALCERT INFO Performing OCSP Check For Certificate : 823-pki
1 2021-02-02T14:19:01.600Z Switch CP1 - 0x003a8603 - 00000000 GlobalRouter DIGITALCERT INFO Subject Certificate obtained offline from CA successfully installed
1 2021-02-02T14:19:01.622Z Switch CP1 - 0x003a8604 - 00000000 GlobalRouter DIGITALCERT INFO Digital Certificate Module : Configuration Saved
1 2021-02-02T14:19:01.666Z Switch CP1 - 0x003a8619 - 00000000 GlobalRouter DIGITALCERT INFO Received OCSP Response with SUCCESS Status!
```
The following output displays the CA name derived from the subject name and the key name. You use this entry when you configure a specific application to use a specific CA identity.
```
#show certificate ca
CA table entry
Name : 823-pki[auto-installed]
CommonName : CaA2-1
KeyName : pki
SubjectName : 823
CaUrl :
UsePost : 0
SubjectCertValidityDays : 0
Action : (null)
LastActionStatus : (null)
LastActionFailureReason :
CA-Auth Sha256Fingerprint :
UsedFor :
```
Variable Definitions
The following table defines parameters for the certificate install-file command.
Variable | Definition |
---|---|
offline-ca-filename WORD<1–80> | Specifies the certificate authority (CA) file name obtained from the CA. |
offline-crl-filename WORD<1–80> | Specifies the CRL file obtained from the CA. |
offline-root-ca-filename WORD<1–80> | Specifies the root CA file name obtained from the CA. |
offline-subject-filename WORD<1–80> | Specifies the subject certificate file name obtained from the CA. |
relaxed [pkcs12-password WORD<1-128>] | Uses the relaxed mode for offline subject certificate installation for less restrictive consistency checks. You can also install a PKCS12 format certificate and secret key in relaxed mode. WORD<1-128> is the password to extract the PKCS12 container. If you do not include this parameter, the supported format is Distinguished Encoding Rules (DER). |
key-name WORD<1-45> | Refers to the key name of the generated key-pair. |
subject-name WORD<1-45> | Refers to the subject identity name. |