Manage an SSL Certificate
Note
For certain switches in enhanced secure mode, all sensitive files are protected. You cannot access any sensitive files using Telnet, SSH, FTP, SFTP, TFTP, and SCP connections. For more information, see Sensitive File Protection.
The TLS server selects a certificate authority (CA)-signed certificate if the certificate is already installed in the Digital Certificate module.
If the server certificates are not available, the TLS server generates a new self-signed certificate at startup and uses that by default. You can choose to use an online or an offline CA-signed certificate, which takes precedence over the self-signed certificate.
For more information about SSL certificate manipulation, see Certificate Order Priority.
About this task
If a certificate is already present, you must confirm that it can be deleted before a new one is created.
After you create a certificate, the system logs one of the following INFO alarms:
- New default Server Certificate and Key are generated and installed
- Current Server Certificate and Key are installed
The default certificate key length for a certificate generated on the switch is 2,048 bits.
Note
The ssl certificate [validity-period-in-days <30-3650>] command in this procedure does not require a system reboot.
Procedure
Variable Definitions
The following table defines parameters for the ssl certificate command.
Variable | Value
---|---
validity-period-in-days <30-3650> | Specifies an expiration time for the certificate. The default is 365 days.