Obtains the pre-generated certificate from the user.
ssl | SSL. |
certificate | Certificate. |
csr-cert | Specifies the SSL/TLS certificate signed through CSR generated by switch. Trust chain verification performed during configuration. Only use this option for CSR-signed certificates. |
pregenerated | Specifies already having a certificate or private key in Privacy Enhanced Mail (PEM) format. |
ocsp | Specifies Online Certificate Status Protocol (OCSP). This option is only available if you have selected CSR-signed certificates. |
on | Enables OCSP for SSL/TLS certificate signed through CSR generated by the switch. |
off | Disables OCSP for SSL/TLS certificate signed through CSR generated by the switch (default). |
For CSR-signed certificates, OCSP is off by default.
This command is also used when downloading or uploading the configuration. Do not modify the certificate stored in the uploaded configuration file because the certificate is signed using the issuer's private key.
The certificate and private key file should be in PEM format and generated using RSA as the cryptography algorithm.
Only use the csr-cert option for CSR-signed certificates.
When a certificate is imported using this csr-cert option, mandatory trust chain verification and optional revocation check is performed. For a successful import, both verifications should pass. ExtremeXOS supports the revocation checking using the OCSP library. During the import of the switch certificate, if it is with csr-cert option, then if the trust chain verification passes, then the revocation status of the switch certificate and a maximum of 5 intermediate CA certificates (total of 6 certificates). When OCSP on is chosen, a revocation check is performed. The certificate is accepted only when revocation status is good for all certificates (switch and a maximum of 5 intermediate CA). If the revocation status is anything other than good (including unable to connect, no response, revoked, unknown) for any of the above certificates, then that certificate import is rejected. It can be imported though, by selecting OCSP as off.
The following command obtains the pre-generated certificate from the user:
configure ssl certificate pregenerated
Next, you open the certificate, and then copy and paste the certificate into the console/Telnet session, followed by a blank line to end the command.
This command was first available in the ExtremeXOS 11.2 and supported with the SSH module.
As of ExtremeXOS 21.1, the SSH XMOD is part of the base image and not available as a separate XMOD module.
Ability to configure CSR-signed certificates was added in ExtremeXOS 31.2.
This command is available on all Universal switches supported in this document.