Use this command to show FIPS mode, Trusted Platform Module (TPM), and external Python scripting support status.
fips-mode | Shows specifically FIPS mode status. |
python | Shows specifically external Python scripting support status. |
tpm | Shows specifically X.509 certificates stored in the switch's TPM chip. |
N/A
If you specify neither the fips-mode nor the python keyword, status information for both is shown.
If you specify the tpm keyword with one of the available certificate options, the command displays the X.509 certificates that are provisioned in the TPM hardware: the Endorsement Key (EK), the Initial Attestation Key (IAK) and the Initial Device Identifier (IDevID) certificates. The EK is provisioned and signed by the TPM manufacturer, and the IAK and IDevID are provisioned and signed by Extreme Networks.
If the text option is not specified, then the certificate's PEM data will be displayed. If the text option is specified, then a human readable version of the certificate will be displayed.
Note
These certificates are informational only and currently not used.
The following example shows both FIPS and Python scripting status:
# show security
FIPS Mode (current)    : Off
FIPS Mode (configured) : On
Python (current)       : Off
Python (configured)    : On
# show security python
Python (current)       : Off
Python (configured)    : Off
The following example shows the TPM certificate options:
# show security tpm certificate
  ek       Endorsement Key certificate
  iak      Initial Attestation Key certificate
  idevid   Initial Device Identifier certificate
The following is an example EK certificate with both RSA and ECC keys:
# show security tpm certificate ek
[Endorsement Key RSA Certificate]
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
[Endorsement Key ECC Certificate]
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
The following is an example EK certificate, with both RSA and ECC keys, displayed with the human-readable text option:
# show security tpm certificate ek text
[Endorsement Key RSA Certificate]
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 636778810 (0x25f4793a)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=DE, O=Infineon Technologies AG, OU=OPTIGA(TM), CN=Infineon OPTIGA(TM) TPM 2.0 RSA CA 042
        Validity
            Not Before: Sep 3 08:39:13 2019 GMT
            Not After : Sep 3 08:39:13 2034 GMT
        Subject:
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Authority Information Access:
                CA Issuers - URI:http://pki.infineon.com/OptigaRsaMfrCA042/OptigaRsaMfrCA042.crt
            X509v3 Key Usage: critical
                Key Encipherment
            X509v3 Subject Alternative Name: critical
                DirName:/2.23.133.2.1=id:49465800/2.23.133.2.2=SLB 9670 TPM2.0/2.23.133.2.3=id:0755
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://pki.infineon.com/OptigaRsaMfrCA042/OptigaRsaMfrCA042.crl
            X509v3 Certificate Policies:
                Policy: 1.2.276.0.68.1.20.1
            X509v3 Authority Key Identifier:
                keyid:5D:08:15:95:1F:5F:60:63:8A:69:E7:25:2F:3E:C4:BE:CD:75:54:B2
            X509v3 Extended Key Usage:
                2.23.133.8.1
            X509v3 Subject Directory Attributes:
                0.0...g....1.0...2.0.......
    Signature Algorithm: sha256WithRSAEncryption
[Endorsement Key ECC Certificate]
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1187607349 (0x46c97335)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=DE, O=Infineon Technologies AG, OU=OPTIGA(TM), CN=Infineon OPTIGA(TM) TPM 2.0 ECC CA 042
        Validity
            Not Before: Sep 3 08:38:53 2019 GMT
            Not After : Sep 3 08:38:53 2034 GMT
        Subject:
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            Authority Information Access:
                CA Issuers - URI:http://pki.infineon.com/OptigaEccMfrCA042/OptigaEccMfrCA042.crt
            X509v3 Key Usage: critical
                Key Agreement
            X509v3 Subject Alternative Name: critical
                DirName:/2.23.133.2.1=id:49465800/2.23.133.2.2=SLB 9670 TPM2.0/2.23.133.2.3=id:0755
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://pki.infineon.com/OptigaEccMfrCA042/OptigaEccMfrCA042.crl
            X509v3 Certificate Policies:
                Policy: 1.2.276.0.68.1.20.1
            X509v3 Authority Key Identifier:
                keyid:B1:1F:33:CC:A6:06:56:BA:25:9C:2E:90:5A:3B:54:3F:52:44:97:91
            X509v3 Extended Key Usage:
                2.23.133.8.1
            X509v3 Subject Directory Attributes:
                0.0...g....1.0...2.0.......
    Signature Algorithm: ecdsa-with-SHA256
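For inventory purposes, the text output above can be parsed to record which TPM a switch carries. The following Python is an added example, not ExtremeXOS or Extreme Networks code: it assumes a capture of `show security tpm certificate ek text` with one field per line, its function names are this example's own, and the OID meanings (2.23.133.2.1/2/3 as TPM manufacturer, model and version; 2.23.133.8.1 as the EK certificate key purpose) come from the TCG EK credential profile rather than from this page.

```python
import re

# TCG attribute OIDs carried in the EK certificate's Subject Alternative Name.
TCG_SAN = {"2.23.133.2.1": "manufacturer", "2.23.133.2.2": "model", "2.23.133.2.3": "version"}
TCG_KP_EK_CERTIFICATE = "2.23.133.8.1"  # key purpose marking an EK certificate

# Sample input trimmed from this page's example output (assumes a capture
# with one field per line; key and signature bytes are left out).
SECTION = """[Endorsement Key {alg} Certificate]
        Issuer: C=DE, O=Infineon Technologies AG, OU=OPTIGA(TM), CN=Infineon OPTIGA(TM) TPM 2.0 {alg} CA 042
            X509v3 Subject Alternative Name: critical
                DirName:/2.23.133.2.1=id:49465800/2.23.133.2.2=SLB 9670 TPM2.0/2.23.133.2.3=id:0755
            X509v3 Extended Key Usage:
                2.23.133.8.1
"""
SAMPLE = SECTION.format(alg="RSA") + SECTION.format(alg="ECC")

def decode_vendor(value):
    """Manufacturer is 'id:' plus four ASCII bytes in hex, NUL padded."""
    return bytes.fromhex(value.split(":", 1)[-1]).rstrip(b"\x00").decode("ascii")

def parse_ek_text(output):
    """Return {section label: fields} for each bracketed certificate section."""
    certs = {}
    for label, body in re.findall(r"^\[(.+?)\]\n(.*?)(?=^\[|\Z)", output, re.M | re.S):
        info = {"issuer_cn": None, "is_ek_cert": False}
        if m := re.search(r"Issuer:.*?CN=(.+)", body):
            info["issuer_cn"] = m.group(1).strip()
        if m := re.search(r"DirName:(\S+.*)", body):
            for part in m.group(1).strip().split("/")[1:]:
                oid, _, val = part.partition("=")
                if oid in TCG_SAN:
                    info[TCG_SAN[oid]] = val
        if m := re.search(r"Extended Key Usage:[^\n]*\n\s*(.+)", body):
            info["is_ek_cert"] = TCG_KP_EK_CERTIFICATE in re.split(r",\s*", m.group(1).strip())
        certs[label] = info
    return certs

def audit(certs):
    """Flag sections lacking the EK key purpose or disagreeing on TPM identity."""
    issues = [f"{k}: EKU {TCG_KP_EK_CERTIFICATE} missing" for k, v in certs.items() if not v["is_ek_cert"]]
    ids = {tuple(v.get(f) for f in TCG_SAN.values()) for v in certs.values()}
    if len(ids) > 1:
        issues.append("certificates describe different TPMs")
    return issues

if __name__ == "__main__":
    print(audit(parse_ek_text(SAMPLE)) or "EK certificates consistent")
```

With the page's values, the manufacturer field `id:49465800` decodes to the ASCII vendor ID `IFX`, which matches the Infineon issuer shown in both certificates.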
This command was first available in ExtremeXOS 21.1.
External Python scripting support status was added in ExtremeXOS 33.1.1.
The tpm option was added in ExtremeXOS 31.5.
This command is available on all Universal switches supported in this document.