Manage an SSL Certificate

The TLS server selects the server certificate in the following order:

  1. A certificate authority (CA)-signed certificate if the certificate is already present in the /intflash/.cert/ folder on the switch.

  2. A self-signed certificate if the certificate is already present in the /intflash/.cert/ folder on the switch.

If the server certificates are not available, the TLS server generates a new self-signed certificate at startup and uses that by default. The self-signed certificate is available in /.intflash/.cert/.ssl. You can choose to use an online or offline CA-signed certificate, which will take precedence over the self-signed certificate.

For more information about SSL certificate manipulation, see Certificate Order Priority.

About this task

If a certificate is already present, you must confirm that it can be deleted before a new one is created.

After you create a certificate, the system logs one of the following INFO alarms:

  • New default Server Certificate and Key are generated and installed

  • Current Server Certificate and Key are installed

The default certificate key length for a certificate generated on the switch is 2,048 bits.

Note

Note

The ssl certificate [validity-period-in-days <30-3650>] command in this procedure does not require a system reboot.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Create and install a new self-signed certificate:

    ssl certificate [validity-period-in-days <30-3650>]

  3. Delete a certificate:

    no ssl certificate

    Note

    Note

    The certificate loaded in memory remains valid until you use the ssl reset command or reboot the system.

Variable Definitions

The following table defines parameters for the ssl certificate command.

Variable

Value

validity-period-in-days <30-3650>

Specifies an expiration time for the certificate. The default is 365 days.
9036830-00 Rev AD