Certificate Order Priority

The TLS server selects the server certificate in the following order:

1. A certificate authority (CA)-signed certificate if the certificate is already present in the /intflash/.cert/ folder on the switch.

2. A self-signed certificate if the certificate is already present in the /intflash/.cert/ folder on the switch.

If the server certificates are not available, the TLS server generates a new self-signed certificate at startup and uses that by default. The self-signed certificate is available in /.intflash/.cert/.ssl. You can choose to use an online or offline CA-signed certificate, which will take precedence over the self-signed certificate.

SSL-Based Self-Signed Certificate

Some earlier releases use the default certificate available in the /intflash/.ssh folder, which is the open SSL-based self-signed certificate that is named host.cert.

To use the Mocana stack-based self-signed certificate, delete the open SSL self-signed certificate prior to upgrading your software release. The Mocana certificate offers better and stronger encryption than open SSL-based certificates.

If you do not delete the host.cert file in the /intflash/.ssh folder used in earlier releases, you must generate a self-signed certificate automatically during upgrade or post upgrade using the command config ssl certificate.

If you have a subscribed CA-signed certificate renamed as host.cert in folder /intflash/.ssh in a previous release, it cannot be reused.

To use your subscribed CA-signed certificate, upgrade with the Mocana-based self-signed certificate, and then use the digital certificates feature to install a CA-signed certificate through the online or offline method.

You cannot obtain a CA-signed certificate and rename the certificate as host.cert. You must use the online or offline method to obtain a certificate.