Certificate Order Priority

Table 1. Certificate order priority product support

Feature

Product

Release introduced

For configuration details, see VOSS User Guide.

Certificate order priority

Note:

VOSS Releases 6.0 and 6.0.1 do not support this feature.

5520 Series

VOSS 8.2.5

VSP 4450 Series

VOSS 5.1.2

VSP 4900 Series

VOSS 8.1

VSP 7200 Series

VOSS 5.1.2

VSP 7400 Series

VOSS 8.0

VSP 8200 Series

VOSS 5.1.2

VSP 8400 Series

VOSS 5.1.2

VSP 8600 Series

Not Supported

XA1400 Series

VOSS 8.0.50

Use the following information to understand the certificate order priority when the Transport Layer Security (TLS) server and switch connect.

The TLS server selects the server certificate in the following order:

  1. A certificate authority (CA)-signed certificate if the certificate is already present in the /intflash/.cert/ folder on the switch.

  2. A self-signed certificate if the certificate is already present in the /intflash/.cert/ folder on the switch.

If the server certificates are not available, the TLS server generates a new self-signed certificate at startup and uses that by default. The self-signed certificate is available in /.intflash/.cert/.ssl. You can choose to use an online or offline CA-signed certificate, which will take precedence over the self-signed certificate.

SSL-Based Self-Signed Certificate

Some earlier releases use the default certificate available in the /intflash/.ssh folder, which is the open SSL-based self-signed certificate that is named host.cert.

To use the Mocana stack-based self-signed certificate, delete the open SSL self-signed certificate prior to upgrading your software release. The Mocana certificate offers better and stronger encryption than open SSL-based certificates.

If you do not delete the host.cert file in the /intflash/.ssh folder used in earlier releases, you must generate a self-signed certificate automatically during upgrade or post upgrade using the command config ssl certificate.

If you have a subscribed CA-signed certificate renamed as host.cert in folder /intflash/.ssh in a previous release, it cannot be reused.

To use your subscribed CA-signed certificate, upgrade with the Mocana-based self-signed certificate, and then use the digital certificates feature to install a CA-signed certificate through the online or offline method.

You cannot obtain a CA-signed certificate and rename the certificate as host.cert. You must use the online or offline method to obtain a certificate.