Manage an SSL Certificate
The TLS server selects the server certificate in the following order:
- A certificate authority (CA)-signed certificate, if one is already present in the /intflash/.cert/ folder on the switch.
- A self-signed certificate, if one is already present in the /intflash/.cert/ folder on the switch.
If neither certificate is available, the TLS server generates a new self-signed certificate at startup and uses it by default. The self-signed certificate is available in /.intflash/.cert/.ssl. You can choose to use an online or offline CA-signed certificate, which takes precedence over the self-signed certificate.
For more information about SSL certificate manipulation, see Certificate Order Priority.
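As an added example, not taken from the switch documentation or the vendor's software: the selection order above, modelled over a stand-in for the /intflash/.cert/ folder, together with a small standard-library DER reader that tells a self-signed certificate (issuer Name equal to subject Name) from a CA-signed one and reports its validity window, which is the check an operator runs on the certificate the switch actually serves before trusting it. The file names, common names and dates are constructed; the key and signature fields of the sample certificates are placeholders, because only the names and validity inside tbsCertificate are read.

```python
"""Added example (not from the switch documentation): model the TLS server's
certificate selection order and inspect DER certificates for self-signed vs
CA-signed and validity.  Standard library only; samples are constructed."""
from datetime import datetime, timezone


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def read_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def children(content: bytes):
    """Yield (tag, content) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, inner, pos = read_tlv(content, pos)
        yield tag, inner


def parse_utctime(raw: bytes) -> datetime:
    """RFC 5280 UTCTime YYMMDDHHMMSSZ; years 50-99 are 19xx, 00-49 are 20xx."""
    s = raw.decode("ascii")
    yy = int(s[:2])
    year = (1900 if yy >= 50 else 2000) + yy
    return datetime(year, int(s[2:4]), int(s[4:6]), int(s[6:8]),
                    int(s[8:10]), int(s[10:12]), tzinfo=timezone.utc)


def inspect_certificate(cert_der: bytes) -> dict:
    """Extract issuer, subject and validity from tbsCertificate.  A certificate
    whose issuer Name equals its subject Name is self-signed; comparing the
    DER-encoded Names byte for byte is the standard way to test that."""
    _, cert, _ = read_tlv(cert_der, 0)                 # Certificate SEQUENCE
    tbs = next(children(cert))[1]                      # tbsCertificate
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:                           # optional [0] version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    issuer, validity, subject = fields[2][1], fields[3][1], fields[4][1]
    not_before, not_after = [parse_utctime(c) for _, c in children(validity)]
    return {"issuer": issuer, "subject": subject, "not_before": not_before,
            "not_after": not_after, "self_signed": issuer == subject}


def certificate_status(info: dict, now: datetime) -> str:
    """Validity check to run on the certificate the switch actually serves."""
    if now < info["not_before"]:
        return "not-yet-valid"
    if now > info["not_after"]:
        return "expired"
    return "valid"


def select_server_certificate(cert_folder: dict) -> tuple:
    """Documented order: a CA-signed certificate present in the folder wins,
    then a self-signed one, else the server generates a new self-signed one.
    cert_folder maps file name -> DER bytes (stand-in for /intflash/.cert/)."""
    parsed = {name: inspect_certificate(d) for name, d in cert_folder.items()}
    for name, info in parsed.items():
        if not info["self_signed"]:
            return "ca-signed", name
    for name, info in parsed.items():
        if info["self_signed"]:
            return "self-signed", name
    return "generated", None


# ---- constructed sample certificates (assumed names; placeholder key/sig) ----
def x509_name(cn: str) -> bytes:
    """Name ::= SEQUENCE OF RDN; one RDN holding commonName (OID 2.5.4.3)."""
    atv = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))
    return der(0x30, der(0x31, atv))


def make_cert(issuer_cn: str, subject_cn: str, nb: bytes, na: bytes) -> bytes:
    """Build the DER skeleton the parser reads; key and signature are dummies."""
    sha256_rsa = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sha256_rsa
              + x509_name(issuer_cn) + der(0x30, der(0x17, nb) + der(0x17, na))
              + x509_name(subject_cn) + der(0x30, b""))   # SPKI placeholder
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00" * 5))


FLASH_CERT_FOLDER = {  # stand-in for /intflash/.cert/ on the switch
    "self_signed.der": make_cert("switch-1", "switch-1", b"240101000000Z", b"250101000000Z"),
    "ca_signed.der": make_cert("Corp Issuing CA", "switch-1", b"240301000000Z", b"260301000000Z"),
}

if __name__ == "__main__":
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    print("selected:", select_server_certificate(FLASH_CERT_FOLDER))
    for fname, data in FLASH_CERT_FOLDER.items():
        info = inspect_certificate(data)
        print(fname, "self-signed" if info["self_signed"] else "CA-signed",
              certificate_status(info, now), "expires", info["not_after"].date())
```

With both sample files present the CA-signed certificate is chosen even though the self-signed one is listed first, matching the order the page gives; drop `ca_signed.der` and the self-signed one is chosen, and an empty folder yields `generated`. The status check is separate from selection on purpose: the page does not say the server skips an expired certificate, so an expired file is still selected and the operator is the one who has to notice.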
About this task
If a certificate is already present, you must confirm that it can be deleted before a new one is created.
After you create a certificate, the system logs one of the following INFO alarms:
- New default Server Certificate and Key are generated and installed
- Current Server Certificate and Key are installed
The default certificate key length for a certificate generated on the switch is 2,048 bits.

Note
The ssl certificate [validity-period-in-days <30-3650>] command in this procedure does not require a system reboot.
Procedure
Variable Definitions
The following table defines parameters for the ssl certificate command.
| Variable | Value |
|---|---|
| validity-period-in-days <30-3650> | Specifies an expiration time for the certificate, in days. The default is 365 days. |