Digital certificate configuration examples

This section shows how to obtain an online CA-signed certificate, remove the expired certificate, renew the certificate, and install an offline subject certificate.

Obtain an Online CA-signed Subject Certificate

Use the following procedure as an example to obtain an online CA-signed subject certificate that the application can use.

About this task

In the following commands, the variable WORD<1-45> refers to the name of the certificate authority and the variable WORD<1-80> refers to the certificate filename.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Configure the subject:
    certificate subject common-name 822-pki
    certificate subject e-mail 822@extremenetworks.com
    certificate subject unit Engineering 
    certificate subject organization ExtremeNetworks 
    certificate subject locality Salem 
    certificate subject country US
    certificate subject province Massachusetts
    certificate subject subject-name 822
    
    certificate subject common-name 823-pki
    certificate subject e-mail 823@extremenetworks.com
    certificate subject unit Engineering 
    certificate subject organization ExtremeNetworks 
    certificate subject locality Salem 
    certificate subject country US
    certificate subject province Massachusetts
    certificate subject subject-name 823
    Note

    The values mentioned are for example only.

  3. Generate the key pair:
    certificate generate-keypair {[type rsa size 2048] | [key-name WORD<1-45>]}
  4. Configure the certificate authority (CA):
    certificate ca ej common-name subca5 
    certificate ca ej key-name rsa_2048 
    certificate ca ej ca-url http://192.51.100.9:8080/ejbca/publicweb/apply/scep/test/pkiclient.exe 
    certificate ca ej use-post true
    Note

    The values mentioned are for example only.

  5. Use SCP to upload the Root CA certificate to: /intflash/shared/certs.
  6. Install the Root CA certificate:
    certificate ca WORD<1-45> install-file root-ca-filename WORD<1-80>
  7. Authenticate the CA:
    certificate ca WORD<1-45> action caauth
  8. Enroll the subject certificate by the CA:
    certificate ca WORD<1-45> action enroll
  9. Install the certificate:
    certificate ca WORD<1-45> action install
  10. Optional: If the certificate expires, remove the enrolled subject certificate:
    certificate ca WORD<1-45> action remove
  11. Optional: To obtain the new certificate before the old certificate expires, enter the following command to renew the certificate:
    certificate ca WORD<1-45> action renew

    The Certificate Authority generates a new certificate for the subject.

Install an Offline CA Certificate

Use the following procedure as an example to install an offline CA certificate.

About this task

In the following commands, the variable WORD<1-80> refers to the certificate filename.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Configure the subject:
    certificate subject common-name 822-pki
    certificate subject e-mail client1@extremenetworks.com
    certificate subject unit Engineering
    certificate subject organization ExtremeNetworks
    certificate subject locality Salem
    certificate subject province Massachusetts
    certificate subject country US
    certificate subject subject-name 822
    Note

    The values mentioned are for example only.

  3. Generate the certificate signing request to support multiple subject identities on the switch:
    certificate generate-csr subject-name WORD<1-45> key-name WORD<1-64>
    #certificate generate-csr subject-name 823 key-name mimi 
    Switch:1(config)#1 2021-02-02T13:57:39.716Z VSP-8284XSQ CP1 - 0x003a8635 - 00000000 GlobalRouter DIGITALCERT 
    INFO Generate CSR For Digital Certificate successful!
    
  4. Use the generated CSR file to enroll the certificate on the server.
  5. Use SCP to upload the enrolled certificate along with Root certificate and all intermediary certificates to:

    /intflash/shared/certs/

  6. Install the Root CA certificate:
    certificate install-file offline-root-ca-filename WORD<1-80>
    Note

    If the subject certificate is issued directly by the Root CA, Steps 7 and 8 are optional. If the subject certificate is issued by an Intermediate CA, Steps 7 and 8 are mandatory, and every Intermediate CA in the chain between the Root and the Subject must be installed using these steps.

  7. Copy and paste the Intermediate CA certificate to:

    /intflash/shared/certs/

  8. Install the intermediate CA:

    certificate install-file offline-ca-filename WORD<1-80>

  9. Install the offline subject certificate:
    certificate install-file offline-subject-filename WORD<1-80>
    #certificate install-file offline-subject-filename sd
    
    Error: File Name Not Found in /intflash/shared/certs/ or /intflash/.cert/.offlineCert/
    #certificate install-file offline-subject-filename 823mimi.crt subject-name 823 key-name mimi 
    1 2021-02-02T14:19:01.587Z VSP-8284XSQ CP1 - 0x003a864f - 00000000 GlobalRouter DIGITALCERT INFO 
    Performing OCSP Check For Certificate : 823-mimi
    1 2021-02-02T14:19:01.600Z VSP-8284XSQ CP1 - 0x003a8603 - 00000000 GlobalRouter DIGITALCERT INFO 
    Subject Certificate obtained offline from CA successfully installed
    1 2021-02-02T14:19:01.622Z VSP-8284XSQ CP1 - 0x003a8604 - 00000000 GlobalRouter DIGITALCERT INFO 
    Digital Certificate Module : Configuration Saved
    1 2021-02-02T14:19:01.666Z VSP-8284XSQ CP1 - 0x003a8619 - 00000000 GlobalRouter DIGITALCERT INFO 
    Received OCSP Response with SUCCESS Status!
    

Configuring X.509 V3 certificates for SSH Two Factor Authentication

Note

DEMO FEATURE - Two-Factor Authentication–X.509v3 Certificates for SSH is a demonstration feature on some products. Demonstration features are provided for testing purposes. Demonstration features are for lab use only and are not for use in a production environment. For more information on feature support, see Fabric Engine and VOSS Feature Support Matrix.

Use the following procedure as an example to configure the SSH server on the switch, and the SSH client Secure CRT, for two-factor authentication using X.509 V3 certificates.

Before you begin

The following certificates must be loaded on the SSH server and SSH client:

  • For the Secure CRT (SSH client):
    • subject certificate from the PIV card.

  • For the switch (SSH server):

    • CAC-server.pem - the subject certificate

    • ca.cert.pem - the root CA certificate

    • Self-signedTrustAnchorCertificate.cer - the root CA certificate that signed the intermediate certificate

    • RSA2048IssuingCACertificate.cer - the intermediate certificate signed by the previous root CA, which in turn signed the subject certificate.

About this task

Use the following steps as an example to configure the SSH server on the switch, the RADIUS Windows server, and the SSH client Secure CRT.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Ensure the switch is running in Enhanced Secure Mode:
    Switch:1(config)#show boot config flags
    flags enhancedsecure-mode true
    Note

    This shows a partial output of only the relevant entry.

  3. Ensure the switch clock is synchronized:
    Switch:1#show clock
    System Clock time : Fri Oct 12 19:36:36 2018 UTC
  4. Provision PKI with certificates.

    For information about provisioning PKI with certificates, see the following sections:

X.509 Authentication Username Option Example

Use the following procedure as an example to configure username authentication options using X.509 V3 certificates.

Procedure

  1. Enable X.509 V3 authentication username override:
    Switch:1(config)# ssh x509v3-auth username overwrite

    The switch disregards the username sent by the SSH client and uses the principal name from the client's certificate for authentication. If RADIUS authentication is configured, the username is sent after you type the RADIUS password. For example, if you configure the SSH client with the username "John" and enable x509v3-auth username overwrite on the device, the switch sends the principal name 1403824387@mil to the RADIUS server for authorization.

    Test CAC John Smith
     Issuer: CN=DOD JITC ID CA-49, OU=PKI, OU=DoD, O=U.S. Government, C=US
     NotBefore: 12/19/2017 7:00 PM
     NotAfter: 12/19/2020 6:59 PM
     Subject: CN=SMITH.JOHN.1403824387, OU=USAF, OU=PKI, OU=DoD, O=U.S.
     Government, C=US
     Serial: 019ab3
     SubjectAltName: Other Name:Principal Name=1403824387@mil, Other
     Name:2.16.840.1.101.3.6.6=04 19 d4 f8 10 da 08 26 6c 10 e7 22 e5 83 68 5a 04 0e 44 82 64 5c 85 78 10 93 ee
     Cert: 8066aec3484d3740d7d99ec2f5ed1983365bb1
  2. Enable X.509 V3 authentication username strip:
    Switch:1(config)#ssh x509v3-auth username strip-domain

    If x509v3-auth username strip-domain is configured, the switch sends the principal name without the domain to the RADIUS server for authorization. The username is sent after you type the RADIUS password. For example: if you select the principal name 1403824387@mil, the switch sends the principal name 1403824387, without the domain, to the RADIUS server for authorization.

    Test CAC John Smith
     Issuer: CN=DOD JITC ID CA-49, OU=PKI, OU=DoD, O=U.S. Government, C=US
     NotBefore: 12/19/2017 7:00 PM
     NotAfter: 12/19/2020 6:59 PM
     Subject: CN=SMITH.JOHN.1403824387, OU=USAF, OU=PKI, OU=DoD, O=U.S.
     Government, C=US
     Serial: 019ab3
     SubjectAltName: Other Name:Principal Name=1403824387@mil, Other
     Name:2.16.840.1.101.3.6.6=04 19 d4 f8 10 da 08 26 6c 10 e7 22 e5 83 68 5a 04 0e 44 82 64 5c 85 78 10 93 ee
     Cert: 8066aec3484d3740d7d99ec2f5ed1983365bb129
  3. Enable X.509 V3 authentication username use-domain:
    Switch:1(config)#ssh x509v3-auth username use-domain extreme.com

    If you select the principal name as the username, the switch sends the principal name from the certificate, with the domain configured on the switch, to the RADIUS server for authorization. The username is sent after you type the RADIUS password. For example: if you configure use-domain “extreme.com” on the switch and you configure the username to be the principal name 1403824387@mil, the switch sends the username 1403824387@extreme.com to the RADIUS server for authorization.

    Test CAC John Smith
     Issuer: CN=DOD JITC ID CA-49, OU=PKI, OU=DoD, O=U.S. Government, C=US
     NotBefore: 12/19/2017 7:00 PM
     NotAfter: 12/19/2020 6:59 PM
     Subject: CN=SMITH.JOHN.1403824387, OU=USAF, OU=PKI, OU=DoD, O=U.S.
     Government, C=US
     Serial: 019ab3
     SubjectAltName: Other Name:Principal Name=1403824387@mil, Other
     Name:2.16.840.1.101.3.6.6=04 19 d4 f8 10 da 08 26 6c 10 e7 22 e5 83 68 5a 04 0e 44 82 64 5c 85 78 10 93 ee
     Cert: 8066aec3484d3740d7d99ec2f5ed1983365bb129
  4. RADIUS server not configured:
    If no RADIUS server is configured, authorization of the username falls back to the local user database on the switch, so you must configure the usernames on the switch. You are prompted for the password. For example: if you select the principal name 1403824387@mil, the switch authorizes the username locally as 1403824387@mil, or as 1403824387 if strip-domain is enabled.
    Test CAC John Smith
     Issuer: CN=DOD JITC ID CA-49, OU=PKI, OU=DoD, O=U.S. Government, C=US
     NotBefore: 12/19/2017 7:00 PM
     NotAfter: 12/19/2020 6:59 PM
     Subject: CN=SMITH.JOHN.1403824387, OU=USAF, OU=PKI, OU=DoD, O=U.S.
     Government, C=US
     Serial: 019ab3
     SubjectAltName: Other Name:Principal Name=1403824387@mil, Other
     Name:2.16.840.1.101.3.6.6=04 19 d4 f8 10 da 08 26 6c 10 e7 22 e5 83 68 5a 04 0e 44 82 64 5c 85 78 10 93 ee
     Cert: 8066aec3484d3740d7d99ec2f5ed1983365bb129
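The username mapping described in the four cases above, written out as an added example that is not part of the original procedure or the switch software. It parses the certificate dump format shown above (a constructed copy of it is embedded) and derives the name the switch would send to RADIUS, or check locally, for each x509v3-auth username option; the precedence when use-domain and strip-domain are both set is an assumption, not something the page states.

```python
import re
from typing import Optional, Set

# Constructed sample in the same layout as the certificate dumps above.
SAMPLE_DUMP = """Test CAC John Smith
 Issuer: CN=DOD JITC ID CA-49, OU=PKI, OU=DoD, O=U.S. Government, C=US
 Subject: CN=SMITH.JOHN.1403824387, OU=USAF, OU=PKI, OU=DoD, O=U.S. Government, C=US
 SubjectAltName: Other Name:Principal Name=1403824387@mil, Other Name:2.16.840.1.101.3.6.6=04 19 d4 f8
"""

# The principal name (UPN) lives in the SubjectAltName otherName, not in the Subject CN.
PRINCIPAL_RE = re.compile(r"Principal Name=([^,\s]+)")


def principal_name(dump: str) -> str:
    """Return the Principal Name from the SubjectAltName line, or fail loudly."""
    match = PRINCIPAL_RE.search(dump)
    if not match:
        raise ValueError("certificate carries no Principal Name in SubjectAltName")
    return match.group(1)


def radius_username(client_username: str, dump: str, overwrite: bool = False,
                    strip_domain: bool = False, use_domain: Optional[str] = None) -> str:
    """Derive the username sent to the RADIUS server.

    overwrite     -> ignore the SSH client's username, use the certificate UPN
    strip_domain  -> drop everything after '@'
    use_domain    -> replace the UPN domain with the switch-configured domain
    Assumption (not stated on the page): use-domain takes precedence over strip-domain.
    """
    if not overwrite:
        return client_username          # client-supplied name is passed through unchanged
    upn = principal_name(dump)
    local, _sep, _domain = upn.partition("@")
    if use_domain:
        return f"{local}@{use_domain}"
    if strip_domain:
        return local
    return upn


def local_authorizes(dump: str, configured_users: Set[str], strip_domain: bool = False) -> bool:
    """Step 4: with no RADIUS server, the derived name must exist in the local user database."""
    upn = principal_name(dump)
    candidate = upn.partition("@")[0] if strip_domain else upn
    return candidate in configured_users
```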

Install Online Certificates for Fabric Extend with IPsec

Use the following procedure as an example to install subject certificates for switches that use Fabric Extend with IPsec. After you complete the certificate configuration, you must configure the IPsec authentication method for the Fabric Extend tunnel. For more information about IPsec configuration, see IPsec configuration using CLI. For more information about Fabric Extend, see Fabric Extend configuration using the CLI.

Note

The values mentioned are for example only.

Before you begin

Configure the Fabric Extend tunnels between the branch and hub switches.

Procedure

  1. Configure the CA instance:
    Switch:1(config)#certificate ca aaa common-name CaAaa
    Switch:1(config)#certificate ca aaa key-name rsa_2048 
    Switch:1(config)#certificate ca aaa ca-url http://192.0.2.9:8080/ejbca/publicweb/apply/scep/test/pkiclient.exe 
    Switch:1(config)#certificate ca aaa use-post true
    Switch:1(config)#certificate ca aaa sha256-fingerprint EEA68F35CC6195CBB038073F520AA385A5A78F42
    
  2. Authenticate the CA TrustPoint:
    Switch:1(config)# certificate ca aaa action caauth
    1 2020-06-10T15:07:16.814Z XA1440 CP1 - 0x003a863d - 00000000 GlobalRouter DIGITALCERT INFO Sent SCEP Request To CA : aaa
    1 2020-06-10T15:07:16.921Z XA1440 CP1 - 0x003a8615 - 00000000 GlobalRouter DIGITALCERT INFO Received SCEP Response With SUCCESS status!
    1 2020-06-10T15:07:16.924Z XA1440 CP1 - 0x003a860e - 00000000 GlobalRouter DIGITALCERT INFO CA Certificate obtained online successfully installed
    1 2020-06-10T15:07:16.929Z XA1440 CP1 - 0x003a863d - 00000000 GlobalRouter DIGITALCERT INFO Sent SCEP Request To CA : aaa
    1 2020-06-10T15:07:17.218Z XA1440 CP1 - 0x003a8615 - 00000000 GlobalRouter DIGITALCERT INFO Received SCEP Response With SUCCESS status!
    1 2020-06-10T15:07:17.235Z XA1440 CP1 - 0x003a864f - 00000000 GlobalRouter DIGITALCERT INFO Performing OCSP Check For Certificate : CaAaa
    1 2020-06-10T15:07:17.430Z XA1440 CP1 - 0x003a8619 - 00000000 GlobalRouter DIGITALCERT INFO Received OCSP Response with SUCCESS Status!
    1 2020-06-10T15:07:17.432Z XA1440 CP1 - 0x003a8610 - 00000000 GlobalRouter DIGITALCERT INFO Get CA Certificate Successful!
    1 2020-06-10T15:07:17.433Z XA1440 CP1 - 0x003a8604 - 00000000 GlobalRouter DIGITALCERT INFO Digital Certificate Module : Configuration Saved
    
  3. Enroll the subject certificate by the CA and install it:
    Switch:1(config)#certificate ca aaa action enroll 
    
     Enter the Challenge Password: ****
    1 2020-06-10T15:12:01.715Z XA1440 CP1 - 0x003a861b - 00000000 GlobalRouter DIGITALCERT INFO Enroll Digital Certificate With SUCCESS Status!
    1 2020-06-10T15:12:01.715Z XA1440 CP1 - 0x003a8604 - 00000000 GlobalRouter DIGITALCERT INFO Digital Certificate Module : Configuration Saved
    Switch:1(config)#certificate ca aaa action install 
    Switch:1(config)#show certificate cert-type online-subject-cert 
    
    CERT table entry
    Certificate Type                :   Online Subject Certificate
    VersionNumber                   :   X.509 v3
    SerialNumber                    :   22420c203796db8e
    IssuerName                      :   CN:CaAaa, EM:, OU:, O:, L:, P:, C:
    ValidityPeriodNotBefore         :   03/09/2020 16:12:10
    ValidityPeriodNotAfter          :   03/09/2023 16:12:10
    CertificateSignatureAlgorithm   :   sha256withRSAEncryption
    CertificateSignature            :   <signature value omitted>
    Subject                         :   CN:Branch1, EM:, OU:, O:, L:, P:, C:
    SubjectPublicKeyAlgorithm       :   rsaEncryption
    SubjectPublicKey                :   <public key value omitted>
    HasBasicConstraint              :   1
    HasKeyUsage                     :   1
    IsCa                            :   1
    KeyUsage                        :   117 digitalSignature  keyEncipherment  keyAgreement  keyCertSign  cRLSign 
    ExtendedKeyUsage                :   TLS Web Client Authentication, OCSP Signing, TLS Web Server Authentication, 
    CDPUrl                          :   http://198.51.100.1:8080/ejbca/publicweb/webdist/certdist?cmd=crl&issuer=CN=CaAaa
    OCSPUrl                         :   http://198.51.100.1:8080/ejbca/publicweb/status/ocsp
    
  4. Configure the IPsec authentication-method:
    Switch:1(config-isis-1-192.0.2.74)#ipsec auth-method rsa-sig