Manage an SSL Certificate

Note

For certain switches in enhanced secure mode, all sensitive files are protected. You cannot access any sensitive files using Telnet, SSH, FTP, SFTP, TFTP, and SCP connections. For more information, see Sensitive File Protection.

The TLS server selects a certificate authority (CA)-signed certificate if one is already installed in the Digital Certificate module.

If no server certificate is available, the TLS server generates a new self-signed certificate at startup and uses it by default. You can choose to install an online or offline CA-signed certificate, which takes precedence over the self-signed certificate.

For more information about SSL certificate manipulation, see Certificate Order Priority.

About this task

If a certificate is already present, you must confirm that it can be deleted before the new one is created.

After you create a certificate, the system logs one of the following INFO alarms:

  • New default Server Certificate and Key are generated and installed

  • Current Server Certificate and Key are installed

The default certificate key length for a certificate generated on the switch is 2,048 bits.

Note

The ssl certificate [validity-period-in-days <30-3650>] command in this procedure does not require a system reboot.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Create and install a new self-signed certificate:

    ssl certificate [validity-period-in-days <30-3650>]

  3. Delete a certificate:

    no ssl certificate

    Note

    The certificate loaded in memory remains valid until you use the ssl reset command or reboot the system.
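After running ssl certificate, an operator will normally want to confirm from a management host what the switch's TLS server actually presents: that the certificate is self-signed (or CA-signed, if one was installed), that the key is the expected 2,048 bits, and that its validity period lies in the 30-3650 day range the command accepts. The script below is an added example, not part of the switch documentation or the switch's own software; it needs the openssl CLI and GNU date, and it generates a local self-signed certificate as a constructed stand-in for the one the switch creates. The hostname switch.example.invalid is a placeholder.

```shell
#!/bin/sh
# Added example (not from the switch documentation): inspect an X.509
# certificate the way an operator would after "ssl certificate" on the switch.
# Checks: self-signed (issuer == subject), RSA key bits (switch default 2048),
# validity period in days (the command accepts 30-3650).
# Assumes the openssl CLI and GNU date. The certificate used here is generated
# locally as a stand-in for the switch's self-signed certificate; to inspect a
# real switch, export its certificate first, for example:
#   openssl s_client -connect <switch-ip>:443 </dev/null 2>/dev/null \
#     | openssl x509 > switch.pem
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_sample_cert DAYS BITS OUTFILE
# Constructed self-signed certificate; only mimics the shape of what the
# switch produces, it is not the switch's generator.
make_sample_cert() {
    openssl req -x509 -newkey "rsa:$2" -nodes -days "$1" \
        -subj "/CN=switch.example.invalid" \
        -keyout "$WORK/key.pem" -out "$3" >/dev/null 2>&1
}

# cert_days FILE : validity period (notAfter - notBefore) in whole days
cert_days() {
    start=$(openssl x509 -in "$1" -noout -startdate | sed 's/^notBefore=//')
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    s=$(date -u -d "$start" +%s)
    e=$(date -u -d "$end" +%s)
    echo $(( (e - s) / 86400 ))
}

# cert_key_bits FILE : public key size in bits (OpenSSL 1.1 and 3.x text formats)
cert_key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# cert_is_self_signed FILE : prints yes when issuer and subject are identical
cert_is_self_signed() {
    issuer=$(openssl x509 -in "$1" -noout -issuer)
    subject=$(openssl x509 -in "$1" -noout -subject)
    if [ "${issuer#issuer=}" = "${subject#subject=}" ]; then
        echo yes
    else
        echo no
    fi
}

# check_cert FILE : prints a summary; returns 0 when the certificate has at
# least a 2048-bit key and a validity period within 30-3650 days, else 1
check_cert() {
    days=$(cert_days "$1")
    bits=$(cert_key_bits "$1")
    ss=$(cert_is_self_signed "$1")
    echo "self-signed=$ss key_bits=$bits validity_days=$days"
    if [ "$bits" -ge 2048 ] && [ "$days" -ge 30 ] && [ "$days" -le 3650 ]; then
        return 0
    fi
    return 1
}

# Stand-in for the switch default: 365-day, 2048-bit self-signed certificate.
make_sample_cert 365 2048 "$WORK/switch.pem"
check_cert "$WORK/switch.pem"
```

To check a real switch, replace the make_sample_cert call with a certificate exported via openssl s_client as shown in the header comment; a non-zero exit from check_cert flags a certificate that does not match what the procedure above is expected to produce.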

Variable Definitions

The following table defines parameters for the ssl certificate command.

Variable                             Value

validity-period-in-days <30-3650>    Specifies an expiration time for the certificate. The default is 365 days.