Install the Certificate

About this task

Use this procedure to install the following:

  • certificate authority (CA) certificate

  • root CA certificates

  • subject certificates

  • Certificate Revocation List (CRL) file obtained offline from the CA

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Install the offline CA certificate:

    certificate install-file offline-ca-filename WORD<1-80>

  3. Install the CRL offline file:

    certificate install-file offline-crl-filename WORD<1-80>

  4. Install the root CA offline certificate:

    certificate install-file offline-root-ca-filename WORD<1-80>

  5. Install the subject offline certificate:

    certificate install-file offline-subject-filename WORD<1-80> [relaxed] [key-name WORD<1-45>] [subject-name WORD<1-45>]

    Note

    To obtain the offline subject certificate, you must first generate a certificate signing request (CSR).

  6. Optional: Install the subject offline certificate in PKCS12 format:

    certificate install-file offline-subject-filename WORD<1-80> relaxed pkcs12-password WORD<1-128>

Example

Install the offline subject certificate:

Switch:1>enable
Switch:1#configure terminal
Switch:1#certificate install-file offline-subject-filename 823pki.crt subject-name 823 key-name pki
1 2021-02-02T14:19:01.587Z Switch CP1 - 0x003a864f - 00000000 GlobalRouter DIGITALCERT INFO Performing OCSP Check For Certificate : 823-pki
1 2021-02-02T14:19:01.600Z Switch CP1 - 0x003a8603 - 00000000 GlobalRouter DIGITALCERT INFO Subject Certificate obtained offline from CA successfully installed
1 2021-02-02T14:19:01.622Z Switch CP1 - 0x003a8604 - 00000000 GlobalRouter DIGITALCERT INFO Digital Certificate Module : Configuration Saved
1 2021-02-02T14:19:01.666Z Switch CP1 - 0x003a8619 - 00000000 GlobalRouter DIGITALCERT INFO Received OCSP Response with SUCCESS Status!

The following output displays the CA name derived from the subject name and the key name. You use this entry when you configure a specific application to use a specific CA identity.

#show certificate ca 

CA table entry
Name                      :   823-pki[auto-installed]
CommonName                :   CaA2-1
KeyName                   :   pki
SubjectName               :   823
CaUrl                     :   
UsePost                   :   0
SubjectCertValidityDays   :   0
Action                    :   (null)
LastActionStatus          :   (null)
LastActionFailureReason   :   
CA-Auth Sha256Fingerprint :   
UsedFor                   :   

Variable Definitions

The following table defines parameters for the certificate install-file command.

Variable
    Definition

offline-ca-filename WORD<1-80>
    Specifies the certificate authority (CA) file name obtained from the CA.

offline-crl-filename WORD<1-80>
    Specifies the CRL file obtained from the CA.

offline-root-ca-filename WORD<1-80>
    Specifies the root CA file name obtained from the CA.

offline-subject-filename WORD<1-80>
    Specifies the subject certificate file name obtained from the CA.

relaxed [pkcs12-password WORD<1-128>]
    Note: Exception: Not supported on VSP 8600 Series.

    Uses the relaxed mode for offline subject certificate installation for less restrictive consistency checks.

    You can also install a PKCS12 format certificate and secret key in relaxed mode. WORD<1-128> is the password to extract the PKCS12 container. If you do not include this parameter, the supported format is Distinguished Encoding Rules (DER).

key-name WORD<1-45>
    Note: Exception: Not supported on VSP 8600 Series.

    Refers to the key name of the generated key-pair.

subject-name WORD<1-45>
    Note: Exception: Not supported on VSP 8600 Series.

    Refers to the subject identity name.
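
A pre-flight check for steps 5 and 6, added here as an example and not taken from the vendor documentation: this Python code inspects the leading DER structure of a subject file to tell DER-encoded X.509 data from a PKCS12 container or PEM text, then builds the matching install command with the length limits from the table above. The function names, the sample bytes and the file name id.p12 are assumptions made for illustration.

```python
# Added example; helper names are hypothetical and the sample bytes are constructed.
def read_tlv(buf, pos=0):
    """Parse one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short form: the byte is the length
        start, length = pos + 2, first
    else:                                 # long form: low 7 bits count the length bytes
        n = first & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("indefinite or oversized length is not valid DER")
        start = pos + 2 + n
        length = int.from_bytes(buf[pos + 2:start], "big")
    if start + length > len(buf):
        raise ValueError("value runs past end of file")
    return tag, start, start + length

def classify(data):
    """Return 'pem', 'pkcs12', 'der-x509' or 'unknown' for raw file content."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return "pem"
    try:
        tag, start, end = read_tlv(data)
        if tag != 0x30 or end != len(data):   # outer SEQUENCE must span the whole file
            return "unknown"
        inner, istart, iend = read_tlv(data, start)
    except (ValueError, IndexError):          # truncated or malformed input
        return "unknown"
    if inner == 0x02 and data[istart:iend] == b"\x03":
        return "pkcs12"                       # a PFX begins with INTEGER version 3
    # Certificates and CRLs both begin with a nested SEQUENCE (the to-be-signed part).
    return "der-x509" if inner == 0x30 else "unknown"

def install_command(filename, data, password=None):
    """Build the subject-certificate install command that matches the file format."""
    if not 1 <= len(filename) <= 80 or any(c.isspace() for c in filename):
        raise ValueError("file name must be one word of 1-80 characters")
    kind = classify(data)
    base = "certificate install-file offline-subject-filename " + filename
    if kind == "der-x509":
        return base
    if kind == "pkcs12":
        if password is None or not 1 <= len(password) <= 128:
            raise ValueError("PKCS12 needs a password of 1-128 characters")
        return base + " relaxed pkcs12-password " + password
    raise ValueError("unsupported format (%s): DER or PKCS12 expected" % kind)

SAMPLE_DER = bytes.fromhex("30063004a0020500")  # constructed skeleton, not a real certificate
SAMPLE_P12 = bytes.fromhex("30050201033000")    # constructed skeleton, not a real PFX
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
```

The check looks only at the outer structure, so it catches a PEM file or a private key uploaded by mistake but does not validate signatures, validity dates or the certificate chain.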