Creating Certificate Signing Requests and Private Keys
Secure Sockets Layer (SSL) allows you to:
- Generate a self-signed certificate, which creates a private key and a self-signed X.509 certificate.
- Download an SSL private key/certificate using the download ssl ipaddress certificate {ssl-cert | trusted-ca | ocsp-signature-ca | {csr-cert {ocsp [on | off]}}} file_name command (generally used to download a CA-signed certificate).
- Obtain an SSL private-key/certificate using the configure ssl certificate pregenerated{ {csr-cert}pregenerated {ocsp {on | off}}} command (generally used to obtain the CA signed certificate for copying).
Additionally, you can create certificate signing requests (CSRs)/private key pairs. The CSR can then be taken to a Certificate Authority (CA) for signing. The CA then provides the signed certificate, which can be downloaded to the switch using either of the commands listed previously.
To create a CSR, use the following command:
configure ssl csr privkeylen length country code organization org_name common-name name
To view the CSR any time after creating it, use the following command:
show ssl csr

Note
For enhanced security, the minimum private key length is 2,048 (previously it was 1,024). This length is enforced in both private key/self-signed certificate pairs and private key/CSR pairs.
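
Before the CSR is taken to the CA, it can be checked offline. The following is an added example, not part of the original documentation or the vendor's tooling: a shell check using the OpenSSL command line that confirms the CSR's self-signature, the 2,048 minimum key length from the note above, and the common name. It assumes the text shown by show ssl csr is PEM and has been saved to a file; check_csr, make_sample_csr and the subject values are hypothetical, and the sample CSR is constructed locally as a stand-in.

```shell
#!/bin/sh
# Added example: pre-submission checks on a CSR with the OpenSSL CLI.
# Assumption: the CSR text was copied from the switch into a PEM file.

# check_csr FILE MIN_BITS EXPECTED_CN
# Returns 0 only if the CSR's self-signature verifies, its public key is at
# least MIN_BITS long, and its subject carries the expected common name.
check_csr() {
    csr=$1; min_bits=$2; want_cn=$3

    # 1. Self-signature: shows the request was signed by the matching private
    #    key and was not altered afterwards. Match on the message text because
    #    some OpenSSL versions exit 0 even when verification fails.
    if ! openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK'; then
        echo "FAIL: self-signature does not verify" >&2; return 1
    fi

    # 2. Key length, read from the "Public-Key: (N bit)" line of the text dump.
    bits=$(openssl req -in "$csr" -noout -text |
           sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p')
    if [ -z "$bits" ] || [ "$bits" -lt "$min_bits" ]; then
        echo "FAIL: key length ${bits:-unknown} is below $min_bits" >&2; return 1
    fi

    # 3. Subject: RFC 2253 form gives a stable "CN=...,O=...,C=..." layout.
    subj=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253)
    subj=${subj#subject=}
    case ",$subj," in
        *",CN=$want_cn,"*) ;;
        *) echo "FAIL: common name mismatch in '$subj'" >&2; return 1 ;;
    esac
    echo "OK: $bits-bit key, subject $subj"
}

# make_sample_csr FILE BITS CN: constructed stand-in for a switch-generated
# CSR (sample subject values only); writes a throwaway key beside it.
make_sample_csr() {
    openssl req -new -newkey "rsa:$2" -nodes -keyout "$1.key" -out "$1" \
        -subj "/C=US/O=ExampleOrg/CN=$3" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample_csr "$tmp/switch.csr" 2048 switch1.example.com
check_csr "$tmp/switch.csr" 2048 switch1.example.com
rm -rf "$tmp"
```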