Creating Certificate Signing Requests and Private Keys

Secure Socket Layer (SSL) allows you to:

Generate self-signed certificates, which generate private keys and self-signed X509 certificates.
Download SSL private key/certificate using download ssl ipaddress certificate {ssl-cert | trusted-ca | ocsp-signature-ca | {csr-cert {ocsp [on | off]}} file_name command (generally used to download CA signed certificate).
Obtain an SSL private-key/certificate using the configure ssl certificate pregenerated{ {csr-cert}pregenerated {ocsp {on | off}}} command (generally used to obtain the CA signed certificate for copying).

Additionally, you can create certificate signing requests (CSRs)/private key pairs. The CSR can then be taken to a Certificate Authority (CA) for signing. The CA then provides the signed certificate, which can be downloaded to the switch using either of the commands listed previously.

To create a CSR, use the following command:

configure ssl csr privkeylen length country code organization org_name common-name name

To view the CSR any time after creating it, use the following command:

show ssl csr

Note

For enhanced security, the minimum private key length is 2,048 (previously it was 1,024). This length is enforced in both private key/self-signed certificate pairs and private key/CSR pairs.