configure ssl certificate pregenerated

configure ssl certificate pregenerated{ {csr-cert}pregenerated {ocsp {on | off}}}

Description

Obtains the pre-generated certificate from the user.

Syntax Description

ssl SSL.
certificate Certificate.
csr-cert Specifies the SSL/TLS certificate signed through CSR generated by switch. Trust chain verification performed during configuration. Only use this option for CSR-signed certificates.
pregenerated Specifies already having a certificate or private key in Privacy Enhanced Mail (PEM) format.
ocsp Specifies Online Certificate Status Protocol (OCSP). This option is only available if you have selected CSR-signed certificates.
on Enables OCSP for SSL/TLS certificate signed through CSR generated by the switch.
off Disables OCSP for SSL/TLS certificate signed through CSR generated by the switch (default).

Default

For CSR-signed certificates, OCSP is off by default.

Usage Guidelines

You must upload or generate a certificate for SSL server use. With this command, you copy and paste the certificate into the command line followed by a blank line to end the command. The following security algorithms are supported:
  • RSA for public key cryptography (generation of certificate and public-private key pair, certificate signing). RSA key size between 2,048 and 4,096 bits.
  • Symmetric ciphers (for data encryption): RC4, DES, and 3DES.
  • Message Authentication Code (MAC) algorithms: RSA Data Security, Inc. MD5 Message-Digest Algorithm and SHA.

This command is also used when downloading or uploading the configuration. Do not modify the certificate stored in the uploaded configuration file because the certificate is signed using the issuer's private key.

The certificate and private key file should be in PEM format and generated using RSA as the cryptography algorithm.

Only use the csr-cert option for CSR-signed certificates.

When a certificate is imported using this csr-cert option, mandatory trust chain verification and optional revocation check is performed. For a successful import, both verifications should pass. ExtremeXOS supports the revocation checking using the OCSP library. During the import of the switch certificate, if it is with csr-cert option, then if the trust chain verification passes, then the revocation status of the switch certificate and a maximum of 5 intermediate CA certificates (total of 6 certificates). When OCSP on is chosen, a revocation check is performed. The certificate is accepted only when revocation status is good for all certificates (switch and a maximum of 5 intermediate CA). If the revocation status is anything other than good (including unable to connect, no response, revoked, unknown) for any of the above certificates, then that certificate import is rejected. It can be imported though, by selecting OCSP as off.

Example

The following command obtains the pre-generated certificate from the user:

configure ssl certificate pregenerated

Next, you open the certificate, and then copy and paste the certificate into the console/Telnet session, followed by a blank line to end the command.

History

This command was first available in the ExtremeXOS 11.2 and supported with the SSH module.

As of ExtremeXOS 21.1, the SSH XMOD is part of the base image and not available as a separate XMOD module.

Ability to configure CSR-signed certificates was added in ExtremeXOS 31.2.

Platform Availability

This command is available on ExtremeSwitching X435, X440-G2, X450-G2, X460-G2, X465, X590, X620, X670-G2, X690, X695, X870, 5320, 5420, and 5520 series switches.