download ssl certificate

download ssl ipaddress certificate {ssl-cert | trusted-ca | ocsp-signature-ca | {csr-cert {ocsp [on | off]}} file_name

Description

Permits downloading of certificate file(s) from files stored on a TFTP server.

Syntax Description


`ipaddress`	Specifies the IP address of the TFTP server.
ssl-cert	Specifies SSL/TLS certificate (default).
trusted-ca	Specifies CA certificates.
ocsp-signature-ca	Specifies signature CA files.
`file_name`	Specifies the name of the certificate file.
csr-cert	Specifies an SSL/TLS certificate signed through a Certificate Signing Request (CSR) generated by the switch. Trust chain verification is performed during download.
ocsp	Specifies using or not using Online Certificate Status Protocol (OCSP) for certificate checking.
on	Enables OCSP for SSL/TLS certificate signed through CSR generated by switch.
off	Disables OCSP for SSL/TLS certificate signed through CSR generated by switch (off).

Default

If no option is selected, SSL/TLS certificate (ssl-cert) is the default.

By default, OCSP is disabled.

Usage Guidelines

If the download operation is successful, any existing certificate is overwritten. For SSL/TLS certificates, after a successful download, the software attempts to match the public key in the certificate against the private key stored. If the private and public keys do not match, the switch displays a warning message similar to the following: Warning: The Private Key does not match with the Public Key in the certificate. This warning acts as a reminder to also download the private key.

Note

You can only download a certificate key in the VR-Mgmt virtual router.

Downloaded certificates and keys are not saved across switch reboots unless you save your current switch configuration. After you issue the save command, the downloaded certificate is stored in the configuration file and the private key is stored in the EEPROM.

You can purchase and obtain SSL certificates from Internet security vendors.

Remote IP Address Character Restrictions

This section provides information about the characters supported by the switch for remote IP addresses.

When specifying a remote IP address, the switch permits only the following characters:

Alphabetical letters, upper case and lower case (A-Z, a-z).
Numerals (0-9).
Period ( . ).
Colon ( : ).

When configuring an IP address for your network server, remember the requirements listed above.

Remote File Name Character Restrictions

This section provides information about the characters supported by the switch for remote file names.

When specifying a remote file name, the switch permits only the following characters:

Alphabetical letters, upper case and lower case (A-Z, a-z).
Numerals (0-9).
Period ( . ).
Dash ( - ).
Underscore ( _ ).
Slash ( / ).

When naming a remote file, remember the requirements listed above.

Example

The following command downloads a certificate from a TFTP server with the IP address of 123.45.6.78:

# download ssl 123.45.6.78 certificate g0ethner1

The following command downloads a trusted-ca certificate:

# download ssl 10.120.89.79 certificate trusted-ca cacert.pem

The following command downloads an ocsp-signature-ca certificate:

# download ssl 10.120.89.79 certificate ocsp-signature-ca oscrcert.pem

History

This command was first available in the ExtremeXOS 11.2 and supported with the SSH module.

The trusted-ca and ocsp-signature-ca options were added in ExtremeXOS 22.1.

The csr-cert and ocsp were added in ExtremeXOS 31.2.

Platform Availability

This command is available on ExtremeSwitching X435, X440-G2, X450-G2, X460-G2, X465, X590, X620, and X695 series switches.