You can import a TLS server certificate and its private key (as a PKCS12 bundle) to an SLX device that has no trust point configured, and then use it to establish secure HTTPS or SSH (X.509v3) connections.
The process below covers importing the certificate and key and then activating them for the secure connection.
Remove any existing certificate and key from the device:
device# no crypto ca import <trustpoint-name> certificate cert-type <https|ssh-x509v3>
device# no crypto ca authenticate <trustpoint-name> cert-type <https|ssh-x509v3>
device# config
Entering configuration mode terminal
device(config)# crypto ca trustpoint <trustpoint-name>
device(config-ca-t1)# no keypair
device(config-ca-t1)# exit
device(config)# no crypto ca trustpoint <trustpoint-name>
device(config)# no crypto key label <key-name>
device(config)# end
device#
Ensure that the certificate to be imported is well formed: a valid, correctly signed certificate that has not expired and has not been tampered with.
Check the start of the certificate's validity period with: openssl x509 -noout -text -in tlscert.pem | grep 'Not Before'
The clock on the device must be later than this time, or the import will fail.
Use the crypto ca import-pkcs command to pull the PKCS12 bundle (certificate plus private key) from an external SCP or FTP server. Note that the server password, and the optional PKCS12 export passphrase, are given on the command line:
crypto ca import-pkcs type <pkcs12> cert-type <ssh-x509v3|https> directory <dir-name> file <file-name> host <host-name/ip> protocol <SCP|FTP> user <user-name> password <scp-password> [pkcs-passphrase <pkcs export password>] [use-vrf <vrf name>]
The imported certificate is validated against several parameters, and an error message is generated if it is invalid. For example, the certificate is checked against its Not Before and Not After values: if the device time is not within that range, validation fails and an error message is generated.
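The Not Before check above, and the Not Before/Not After window the device enforces at import, can both be run on the admin workstation before the bundle is copied to the device. The script below is an added example and is not part of the SLX documentation: it unpacks a PKCS12 bundle with the export passphrase that will later be given as pkcs-passphrase, checks the certificate's validity window at a chosen clock value (so a device whose clock is behind or ahead can be simulated with openssl's -attime), and confirms that the private key matches the certificate. The file names, the passphrase export-secret and the CN slx.example.test are assumptions, and the sample bundle is constructed, self-signed test input generated by the script itself. It assumes a POSIX shell and OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Added pre-import check for a PKCS12 bundle destined for an SLX device.
# Example code, not from the SLX documentation. Assumes POSIX sh and openssl 1.1.0+.
set -u

# slx_pkcs12_precheck BUNDLE PASSPHRASE [DEVICE_EPOCH]
# Returns 0 if the bundle unpacks with PASSPHRASE, its certificate is inside its
# Not Before / Not After window at DEVICE_EPOCH (default: this host's clock),
# and the bundled private key matches the certificate. Otherwise returns 1.
slx_pkcs12_precheck() {
  bundle=$1; pass=$2; at=${3:-$(date +%s)}
  work=$(mktemp -d) || return 1
  rc=0
  # 1. Structure and export passphrase: this is the value pkcs-passphrase must match.
  if ! openssl pkcs12 -in "$bundle" -passin "pass:$pass" -nokeys -clcerts \
        -out "$work/cert.pem" 2>/dev/null; then
    echo "FAIL: bundle does not unpack with that passphrase" >&2; rc=1
  elif ! openssl pkcs12 -in "$bundle" -passin "pass:$pass" -nocerts -nodes \
        -out "$work/key.pem" 2>/dev/null; then
    echo "FAIL: no private key in bundle" >&2; rc=1
  # 2. Validity window as the device will see it: -attime stands in for the device clock,
  #    so a clock earlier than Not Before reports "certificate is not yet valid".
  elif ! openssl verify -attime "$at" -partial_chain -CAfile "$work/cert.pem" \
        "$work/cert.pem" >/dev/null 2>&1; then
    echo "FAIL: certificate not valid at epoch $at:" >&2
    openssl x509 -in "$work/cert.pem" -noout -dates >&2; rc=1
  # 3. Key/certificate pairing: compare the public key from each side.
  elif ! { openssl x509 -in "$work/cert.pem" -noout -pubkey > "$work/a.pem" &&
           openssl pkey -in "$work/key.pem" -pubout > "$work/b.pem" 2>/dev/null &&
           cmp -s "$work/a.pem" "$work/b.pem"; }; then
    echo "FAIL: private key does not match certificate" >&2; rc=1
  else
    echo "OK:"; openssl x509 -in "$work/cert.pem" -noout -subject -dates
  fi
  rm -rf "$work"
  return $rc
}

# make_test_bundle DIR: constructed sample input (assumed names), a self-signed
# server certificate valid for 365 days from now, packaged as DIR/slx.p12 with the
# export passphrase "export-secret".
make_test_bundle() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=slx.example.test" \
      -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1 &&
  openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
      -name slx-https -passout pass:export-secret -out "$dir/slx.p12" 2>/dev/null
}

# Usage: build the sample bundle, then check it against this host's clock and
# against a device clock that is 400 days behind (fails on Not Before).
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  make_test_bundle "$d"
  slx_pkcs12_precheck "$d/slx.p12" export-secret
  slx_pkcs12_precheck "$d/slx.p12" export-secret "$(( $(date +%s) - 400 * 86400 ))"
  rm -rf "$d"
fi
```

Run it as sh precheck.sh demo; the second call fails, which is what the device would report if its clock were set before the certificate's Not Before. Pass the real bundle and passphrase to slx_pkcs12_precheck before starting the crypto ca import-pkcs transfer.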
Import of an HTTPS certificate is not complete until you restart the HTTP server in the VRF it uses, by shutting it down and bringing it back up:
device# configure terminal
Entering configuration mode terminal
device(config)# http server use-vrf <VRF Name> sh
device(config)# no http server use-vrf <VRF Name> sh
device(config)# end
device#
Import of an SSH X.509v3 certificate is not complete until you select an X.509v3 host-key algorithm and point the SSH server certificate profile at the imported PKCS12 trust point:
device# configure terminal
Entering configuration mode terminal
device(config)# ssh server algorithm hostkey {x509v3-ssh-rsa | x509v3-rsa2048-sha256}
device(config)# ssh server certificate profile server
device(ssh-server-cert-profile-server)# trustpoint sign pkcs12
device(ssh-server-cert-profile-server)# end
device#