crypto ca import-pkcs

Imports a TLS certificate and a private key in PKCS12 format.

Syntax

crypto ca import-pkcs { type pkcs12 cert-type { gNMI-server | https | ldap-client | radius-client | syslog-client } protocol { FTP | SCP } directory dir-name file file-name source-ip source-ip host host-address user user-name password scp-password [ pkcs-passphrase pkcs-export-password ] [ use-vrf vrf-name ] }
no crypto ca import-pkcs type pkcs12 cert-type {gNMI-server | https | ldap-client | radius-client | syslog-client }

Parameters

type pkcs12
Indicates that the private key for the CA certificate is in the pkcs12 format.
cert-type { gNMI-server | https | ldap-client | radius-client | syslog-client }
Indicates the service that uses the certificate: HTTPS or gNMI server authentication. Certificates for the LDAP client, RADIUS client, and syslog client can also be imported and used for authentication.
protocol { FTP | SCP }
Specifies the use of either FTP or SCP protocol for accessing the remote certificate file.
directory dir-name
Defines the remote directory where the certificate resides.
file file-name
Defines the file name of the certificate file in .pfx or .p12 format.
host host-address
Defines the host name or IP address of the remote certificate server.
source-ip source-ip
(SCP only) Specifies the source IP address to use in the header.
user user-name
Defines the user name for the remote certificate server.
password scp-password
Defines the password for the user name on the remote certificate server.
Note

When the password is not provided in the CLI command, the user will be prompted for it when the CLI is executed.
pkcs-passphrase pkcs-export-password
Defines the password used at the creation of the .pfx or .p12 certificate file.
use-vrf vrf-name
Defines the VRF to use to reach the remote certificate server.

Modes

Privileged EXEC mode

Usage Guidelines

Use the following command to import a TLS server certificate and private key (in PKCS12 format) to an SLX device (with no trust point) and establish a secure connection.

Note

Server certificates must be imported on the SLX device before the gNMI server is configured.

CLI Command:

crypto ca import-pkcs type pkcs12 cert-type gNMI-server protocol { FTP | SCP } directory dir-name file file-name source-ip source-ip host host-address user user-name password scp-password [ pkcs-passphrase pkcs-export-password ] [ use-vrf vrf-name ]
crypto ca import-pkcs type pkcs12 cert-type https protocol { FTP | SCP } directory dir-name file file-name source-ip source-ip host host-address user user-name password scp-password [ pkcs-passphrase pkcs-export-password ] [ use-vrf vrf-name ]

Certificates for the following servers can be imported:

  • HTTPS Server

  • gNMI Server

Certificates for the following clients can be imported:

  • LDAP Client

  • RADIUS Client

  • SYSLOG Client

Use the no form of the command to remove a certificate and key.
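
A pre-import check for the .pfx or .p12 file, run with the openssl CLI on the remote certificate server, as an added example that is not vendor code: it confirms that the bundle opens with the value you will pass as pkcs-passphrase and that the certificate and private key belong together. The function names, sample subject, and passphrases are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not vendor code. Runs on the certificate server, not the SLX device.
# Needs the openssl CLI. Subject, file names and passphrases are constructed samples.

# make_sample_p12 DIR PASSPHRASE: build DIR/sample.p12 from a throwaway
# self-signed certificate so check_p12 has a bundle to inspect.
make_sample_p12() {
    P12_PASS=$2; export P12_PASS        # handed to openssl via env, not argv
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=slx.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null || return 1
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -passout env:P12_PASS -out "$1/sample.p12"
}

# check_p12 FILE PASSPHRASE: print "ok" and return 0 only when the bundle opens
# with PASSPHRASE (the value later supplied as pkcs-passphrase), holds a
# certificate plus its matching private key, and the certificate is unexpired;
# otherwise print the reason and return 1.
check_p12() {
    P12_PASS=$2; export P12_PASS
    t=$(mktemp -d) || return 1          # 0700 dir; decrypted key lives here briefly
    r=ok
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts \
        -out "$t/cert.pem" 2>/dev/null || r="cannot open bundle"
    if [ "$r" = ok ]; then
        openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes \
            -out "$t/key.pem" 2>/dev/null || r="cannot extract key"
    fi
    if [ "$r" = ok ]; then              # public key as stated in the certificate
        c=$(openssl x509 -in "$t/cert.pem" -noout -pubkey 2>/dev/null) ||
            r="no certificate in bundle"
    fi
    if [ "$r" = ok ]; then              # public key derived from the private key
        k=$(openssl pkey -in "$t/key.pem" -pubout 2>/dev/null) ||
            r="no private key in bundle"
    fi
    if [ "$r" = ok ] && [ "$c" != "$k" ]; then r="key does not match certificate"; fi
    if [ "$r" = ok ]; then
        openssl x509 -in "$t/cert.pem" -noout -checkend 0 >/dev/null 2>&1 ||
            r="certificate expired"
    fi
    rm -rf "$t"
    echo "$r"
    [ "$r" = ok ]
}

# Stand-alone run against a constructed sample bundle.
d=$(mktemp -d) && make_sample_p12 "$d" 'Sample-Export-Pass' &&
    check_p12 "$d/sample.p12" 'Sample-Export-Pass'
rm -rf "$d"
```

Run check_p12 against the real bundle before issuing the import command; a failure here points at the file or passphrase rather than at the transfer or the device.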

Examples

This example specifies HTTPS authentication and SCP using a VRF named red.

device# crypto ca import-pkcs type pkcs12 cert-type https protocol SCP host 10.70.12.102
user fvt directory /users/crypto file pkcs12cert.p12 password **********
pkcs-passphrase ******** use-vrf red

This example removes an HTTPS certificate and key.

device# no crypto ca import-pkcs type pkcs12 cert-type https

Example

This example specifies gNMI server authentication.

device# crypto ca import-pkcs type pkcs12 cert-type gNMI-server directory /root/gselvaraj/NH217/ file nh217.pfx protocol SCP host 10.24.12.107 user root password *** pkcs-passphrase ***

Example

This example removes the gNMI server certificate and key.

device# no crypto ca import-pkcs type pkcs12 cert-type gNMI-server