Manually Generating Self-Signed Certificates on Switches (CLI Procedure)
EX Series switches allow you to generate custom self-signed certificates and store them in the file system. The certificate you generate manually can coexist with the automatically generated self-signed certificate on the switch. To enable secure access to the switch over SSL, you can use either the system-generated self-signed certificate or a certificate you have generated manually.
To generate self-signed certificates manually, you must complete the following tasks:
Generating a Public-Private Key Pair on Switches
A digital certificate has an associated cryptographic key pair that is used to sign the certificate digitally. The cryptographic key pair comprises a public key and a private key. When you generate a self-signed certificate, you must provide a public-private key pair that can be used to sign the self-signed certificate. Therefore, you must generate a public-private key pair before you can generate a self-signed certificate.
To generate a public-private key pair:
user@switch> request security pki generate-key-pair certificate-id certificate-id-name
Note: Optionally, you can specify the encryption algorithm and the size of the encryption key. If you do not specify the encryption algorithm and encryption key size, default values are used. The default encryption algorithm is RSA, and the default encryption key size is 1024 bits.
After the public-private key pair is generated, the switch displays the following:
Generating Self-Signed Certificates on Switches
To generate the self-signed certificate manually, include the certificate ID name, the subject of the distinguished name (DN), the domain name, the IP address of the switch, and the e-mail address of the certificate holder:
user@switch> request security pki local-certificate generate-self-signed certificate-id certificate-id-name domain-name domain-name email email-address ip-address switch-ip-address subject subject-of-distinguished-name
The certificate you have generated is stored in the switch's file system. The certificate ID you specified when generating the certificate is a unique identifier that you can use to enable the HTTPS or XNM-SSL services.
To verify that the certificate was generated and loaded properly, enter the show security pki local-certificate operational command.
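The same two-step procedure (key pair first, then a self-signed certificate carrying the subject DN, domain name, IP address and e-mail address), reproduced with OpenSSL on a workstation as an added example; this is not Juniper's code and does not run on the switch. It exists so the shape of the resulting certificate, and the checks you would apply to it (key size, self-signature, subject alternative names), can be inspected offline before the same values are used on the switch. The certificate ID, subject DN, host name, IP address and e-mail address are constructed sample values, and the key size is set explicitly to 2048 bits rather than left at the 1024-bit default mentioned in the note, since a 1024-bit RSA key is below the 2048-bit minimum that current guidance (for example NIST SP 800-57) recommends.

```shell
#!/bin/sh
# Added example, not from the Juniper page: mirror the switch's PKI procedure with OpenSSL.
set -eu

# All generated files go into a scratch directory (constructed, not a switch path).
WORK="${WORK:-$(mktemp -d)}"

# Step 1: generate the public-private key pair.
#   $1 = certificate-id (used as the file name), $2 = RSA key size in bits.
# The switch default is 1024 bits; the caller below passes 2048.
gen_key_pair() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:"$2" \
    -out "$WORK/$1.key" 2>/dev/null
}

# Step 2: generate the self-signed certificate from that key pair.
#   $1 = certificate-id, $2 = subject DN, $3 = domain name, $4 = IP address, $5 = e-mail.
# Domain name, IP and e-mail are placed in the subjectAltName extension, which is where
# TLS clients look for them; the subject DN goes in as given.
gen_self_signed() {
  openssl req -new -x509 -days 365 -key "$WORK/$1.key" -out "$WORK/$1.crt" \
    -subj "$2" \
    -addext "subjectAltName=DNS:$3,IP:$4,email:$5" 2>/dev/null
}

# Verification helpers, the local counterpart of "show security pki local-certificate".

# Print the RSA modulus size of the certificate's public key, in bits.
key_bits() {
  openssl x509 -in "$WORK/$1.crt" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Succeed only if the key meets the 2048-bit minimum.
key_size_ok() {
  [ "$(key_bits "$1")" -ge 2048 ]
}

# Succeed only if the certificate verifies against itself, i.e. it is self-signed.
is_self_signed() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Succeed if the given string (for example "DNS:switch.example.net") appears in the
# certificate's text dump; used to confirm the SAN entries landed.
has_field() {
  openssl x509 -in "$WORK/$1.crt" -noout -text | grep -q "$2"
}

# Constructed sample run: certificate-id "ex1", subject DN, host name, IP, e-mail.
gen_key_pair ex1 2048
gen_self_signed ex1 "/CN=switch.example.net/O=Example" \
  switch.example.net 192.0.2.1 admin@example.net
echo "ex1: key size $(key_bits ex1) bits"
is_self_signed ex1 && echo "ex1: self-signed certificate verifies against its own key"
has_field ex1 "DNS:switch.example.net" && echo "ex1: domain name present in subjectAltName"
```

Run it as-is to see the checks pass on a 2048-bit key; repeat `gen_key_pair` with 1024 and `key_size_ok` fails, which is the condition you want to catch if you rely on the switch's defaults.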