Configuration Examples
This section shows an example of the tasks you can use to configure certificates and CRLs on the Cisco MDS 9000 Family switches using the Microsoft Windows Certificate server. This section includes the following topics:
To configure certificates on an MDS switch, follow these steps:
- Choose Switches and set the LogicalName field to configure the switch host name.
- Choose Switches > Interfaces > Management > DNS and set the DefaultDomainName field to configure.
- To create an RSA key-pair for the switch, follow these steps:
- To create a trust point and associate the RSA key-pairs with it, follow these steps:
- Choose Switches > Copy Configuration and click Apply Changes to copy the running to startup configuration and save the trustpoint and key pair.
- Download the CA certificate from the CA that you want to add as the trustpoint CA.
- To authenticate the CA that you want to enroll to the trust point, follow these steps:
- Using Device Manager, choose Admin > Flash Files, select Copy, and use TFTP to copy the CA certificate to bootflash.
- Using DCNM-SAN, choose Switches > Security > PKI and select the TrustPoint Actions tab.
- Select cauth from the Command drop-down menu.
- Click ... in the URL field and select the CA certificate from bootflash.
- Click Apply Changes to authenticate the CA that you want to enroll to the trust point.
- Click the Trust Point Actions tab in the Information Pane.
- Make a note of the CA certificate fingerprint displayed in the IssuerCert FingerPrint column for the trust point row in question. Compare the CA certificate fingerprint with the fingerprint already communicated by the CA (obtained from the CA web site). If the fingerprints match exactly, accept the CA by performing the certconfirm trust point action. Otherwise, reject the CA by performing the certnoconfirm trust point action.
- If you select certconfirm in step g, click the Trust Point Actions tab, select certconfirm from the command drop-down menu, and then click Apply Changes.
- If you select certnoconfirm in step g, click the Trust Point Actions tab, select certnoconfirm from the command drop-down menu, and then click Apply Changes.
- To generate a certificate request for enrolling with that trust point, follow these steps:
- Click the Trust Point Actions tab in the Information pane.
- Select certreq from the Command drop-down menu. This generates a PKCS#10 certificate signing request (CSR) needed for an identity certificate from the CA corresponding to this trust point entry.
- Enter the output file name for storing the generated certificate request. It should be specified in the bootflash:filename format and will be used to store the CSR generated in PEM format.
- Enter the challenge password to be included in the CSR. The challenge password is not saved with the configuration. This password is required in the event that your certificate needs to be revoked, so you must remember this password.
- Click Apply Changes to save the changes.
- Request an identity certificate from the CA.
Note: The CA may require manual verification before issuing the identity certificate.
- To import the identity certificate, follow these steps:
- Using Device Manager, choose Admin > Flash Files, select Copy, and use TFTP to copy the identity certificate to bootflash.
- Using DCNM-SAN, choose Switches > Security > PKI and click the TrustPoint Actions tab.
- Select the certimport option from the Command drop-down menu to import an identity certificate in this trust point.
Note: The identity certificate should be available in PEM format in a file in bootflash.
- Enter the name of the certificate file which was copied to bootflash, in the URL field in the bootflash:filename format.
- Click Apply Changes to save your changes.
If successful, the identity certificate and its related objects, such as the certificate file name, are automatically updated to match the corresponding attributes in the imported identity certificate.
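The fingerprint comparison in the CA authentication steps above is the check that keeps an untrusted CA out of the trust point, so it is worth doing mechanically rather than by eye. The following added example (not Cisco's code and not part of this guide) computes a PEM certificate's fingerprint in the colon-separated form a CA web site typically publishes, compares it against the published value, and returns which trust point action (certconfirm or certnoconfirm) to take. The PEM block is a constructed stand-in whose body encodes the bytes "abc" rather than a real certificate, and the hash algorithm is an assumption, since the guide does not state which digest the IssuerCert FingerPrint column shows.

```python
"""Decide the trust point action from a CA certificate fingerprint.

Added example, not Cisco's code. Mirrors the manual step of comparing the
IssuerCert FingerPrint shown by DCNM-SAN with the fingerprint the CA published.
"""
import base64
import hashlib
import hmac
import re

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Constructed stand-in for a CA certificate: the body is base64 of b"abc",
# not a real certificate, so the resulting hash is easy to verify by hand.
SAMPLE_CA_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in PEM text."""
    match = _PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def fingerprint(pem_text: str, algo: str = "sha1") -> str:
    """Hash the DER encoding and format it as AA:BB:CC:... (assumed algo)."""
    digest = hashlib.new(algo, pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Strip colons, spaces and case so fingerprints from different tools compare."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def decide_trustpoint_action(pem_text: str, published_fp: str,
                             algo: str = "sha1") -> str:
    """Return 'certconfirm' only on an exact match, otherwise 'certnoconfirm'."""
    computed = normalize(fingerprint(pem_text, algo))
    expected = normalize(published_fp)
    # Length mismatch means a different digest was published; never accept.
    if len(computed) != len(expected):
        return "certnoconfirm"
    return "certconfirm" if hmac.compare_digest(computed, expected) else "certnoconfirm"


if __name__ == "__main__":
    print(fingerprint(SAMPLE_CA_PEM))
```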
Copyright 2010-2013, Cisco Systems, Inc. All rights reserved.