Users Guide

Table Of Contents
Certificate
revocation list
(CRL)
A CA-signed document that contains a list of certificates that are no longer valid, even though they have
not yet expired. For example, when a new certificate is generated for a server, and the old certificate is
no longer supported.
Certificate
signing request
(CSR)
After generating a key pair, a switch signs a request to obtain a certificate using its secret private key,
and sends the request to a certificate authority. The CSR contains information that identifies the switch
and its public key. This public key is used to verify the private signature of the CSR and the distinguished
name (DN) of the switch. A CSR is signed by a CA and returned to a host for use as a signed host
certificate.
Privacy
Enhanced Mail
(PEM)
PKI standard used to format X.509v3 data in a secure message exchange; described in RFC 1421.
Public key
infrastructure
(PKI)
Application that manages the generation of private and public encryption keys, and the download,
installation, and exchange of CA-signed certificates with network devices.
X.509v3 Standard for the public key infrastructure that manages digital certificates and public key encryption.
Public key infrastructure
To use X.509v3 certificates for secure communication and user authentication on OS10 switches in a network, a public key
infrastructure (PKI) with a certificate authority (CA) is required. The CA signs certificates that prove the trustworthiness of
network devices.
When an organization wants to assure customers that the connection to their network is secure, it may pay a commercial
Certificate Authority, such as VeriSign or DigiCert, to sign a certificate for their domain. However, to implement an X.509v3
infrastructure, you can act as your own CA. While acting as your own CA, you can set up CAs to issue certificates to hosts in
the same trusted domain to authenticate each other.
X.509v3 public key infrastructure
To set up a PKI using X.509v3 certificates, Dell EMC Networking recommends:
1. Configure a root CA that generates a private key and a self-signed CA certificate.
2. Configure one or more intermediate CAs that generate a private key and a certificate signing request (CSR), and send the
CSR to the root CA.
Using its private key, the root CA signs an intermediate CAs CSR and generates a CA certificate for the intermediate CA.
The intermediate CA downloads and installs the CA certificate. Afterwards, the intermediate CA can sign certificates for
hosts in the network and for other intermediate CAs that are lower in the PKI hierarchy.
The root and intermediate CA certificates, but not the corresponding private keys, are made publicly available on the
network for network hosts to download.
Whenever possible, store private keys offline or in a location restricted from general access.
3. Generate private keys and create CSRs on OS10 switches using the crypto cert generate request command. A
switch uploads a CSR to an intermediate CA. To store the private key in a local hidden location, Dell EMC Networking
recommends using the key-file private parameter with the command.
4. Download and install a CA certificate on a host using the crypto ca-cert install command. After you install a CA
certificate, a host trusts any certificates that are signed by the CA and presented by other network devices. You must first
download a certificate to the home directory, and then install the certificate using the crypto ca-cert install
command.
5. Download and install a signed host certificate and private key from an intermediate CA on an OS10 switch. Then install them
using the crypto cert install command. After you install the host certificate, OS10 applications use the certificate to
secure communication with network devices. The private key is installed in the internal file system on the switch and cannot
be exported or viewed.
Manage CA certificates
OS10 supports the download and installation of public X.509v3 certificates from external certificate authorities.
In a data center environment, trusted CA servers can create CA certificates. A host operates as a trusted CA server. Network
hosts install certificates that are digitally signed with the CA's private key to establish trust between participating devices in the
network. The certificate on an OS10 switch is used to verify the certificates presented by clients and servers, such as Syslog
and RADIUS servers, to establish a secure connection with these devices.
1166
Security