Dell S6100 Configuration Manual page 1075

The Root CA generates a private key and a self-signed CA certificate.
The Intermediate CA generates a private key and a Certificate Signing Request (CSR).
Using its private key, the Root CA signs the Intermediate CA's CSR, producing a CA certificate for the Intermediate CA. This Intermediate
CA can then sign certificates for hosts in the network and also for further intermediate CAs. These CA certificates (the Root CA and any
intermediate CAs), but not the corresponding private keys, are made publicly available on the network.
NOTE: CA certificates may also be bundled together for ease of installation. Their .PEM files are concatenated in order from the
"lowest" ranking CA certificate to the Root CA certificate. Dell Networking OS handles installation of bundled certificate files.
The other hosts on the network, such as the SUT switch, syslog server, and OCSP server, generate private keys and create Certificate
Signing Requests (CSRs). The hosts then upload the CSRs to the Intermediate CA or make the CSRs available for the Intermediate CA to
download. Dell Networking OS generates a CSR using the crypto cert generate request command.
The hosts on the network (SUT, syslog, OCSP...) also download and install the CA certificates from the Root and Intermediate CAs. By
installing these CA certificates, the hosts trust any certificates signed by these CAs.
NOTE: You can download and install CA certificates in one step using the crypto ca-cert install command.
The Intermediate CA signs the CSRs and makes the resulting certificates available for download, for example from an FTP root directory.
Alternatively, the Intermediate CA can also generate the private keys and certificates for the hosts. The CA then makes the private key
and certificate pair available for each host to download. You can password-encrypt the private key for additional security and then
decrypt it with the password when you install it using the crypto cert install command.
The hosts on the network (SUT, syslog, OCSP...) download and install their corresponding signed certificates. A host can also verify that a
downloaded certificate is its own by checking it against the private key it generated earlier.
NOTE: When you use the crypto cert install command to download and install certificates, Dell Networking OS automatically
verifies whether a device has its own certificate.
Now that the X.509v3 certificates are installed on the SUT and Syslog server, these certificates can be used during TLS protocol
negotiations so that the devices can verify each other's trustworthiness and exchange session keys to protect session data. The devices
verify each other's certificates using the CA certificates they installed earlier. The SUT enables Syslog-over-TLS by configuring the
secure keyword in the logging configuration. For example, logging 10.11.178.1 secure 6514.