Cisco 9134 - MDS Multilayer Fabric Switch Troubleshooting Manual page 480
Mds 9000 family
Hide thumbs
Also See for 9134 - MDS Multilayer Fabric Switch:
- Release notes (10 pages) ,
- Configuration manual (1484 pages) ,
- Installation manual (108 pages)
Table of Contents
Advertisement
Digital Certificate Issues
S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m
Follow these steps to create a trust point and associate the RSA key pairs with it:
Step 4
Choose Switches > Security > PKI and select the Trust Point tab.
a.
Click Create Row and set the TrustPointName field.
b.
Select the RSA key pairs from the KeyPairName drop-down menu.
c.
Select the certificates revocation method from the RevokeCheckMethods drop-down menu.
d.
Click Create.
e.
Choose Switches > Copy Configuration and click Apply Changes to copy the running-config to
Step 5
startup-config and save the trust point and key pair.
Download the CA certificate from the CA that you want to add as the trustpoint CA.
Step 6
Follow these steps to authenticate the CA that you want to enroll to the trust point:
Step 7
In Device Manager, choose Admin > Flash Files and select Copy and then select tftp from the
a.
Protocols radio button to copy the CA certificate to bootflash.
In Fabric Manager, choose Switches > Security > PKI and select the TrustPoint Actions tab.
b.
Select cauth from the Command drop-down menu.
c.
Click... in the URL field and select the CA certificate from bootflash.
d.
Click Apply Changes to authenticate the CA that you want to enroll to the trust point.
e.
Click the Trust Point Actions tab in the Information Pane.
f.
Make a note of the CA certificate fingerprint displayed in the IssuerCert FingerPrint column for the
g.
trust point row in question. Compare the CA certificate fingerprint with the fingerprint already
communicated by the CA (obtained from the CA web site). If the fingerprints match exactly, accept
the CA by selecting the certconfirm trust point action. Otherwise, reject the CA by selecting the
certnoconfirm trust point action.
If you selected certconfirm in step g, select the Trust Point Actions tab, select certconfirm from
h.
the Command drop-down menu and then click Apply Changes.
If you selected certnoconfirm inStep g, select the Trust Point Actions tab, select certnoconfirm
i.
from the Command drop-down menu, and then click Apply Changes.
Step 8
Follow these steps to generate a certificate request for enrolling with that trust point:
Select the Trust Point Actions tab in the Information pane.
a.
Select certreq from the Command drop-down menu. This generates a PKCS#10 certificate signing
b.
request (CSR) needed for an identity certificate from the CA corresponding to this trust point entry.
c.
Enter the output file name for storing the generated certificate request. It should be specified in the
bootflash:filename format and will be used to store the CSR generated in PEM format.
d.
Enter the challenge password to be included in the CSR. The challenge password is not saved with
the configuration. This password is required in the event that your certificate needs to be revoked,
so you must remember this password.
Click Apply Changes to save the changes.
e.
Request an identity certificate from the CA.
Step 9
Note
The CA may require manual verification before issuing the identity certificate.
Cisco MDS 9000 Family Troubleshooting Guide, Release 3.x
24-6
Chapter 24
Troubleshooting Digital Certificates
OL-9285-05
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
