Ensuring Trust Point Configurations Persist Across Reboots; Monitoring And Maintaining Ca And Certificates Configuration; Exporting And Importing Identity Information In Pkcs#12 Format; Configuring A Crl - Cisco AP775A - Nexus Converged Network Switch 5010 Configuration Manual

Fabric manager configuration guide, release 4.x

Configuring CAs and Digital Certificates

Ensuring Trust Point Configurations Persist Across Reboots

The trust point configuration is a normal Cisco NX-OS configuration that persists across system reboots
only if you copy it explicitly to the startup configuration. The certificates, key-pairs, and CRL associated
with a trust point are automatically persistent if you have already copied the trust point configuration to
the startup configuration. Conversely, if the trust point configuration is not copied to the startup
configuration, the certificates, key-pairs, and CRL associated with it are not persistent because they require
the corresponding trust point configuration after a reboot. Always copy the running configuration to the
startup configuration to ensure that the configured certificates, key-pairs, and CRLs are persistent.
Also, save the running configuration after deleting a certificate or key-pair to ensure that the deletions
are permanent.
The certificates and CRL associated with a trust point automatically become persistent when imported
(that is, without explicitly copying to the startup configuration) if the specific trust point is already
saved in the startup configuration.
We also recommend that you create a password-protected backup of the identity certificates and save it to
an external server (see the "Exporting and Importing Identity Information in PKCS#12 Format" section).
Note
Copying the configuration to an external server does include the certificates and key-pairs.
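The persistence rule above can be checked off-box by comparing saved copies of the running and startup configurations. The following is an added example, not taken from the Cisco guide; the trust point names, key-pair labels and sample configuration text are constructed, and the NX-OS-style sub-commands in them are assumptions for illustration.

```python
import re

# Constructed sample configs (not from a real switch). Trust point names,
# key-pair labels and the NX-OS-style sub-commands are illustrative assumptions.
RUNNING = """\
crypto ca trustpoint admin-ca
  enrollment terminal
  rsakeypair SwitchA
  revocation-check crl
crypto ca trustpoint lab-ca
  enrollment terminal
  rsakeypair LabKey
interface mgmt0
"""
STARTUP = """\
crypto ca trustpoint admin-ca
  enrollment terminal
  rsakeypair SwitchA
  revocation-check none
"""

def trustpoints(config: str) -> dict:
    """Map each trust point name to the set of its indented sub-commands."""
    found, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto ca trustpoint (\S+)\s*$", line)
        if m:
            current = found.setdefault(m.group(1), set())
        elif line[:1].isspace() and line.strip() and current is not None:
            current.add(line.strip())
        elif line.strip():
            current = None  # any other non-blank line ends the trust point block
    return found

def audit(running: str, startup: str) -> dict:
    """Classify trust points by whether their configuration survives a reboot."""
    run, start = trustpoints(running), trustpoints(startup)
    return {
        # Not saved: associated certificates, key-pairs and CRL will not persist.
        "unsaved": sorted(set(run) - set(start)),
        # Removed from running but still in startup: a reboot undoes the removal.
        "deletion_not_saved": sorted(set(start) - set(run)),
        # Saved, but the running block differs from the startup block.
        "drifted": sorted(n for n in set(run) & set(start) if run[n] != start[n]),
    }

if __name__ == "__main__":
    for finding, names in audit(RUNNING, STARTUP).items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```

Any name reported under `unsaved` or `drifted` means the running configuration still has to be copied to the startup configuration before the next reboot.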

Monitoring and Maintaining CA and Certificates Configuration

The tasks in this section are optional. This section includes the following topics:
Exporting and Importing Identity Information in PKCS#12 Format
Configuring a CRL
Deleting Certificates from the CA Configuration
Deleting RSA Key-Pairs from Your Switch

Exporting and Importing Identity Information in PKCS#12 Format

You can export the identity certificate along with the RSA key-pair and CA certificate of a trust point
to a PKCS#12 file for backup purposes. You can later import the certificate and RSA key-pair to recover
from a system crash on your switch or when you replace the supervisor modules.
Note
Only bootflash:filename format is supported when specifying the export and import URL.
To export a certificate and key pair to a PKCS#12-formatted file using Fabric Manager, follow these
steps:
Step 1  Expand Switches > Security and then select PKI in the Physical Attributes pane.
Step 2  Click the Trust Point Actions tab in the Information Pane (see Figure 43-9).
Step 3  Select the pkcs12export option in the Command drop-down menu to export the key-pair, identity
certificate, and the CA certificate or certificate chain in PKCS#12 format from the selected trust point.

Cisco MDS 9000 Family Fabric Manager Configuration Guide, OL-17256-03, Cisco MDS NX-OS Release 4.x
Chapter 43: Configuring Certificate Authorities and Digital Certificates
