Ensuring Trust Point Configurations Persist Across Reboots; Monitoring and Maintaining CA and Certificates Configuration; Exporting and Importing Identity Information in PKCS#12 Format - HP Cisco MDS 9216 - Fabric Switch Configuration Manual

Cisco MDS 9000 Family Fabric Manager Configuration Guide, Release 3.x (OL-8222-10, April 2008)

Configuring CAs and Digital Certificates
Send documentation comments to mdsfeedback-doc@cisco.com

Ensuring Trust Point Configurations Persist Across Reboots

The trust point configuration is a normal Cisco SAN-OS configuration that persists across system
reboots only if you copy it explicitly to the startup configuration. The certificates, key-pairs, and CRL
associated with a trust point are automatically persistent if you have already copied the trust point
configuration to the startup configuration. Conversely, if the trust point configuration is not copied to the
startup configuration, the certificates, key-pairs, and CRL associated with it are not persistent, because they
require the corresponding trust point configuration after a reboot. Always copy the running configuration
to the startup configuration to ensure that the configured certificates, key-pairs, and CRLs are
persistent. Also, save the running configuration after deleting a certificate or key-pair to ensure that the
deletions are permanent.
The certificates and CRL associated with a trust point automatically become persistent when imported
(that is, without explicitly copying to the startup configuration) if the specific trust point is already
saved in the startup configuration.
We also recommend that you create a password-protected backup of the identity certificates and save it to
an external server (see the "Exporting and Importing Identity Information in PKCS#12 Format" section).
Note
Copying the configuration to an external server does include the certificates and key-pairs.
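An added example (not from the Cisco guide): a Python check that compares saved copies of the running and startup configurations and reports trust points that were never saved, differ from the saved copy, or were deleted without saving. The sample configurations are constructed, and the `crypto ca trustpoint` stanza layout, trust point names, and key-pair labels are assumptions.

```python
import re

# Constructed sample configs. The stanza layout ("crypto ca trustpoint <name>"
# followed by indented sub-commands) is assumed SAN-OS CLI syntax, not page content.
RUNNING = """\
crypto ca trustpoint admin-ca
  rsakeypair SwitchA
  revocation-check crl
crypto ca trustpoint backup-ca
  rsakeypair SwitchB
interface fc1/1
  no shutdown
"""
STARTUP = """\
crypto ca trustpoint admin-ca
  rsakeypair SwitchA
  revocation-check none
interface fc1/1
  no shutdown
"""

def trustpoints(config_text):
    """Map each trust point name to the set of its sub-commands."""
    found, current = {}, None
    for line in config_text.splitlines():
        m = re.match(r"crypto ca trustpoint (\S+)\s*$", line)
        if m:
            current = found.setdefault(m.group(1), set())
        elif line[:1].isspace() and current is not None:
            current.add(line.strip())
        else:
            current = None  # any other top-level line ends the stanza
    return found

def persistence_drift(running_text, startup_text):
    """Return (unsaved, changed, stale) trust point names, each sorted."""
    run, start = trustpoints(running_text), trustpoints(startup_text)
    unsaved = sorted(set(run) - set(start))   # lost on reboot
    stale = sorted(set(start) - set(run))     # deletion not yet saved
    changed = sorted(n for n in set(run) & set(start) if run[n] != start[n])
    return unsaved, changed, stale

if __name__ == "__main__":
    unsaved, changed, stale = persistence_drift(RUNNING, STARTUP)
    print("not in startup-config (lost on reboot):", unsaved)
    print("differs from startup-config:", changed)
    print("deleted but still in startup-config:", stale)
```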

Monitoring and Maintaining CA and Certificates Configuration

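The tasks in this section are optional. This section includes the following topics:
Exporting and Importing Identity Information in PKCS#12 Format
Configuring a CRL
Deleting Certificates from the CA Configuration
Deleting RSA Key-Pairs from Your Switch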

Exporting and Importing Identity Information in PKCS#12 Format

You can export the identity certificate along with the RSA key-pair and CA certificate of a trust point
to a PKCS#12 file for backup purposes. You can later import the certificate and RSA key-pair to recover
from a system crash on your switch or when you replace the supervisor modules.
Note
Only bootflash:filename format is supported when specifying the export and import URL.
To export a certificate and key pair to a PKCS#12-formatted file using Fabric Manager, follow these
steps:
Step 1 Expand Switches > Security and then select PKI in the Physical Attributes pane.
Step 2 Click the Trust Point Actions tab in the Information Pane (see Figure 43-9).
Step 3 Select the pkcs12export option in the Command drop-down menu to export the key-pair, identity
certificate, and the CA certificate or certificate chain in PKCS#12 format from the selected trust point.
Cisco MDS 9000 Family CLI Configuration Guide
Chapter 43
Configuring Certificate Authorities and Digital Certificates
OL-16184-01, Cisco MDS SAN-OS Release 3.x