Send documentation comments to mdsfeedback-doc@cisco.com
24-11
Cisco MDS 9000 Family Troubleshooting Guide, Release 3.x
OL-9285-05
Chapter 24 Troubleshooting Digital Certificates
Digital Certificate Issues
Importing Certificate and RSA Key Pairs from Backup Using Fabric Manager
To import certificates and RSA key pairs from a PKCS#12 backup file using Fabric Manager, follow
these steps:
Step 1 Choose Switches > Security > PKI and select the TrustPointDetails tab to verify that the trust point is
empty.
Step 2 Optionally, follow these steps to empty the trust point:
a. Choose Switches > Security > PKI and select the TrustPoint tab.
b. Delete the RSA key pair from the Key Pair Name field and click Apply Changes.
c. Choose Switches > Security > PKI and select the TrustPoint Actions tab.
d. Select cadelete from the Command drop-down menu and click Apply Changes to delete the CA
certificate.
e. Select forcecertdelete from the Command drop-down menu and click Apply Changes to delete the
identity certificates.
Step 3 In Device Manager, choose Admin > Flash Files and select Copy to copy the PKCS#12 format file to
the switch bootflash.
Step 4 In Fabric Manager, choose Switches > Security > PKI and select the TrustPoint Actions tab.
Step 5 Select the pkcs12import option from the Command drop-down menu to import the key pair, identity
certificate, and the CA certificate or certificate chain in PKCS#12 format to the selected trust point.
Step 6 Enter the input in bootflash:filename format, for the PKCS#12 file.
Step 7 Enter the required password. The password is set for decoding the PKCS#12 data. On completion, the
imported data is available in bootflash in the specified file.
Step 8 Click Apply Changes to save the changes.
On completion the trust point is created in the RSA key pair table corresponding to the imported key
pair. The certificate information is updated in the trust point.
Note The trust point should be empty (no RSA key pair associated with it and no CA is associated with it using
CA authentication) for the PKCS#12 import to succeed.
Importing Certificate and RSA Key Pairs from Backup Using the CLI
To import certificates and RSA key pairs from a PKCS#12 backup file using the CLI, follow these steps:
Step 1 Use the show crypto ca trustpoints command to verify that the trust point is empty.
Step 2 Optionally, use the delete ca-certificate command in trust point config submode to remove the CA
certificate from the trust point.
switch(config)# crypto ca trustpoint myCA
switch(config-trustpoint)# delete ca-certificate