Send documentation comments to mdsfeedback-doc@cisco.com
43-18
Cisco MDS 9000 Family Fabric Manager Configuration Guide
OL-17256-03, Cisco MDS NX-OS Release 4.x
Chapter 43 Configuring Certificate Authorities and Digital Certificates
Example Configurations
Step 6 Download the CA certificate from the CA that you want to add as the trustpoint CA.
Step 7 To authenticate the CA that you want to enroll to the trust point, follow these steps:.
a. Using Device Manager, choose Admin > Flash Files and select Copy and tftp copy the CA
certificate to bootflash.
b. Using Fabric Manager, choose Switches > Security > PKI and select the TrustPoint Actions tab.
c. Select cauth from the Command drop-down menu.
d. Click ... in the URL field and select the CA certificate from bootflash.
e. Click Apply Changes to authenticate the CA that you want to enroll to the trust point.
f. Click the Trust Point Actions tab in the Information Pane.
g. Make a note of the CA certificate fingerprint displayed in the IssuerCert FingerPrint column for the
trust point row in question. Compare the CA certificate fingerprint with the fingerprint already
communicated by the CA (obtained from the CA web site). If the fingerprints match exactly, accept
the CA by performing the certconfirm trust point action. Otherwise, reject the CA by performing
the certnoconfirm trust point action.
h. If you select certconfirm in step g, select the Trust Point Actions tab, select certconfirm from the
command drop-down menu and then click Apply Changes.
i. If you select certnoconfirm in step g, select the Trust Point Actions tab, select the certnoconfirm
from the command drop-down menu and then click Apply Changes.
Step 8 To generate a certificate request for enrolling with that trust point, follow these steps:
a. Select the Trust Point Actions tab in the Information pane.
b. Select certreq from the Command drop-down menu. This generates a pkcs#10 certificate signing
request (CSR) needed for an identity certificate from the CA corresponding to this trust point entry.
c. Enter the output file name for storing the generated certificate request. It should be specified in the
bootflash:filename format and will be used to store the CSR generated in PEM format.
d. Enter the challenge password to be included in the CSR. The challenge password is not saved with
the configuration. This password is required in the event that your certificate needs to be revoked,
so you must remember this password.
e. Click Apply Changes to save the changes.
Step 9 Request an identity certificate from the CA.
Note The CA may require manual verification before issuing the identity certificate.
Step 10 To import the identity certificate, follow these steps:
a. Using Device Manager, choose Admin > Flash Files and select Copy and use TFTP to copy the CA
certificate to bootflash.
b. Using Fabric Manager, choose Switches > Security > PKI and select the TrustPoint Actions tab.
c. Select the certimport option from the Command drop-down menu to import an identity certificate
in this trust point.
Note The identity certificate should be available in PEM format in a file in bootflash.
To Next Page
Loading...
Need help?
General
