Local certificate enrollment – manual mode

To enroll a Local certificate using a manual copy and paste method, a key size and the relevant TA profile details are required. The following command manually creates a certificate signature request. Including the subject overrides the configured Identity Profile:


crypto pki create-csr certificate-name <CERT-NAME>
  ta-profile <Profile-name>
  [usage <openflow | web | all>]
  [key-type rsa key-size <1024|2048>]
  [key-type ecdsa curve <256|384>]
  subject [common-name <CN-Value>]
  [org <Org-Value>] [org-unit <Org-unit-value>]
  [locality <Location-Value>] [state <state-Value>]
  [country <Country-Code>]
  [valid-start <date>] [valid-end <date>]


key-size [1024|2048]

The length of the RSA key, default is 1024 bits.



Name of the certificate.


The Trust Anchor Profile associated with the certificate. A profile named ‘default’ is updateable from the web UI.


Specify the Switch Id TA profile name.

usage <openflow|web|all>

Intended application for the certificate, the default is web.


Certificate validity start date (MM/DD/YY).


Certificate validity end date (MM/DD/YY).

Subject fields


Common Name (CN) – must be present, max length 90.


Organization Name (O) – preferred, max length 100.

org-unit value

Organizational Unit Name (OU) – preferred, max length 100.


Locality (L) – optional, max length 100.


State (ST) – optional, max length 100.


To specify the two letter ISO 3166-1 country code. Max length 2.


A CSR created with TA profile name of ‘default’ MUST include usage of either “web” or “all”.

Example: of PEM format output

This command creates a certificate signing request in realtime and then output the result to the console:


You must manually copy the certificate signing request (CSR) created with the “create-csr” command (above) and have it signed by a CA. The local certificate status is updated to “CSR” after the CSR is created. A pending certificate request is not persistent across a power cycle or reboot. Once the CA-signed certificate response is received, the user executes the following command and pastes the signed certificate provided by CA on the command line.

The switch retains the name of the certificate used when creating the CSR in memory while waiting for the signed certificate to be installed. When the signed certificate is pasted to the command line, the switch matches the certificate to the CSR by matching the public key and then saves the signed certificate to flash. The signed certificate will not be accepted if a CSR does not exist or if the trust chain cannot be verified (for example, if the CA’s root certificate is not installed in the Trust Anchor Profile.)


(config)# crypto pki install-signed-certificate <data>

Intermediate certificate installation is similar to the local certificate installation. When intermediate certificates are to be individually installed, the local-certificate name is used and certificate manager uses this name to build the certificate chain between the root and the leaf certificate of the specified name. Intermediate certificates must be presented in order from the trust anchor to the local (leaf) certificate. The user is prompted to paste the new certificate (PEM-encoded PKCS#7) to the command line. The provided data is parsed internally by Certificate Manager and stored in DER format thus requiring no additional parsing in CLI. The following text appears.


To install a signed certificate, the certificate must match a previously created signing request.

With the cursor at the start of a blank line, when the user presses the Enter key, the user operation is done. Usage of word pad is suggested to copy the certificate and paste it to this command.

To check the CSR status, enter:
show crypto pki local-certificate

Local enrollment is implemented in the web UI; specifically the security — SSL page is updated for the Web UI SSL server application, with web usage. The Web UI does not provide general PKI configurability for all applications (Web UI does not allow creation or management of other device certificates add.)


Self-signed certificate for a specific application (along with the key-pair) is removed once a CA signed local-certificate is installed for that application.