Installing a leaf certificate for the syslog client

This procedure describes how to install an X.509 leaf certificate and associate it with the syslog client.

Prerequisites
  • Root certificate of the CA that will issue the leaf certificate.
Procedure
  1. Create a TA profile with the command crypto pki ta-profile. This switches to the TA configuration context. The TA profile is where the switch stores the root certificate of the CA that will issue the leaf certificate for the syslog client.
  2. Optionally enable certificate revocation checking with the command revocation-check ocsp.
  3. Most certificates contain certificate revocation checking URLs for OCSP. If you want to override these URLs, configure custom revocation checking URLs with the command ocsp url.
  4. Import the root certificate of the CA that will issue the leaf certificate for the syslog client with the command ta-certificate.
  5. Exit the TA profile context with the command exit.
  6. Create a leaf certificate with the command crypto pki certificate. This switches to the leaf certificate configuration context.
  7. Define leaf certificate properties with the command subject.
  8. Set the encryption key type for the leaf certificate with the command key-type.
  9. Generate the certificate signing request (CSR) with the command enroll terminal.
  10. Use the CSR to obtain a leaf certificate from the CA for which the root certificate was imported in step 4.
  11. Import the leaf certificate into the switch with the command import terminal.
  12. Exit the leaf certificate context with the command exit.
  13. Associate the leaf certificate with the syslog client feature on the switch with the command crypto pki application.

Example

This example:

  • Creates a TA profile named syslog-root-cert.
  • Generates a CSR for the leaf certificate syslog-cert with the common name MyLeaf and an RSA key size of 3072 bits.
  • Imports the leaf certificate into the TA profile.
  • Associates the leaf certificate with the syslog application on the switch.

switch(config)# crypto pki ta-profile syslog-root-cert
switch(config-ta-syslog-root-cert)# revocation-check ocsp
switch(config-ta-syslog-root-cert)# ocsp url primary http://ocsp-server.my-ca.com
switch(config-ta-syslog-root-cert)# exit
switch(config)# crypto pki certificate syslog-cert
switch(config-cert-syslog-cert)# subject common-name MyLeaf country USA locality NY org MyCompany org-unit UNIT1 state NY
switch(config-cert-syslog-cert)# key-type rsa key-size 3072
switch(config-cert-syslog-cert)# enroll terminal
You are enrolling a certificate with the following attributes:
Subject: C=US, ST=NY, L=NY, OU=UnitA, O=MyCompany,
         CN=MyLeaf01
Key Type: RSA (2048 bits)

Continue (y/n)? y

-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
switch(config-cert-syslog-cert)# import terminal ta-profile syslog-root-cert
Paste the certificate in PEM format below, then hit enter and ctrl-D:
switch(config-cert-import)# -----BEGIN CERTIFICATE-----
switch(config-cert-import)# MIIDsDCCApgCCQDJotuPPj9GCDANBgkqhkiG9w0BAQsFADCBqzELMAkGA1UEBh
switch(config-cert-import)# VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExEDAOBgNVBAcMB1JvY2tsaW4xDDAKBg
switch(config-cert-import)# BAoMA0hQTjEVMBMGA1UECwwMSFBOUm9zZXZpbGxlMSowKAYDVQQDDCFocG5zdz
switch(config-cert-import)# OTQucm9zZS5yZGxhYnMuaHBlY29ycC5uZXQxJDAiBgkqhkiG9w0BCQEWFWZyZW
switch(config-cert-import)# YW4uaHVhbmdAaHBlLmNvbTAeFw0xODAxMTIyMzM2NTdaFw0yMDExMDEyMzM2NT
switch(config-cert-import)# MIGHMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExEDAOBgNVBAcMB1JvY2tsaW
switch(config-cert-import)# DDAKBgNVBAoMA0hQTjEVMBMGA1UECwwMSFBOUm9zZXZpbGxlMQ4wDAYDVQQDDA
switch(config-cert-import)# NDAwWDEkMCIGCSqGSIb3DQEJARYVZnJlZW1hbi5odWFuZ0BocGUuY29tMIIBIj
switch(config-cert-import)# BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoM3vG/m4vTn8eg4AF/IrcthO1N
switch(config-cert-import)# Nso6+QUF1+PRlylx5jO4u47wPqbkSvh5ooNnZts5OkUYVp5+xoHVy3uJIwPpbK
switch(config-cert-import)# QvFbsiuBWSO973fOqS062y3fVND+YV0QuEOmbUbwA5vjccTCv5YSkfMXTj547W
switch(config-cert-import)# y96hb4JabnKNYL8AubekvggvPPnWWqqk+1KutzghcGX9aCH1mr4buXFVZgKUGk
switch(config-cert-import)# pVCccAM7H4tLtrESR+U+1vD6s5PJrEzdtpOqGntZxaiUISz4CbTjp7vovZiGVW
switch(config-cert-import)# 3S1eaT0kmGjkDdr+3dmgr1lHUrQ0Bq8DHTMww4X+XOcZf4Y6siG46O2DCQIDAQ
switch(config-cert-import)# MA0GCSqGSIb3DQEBCwUAA4IBAQA59gOGA9kFYTklXw11zAW+BH5MoxML8B6vaA
switch(config-cert-import)# n+1Itl5WjFNGW8mk4LC8MUunXQrtfJzmvx7AyU9QzPb/PtEWrQ9+GuzU1vsp1A
switch(config-cert-import)# raB62AzTqtubEeMwS0jRWLg5ipAenwqmSf87TaLYeBWNYgZ4VDkBTeSHBLO9Zp
switch(config-cert-import)# MioDy0096DvSMPsnOaI+jnZ3AozN8y+nLgotXUsg36pO/Ncc51oQhyUdcAbgA1
switch(config-cert-import)# rzSLgyTnpXZKumvlaoTk3pzrIf7m5V103GTbgHGSFCzgO6QWxVxu9d7ju1o59S
switch(config-cert-import)# aOIT7JSsYI5LsLpVz9ZqS599rj/lLoH+rLNlRDVXpS+J51ig
switch(config-cert-import)# -----END CERTIFICATE-----
switch(config-cert-import)#
0 Issuer:  C=US, ST=California, L=Rocklin, O=HPN, OU=HPNRoseville,
           CN=hpnsw4494.rose.rdlabs.hpecorp.net/emailAddress=freeman.huang@hpe.com
  Subject: C=US, ST=California, L=Rocklin, O=HPN, OU=HPN Roseville,
           CN=switch/emailAddress=freeman.huang@hpe.com
1 Issuer:  C=US, ST=California, L=Rocklin, O=HPN, OU=HPNRoseville,
           CN=hpnsw4494.rose.rdlabs.hpecorp.net/emailAddress=freeman.huang@hpe.com
  Subject: C=US, ST=California, L=Rocklin, O=HPN, OU=HPN Roseville,
           CN=hpnsw4494.rose.rdlabs.hpecorp.net/emailAddress=freeman.huang@hpe.com
Leaf certificate is validated with vm4494-root and imported successfully.
switch(config-cert-syslog-cert)# exit
switch(config)# crypto pki application syslog-client certificate syslog-cert