PKI on the switch

The switch supports installing certificate authority (CA) certificates as trust anchors, and generating and installing leaf certificates for its own services.

Trust anchor profiles

The switch supports 10 trust anchor (TA) profiles. Each TA profile stores a trusted CA certificate. The certificate can be either a root CA certificate, which must be self-signed, or an intermediate CA certificate that is issued by another CA.

NOTE:

The certificate's BasicConstraints extension must have the cA flag set to true, and its KeyUsage extension must include keyCertSign, cRLSign, or both. A certificate without these extensions is a leaf certificate and cannot be installed in a TA profile.

CA certificates are used to:
  • Validate the certificates that remote peers present when attempting to establish a secure connection with a service on the switch, for example, the SSH server.

  • Validate leaf certificates installed on the switch that are used, for example, by the syslog client, the Web UI, or REST API.

A TA profile can also be configured to check the revocation status of certificates in real time through OCSP.

Leaf certificates

Leaf certificates can be installed on the switch for use by features such as the syslog client, the Web UI, or the REST API. If you are purchasing a certificate from a trusted CA, the switch can generate the certificate signing request (CSR) that is submitted to the CA to obtain the certificate; the private key then never leaves the switch. The switch can also generate self-signed certificates directly. Alternatively, the private key and certificate can be generated outside the switch and imported. X.509 certificate management software such as OpenSSL can be used to generate the private key and CSR, and then to combine the issued certificate and the private key into a single PEM or PKCS#12 file suitable for import into the switch.
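The following shell script is an added example, not part of the switch documentation, that exercises both the trust anchor requirement from the NOTE above (BasicConstraints cA=TRUE, KeyUsage keyCertSign and/or cRLSign) and the off-switch leaf workflow described here, using only OpenSSL. It creates a lab root CA with the required extensions, checks a candidate certificate for them before it would be loaded into a TA profile, generates the leaf private key and CSR on the workstation, signs the CSR with the lab CA (standing in for the commercial CA you would normally submit it to), and packages the result as a concatenated PEM file and as PKCS#12. The hostname switch1.example.net, the CA name, the PKCS#12 pass phrase and all file names are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not from the switch documentation): OpenSSL workflow for
#  (1) a lab root CA carrying the extensions a TA profile requires,
#  (2) a pre-import check for those extensions on any candidate CA cert,
#  (3) an off-switch leaf key + CSR, signed by the lab CA and packaged as
#      PEM and PKCS#12 for import.
# All names, hostnames and the pass phrase below are placeholders.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORK=$(mktemp -d)
P12_PASS=changeit   # example pass phrase; the switch asks for it on import

# Extension profiles: a conforming CA and a leaf (which must NOT be a CA).
cat > "$WORK/pki.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:switch1.example.net
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# (1) Self-signed root CA with cA=TRUE and keyCertSign+cRLSign.
make_lab_ca() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/ca.key"
  openssl req -x509 -new -key "$WORK/ca.key" -sha256 -days 3650 \
    -subj "/CN=Example Lab Root CA" \
    -config "$WORK/pki.cnf" -extensions v3_ca -out "$WORK/ca.pem"
}

# (2) Mirrors the TA profile NOTE: BasicConstraints cA=TRUE and a KeyUsage
# containing keyCertSign and/or cRLSign. Returns 0 when the cert is eligible,
# 1 when it is not, 2 when the file cannot be parsed.
ta_profile_eligible() {
  text=$(openssl x509 -in "$1" -noout -text) || return 2
  printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
  printf '%s\n' "$text" | grep -Eq 'Certificate Sign|CRL Sign' || return 1
}

# (3) Leaf key and CSR generated off-switch, signed by the lab CA (replace the
# signing step with your commercial CA's process), then bundled two ways.
make_leaf() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$WORK/leaf.key"
  openssl req -new -key "$WORK/leaf.key" -sha256 \
    -subj "/CN=switch1.example.net/O=Example Lab" \
    -config "$WORK/pki.cnf" -out "$WORK/leaf.csr"
  openssl x509 -req -in "$WORK/leaf.csr" -sha256 -days 365 \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/pki.cnf" -extensions v3_leaf -out "$WORK/leaf.pem"
  # PEM bundle: certificate followed by its private key.
  cat "$WORK/leaf.pem" "$WORK/leaf.key" > "$WORK/leaf-bundle.pem"
  # PKCS#12: certificate, private key and the issuing CA chain in one file.
  openssl pkcs12 -export -in "$WORK/leaf.pem" -inkey "$WORK/leaf.key" \
    -certfile "$WORK/ca.pem" -name "switch1-rest" \
    -passout "pass:$P12_PASS" -out "$WORK/leaf.p12"
}

# Does the leaf chain to the CA the switch would hold in a TA profile?
chain_verifies() {
  openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null
}

make_lab_ca
make_leaf
for f in ca.pem leaf.pem; do
  if ta_profile_eligible "$WORK/$f"; then
    echo "$f: eligible for a TA profile"
  else
    echo "$f: not a CA certificate; install it as a leaf instead"
  fi
done
chain_verifies "$WORK/leaf.pem" && echo "leaf.pem chains to ca.pem"
echo "artifacts in $WORK"
```

Before importing the PKCS#12 file, check that the switch firmware accepts the container algorithms: recent OpenSSL releases default to PBES2 with AES and a SHA-256 MAC, while some device importers only accept the older 3DES or RC2 encodings. If the import is rejected, re-export with -keypbe and -certpbe set to an algorithm the switch documents as supported.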