During the initial TLS protocol negotiation, both participating parties also check to see if the other’s certificate is revoked by the CA. To do
this check, the devices query the CA’s designated OCSP responder on the network. The OCSP responder information is included in the
presented certificate, the Intermediate CA inserts the info upon signing it, or it may be statically configured on the host.
Information about installing CA certificates
Dell Networking OS enables you to download and install X.509v3 certificates from Certificate Authorities (CAs).
In a data center environment, CA certificates are created by trusted hosts on the network. By digitally signing devices' certificates with the
CA's private key, trust can be established among all devices in a network. These CA certificates, installed on each of the devices, are used
to verify certificates presented by clients and servers such as the Syslog servers.
Dell Networking OS allows you to download CA certificates using the
crypto ca-cert install
command. In this command, you can
specify:
•
That the certificate is a CA certificate
•
The location from which to download the certificate and the protocol to use. For example,
tftp://192.168.1.100/
certificates/CAcert.pem
. Locations can be usbflash, built-in flash, TFTP, FTP, or SCP hosts.
After you download a CA certificate, the system verifies the following aspects of the CA certificate:
•
The system checks if “CA:TRUE” is specified in the certificate’s extensions section and the keyCertSign bit (bit 5) is set in the
KeyUsage bit string extension. If these extensions are not set, the system does not install the certificate.
•
The system checks if the Issuer and Subject fields are the same. If these fields are the same, then the certificate is a self-signed
certificate. These certificates are also called the root CA certificates, as they are not signed by another CA. The system verifies the
certificate with its own public key and install the certificate.
•
If the Issuer and Subjects fields differ, then the certificate is signed by another CA farther up the chain. These certificates are also
called intermediate certificates. If a higher CA certificate is installed on the switch, then the system verifies the downloaded certificate
with the CA's public key. The system repeats this process until the root certificate is reached. The certificate is rejected if the signature
verification fails.
•
If a higher CA certificate is not installed on the switch, the system rejects the intermediate CA certificate and logs the attempt. The
system also displays a message indicating the reason for the failure of CA certificate installation. The system checks the “not before”
and “not after” fields against the current system date to ensure that the certificate has not expired.
The verified CA certificate is installed on the switch by adding it to an existing file that contains trusted certificates. The certificate is
inserted into the certificate file that stores certificates in a root-last order. Meaning, the downloaded certificate is fit into the file before its
own issuer but following any certificates that it may have issued. This way, the system ensures that the CA certificates file is kept in a root-
last order. The file may contain multiple certificates in PEM format concatenated together. This file is stored in a private and persistent
location on the device such as the
flash://ADMIN_DIR
folder.
After the CA certificate is installed, the system can secure communications with TLS servers by verifying certificates that are signed by the
CA.
Installing CA certificate
To install a CA certificate, enter the
crypto ca-cert install {
path
}
command in Global Configuration mode.
Information about Creating Certificate Signing
Requests (CSR)
Certificate Signing Request (CSR) enables a device to get a X.509v3 certificate from a CA.
In order for a device to get a X.509v3 certificate, the device first requests a certificate from a CA through a Certificate Signing Request
(CSR). While creating a CSR, you need to provide the information about the certificate and the private key details. Dell Networking OS
enable you to create a private key and a CSR for a device using a single command.
X.509v3
1141
Содержание S4048T-ON
Страница 1: ...Dell Configuration Guide for the S4048 ON System 9 11 2 1 ...
Страница 148: ...Figure 10 BFD Three Way Handshake State Changes 148 Bidirectional Forwarding Detection BFD ...
Страница 251: ...Dell Control Plane Policing CoPP 251 ...
Страница 363: ... RPM Synchronization GARP VLAN Registration Protocol GVRP 363 ...
Страница 511: ...Figure 64 Inspecting the LAG Configuration Link Aggregation Control Protocol LACP 511 ...
Страница 512: ...Figure 65 Inspecting Configuration of LAG 10 on ALPHA 512 Link Aggregation Control Protocol LACP ...
Страница 515: ...Figure 67 Inspecting a LAG Port on BRAVO Using the show interface Command Link Aggregation Control Protocol LACP 515 ...
Страница 516: ...Figure 68 Inspecting LAG 10 Using the show interfaces port channel Command 516 Link Aggregation Control Protocol LACP ...
Страница 558: ...Figure 84 Configuring Interfaces for MSDP 558 Multicast Source Discovery Protocol MSDP ...
Страница 559: ...Figure 85 Configuring OSPF and BGP for MSDP Multicast Source Discovery Protocol MSDP 559 ...
Страница 560: ...Figure 86 Configuring PIM in Multiple Routing Domains 560 Multicast Source Discovery Protocol MSDP ...
Страница 564: ...Figure 88 MSDP Default Peer Scenario 2 564 Multicast Source Discovery Protocol MSDP ...
Страница 565: ...Figure 89 MSDP Default Peer Scenario 3 Multicast Source Discovery Protocol MSDP 565 ...
Страница 729: ...protocol spanning tree pvst no disable vlan 300 bridge priority 4096 Per VLAN Spanning Tree Plus PVST 729 ...
Страница 841: ...Figure 115 Single and Double Tag TPID Match Service Provider Bridging 841 ...
Страница 842: ...Figure 116 Single and Double Tag First byte TPID Match 842 Service Provider Bridging ...