
How to upload CA signed certificate using the offline mode on Comware 7 switches.

Requirement:

How to upload CA signed certificate using the offline mode on Comware 7 switches.



Solution:

Step 1: Create a set of PKI Keys.

Step 2: Create a PKI entity.

Step 3: Create a PKI domain with the below details.

Step 4: Create a CSR for the said domain.

Step 5: The CSR generated will be displayed on screen, copy the same into a notepad file and get it signed by a CA.

Step 6: Upload the signed certificate and the Root certificate to the switch using the copy commands or the Filesystem’s upload section on the web interface.

Step 7: Install the Root certificate on the switch using the below command.

Step 8: Install the Signed certificate on the switch using the following command.

Step 9: Use the new domain created for HTTPS server on the switch.



Configuration:

Step 1: Create a set of PKI Keys.

public-key local create rsa name <Key-Name>

 

Step 2: Create a PKI entity.

pki entity <Entity Name>
 common-name <CN>
 country <COUNTRY>
 locality <LOCALITY>
 organization-unit <ORG-UNIT>
 organization <ORG>
 state <STATE>
 ip <IP-ADDR>

Step 3: Create a PKI domain with the below details.

pki domain <Name>
 ca identifier <CA-CN>
 certificate request entity <Entity Name>
 public-key rsa general name <Key-Name> length 2048
 usage ssl-server
 undo crl check enable

 

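Use “undo crl check enable” if you do not want the switch to perform Certificate Revocation List (CRL) checking. With CRL checking disabled, the switch does not check whether a certificate in this domain has been revoked.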

 

Step 4: Create a CSR for the said domain.

pki request-certificate domain <Domain-Name> pkcs10

 

Step 5: The CSR generated will be displayed on screen, copy the same into a notepad file and get it signed by a CA.

 

Step 6: Upload the signed certificate and the Root certificate to the switch using the copy commands or the Filesystem’s upload section on the web interface.

 

Step 7: Install the Root certificate on the switch using the below command.

pki import domain <Domain-Name> <format (der|p12|pem)> ca filename flash:/My_root_ca.cer

Example: pki import domain abc der ca filename flash:/My_root_ca.cer

 

Step 8: Install the Signed certificate on the switch using the following command.

pki import domain <Domain-Name> <format (der|p12|pem)> local filename flash:/My_Signed.cer

 

Step 9: Use the new domain created for HTTPS server on the switch.

ssl server-policy <Policy-Name>
 pki-domain <Domain-Name>

ip https port <TCP-Port-Number>
ip https ssl-server-policy <Policy-Name>
ip https enable


Verification
display ip https server
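
The format keyword in Steps 7 and 8 should match the encoding the CA actually used, and a .cer file can hold either DER or PEM data. The following is an added example, not part of the original article: a Python helper that inspects the file bytes and builds the matching pki import command. The function names and the sample byte strings are constructed for illustration.

```python
import ssl

CERT_PEM_MARKER = b"-----BEGIN CERTIFICATE-----"

def _value_offset(buf, pos):
    """Offset of the value that follows the DER tag and length starting at pos."""
    first = buf[pos + 1]
    # Short form: one length byte. Long form: 0x80|n, then n more length bytes.
    return pos + 2 + ((first & 0x7F) if first & 0x80 else 0)

def detect_format(data):
    """Return the pki import format keyword (pem, der or p12) for a file's bytes."""
    if CERT_PEM_MARKER in data:
        return "pem"
    if len(data) < 4 or data[0] != 0x30:
        raise ValueError("neither PEM nor a DER SEQUENCE")
    inner = _value_offset(data, 0)
    if data[inner:inner + 3] == b"\x02\x01\x03":  # PKCS#12 PFX: INTEGER version 3
        return "p12"
    if data[inner:inner + 1] == b"\x30":          # X.509: tbsCertificate SEQUENCE
        return "der"
    # For example a PKCS#7 (.p7b) bundle, whose first element is an OID.
    raise ValueError("DER data is not a single certificate or PKCS#12 file")

def import_command(domain, role, filename, data):
    """Build the Step 7 (role 'ca') or Step 8 (role 'local') command line."""
    if role not in ("ca", "local"):
        raise ValueError("role must be 'ca' or 'local'")
    fmt = detect_format(data)
    return f"pki import domain {domain} {fmt} {role} filename flash:/{filename}"

# Constructed header stubs (not real certificates), enough to exercise the checks.
DER_STUB = bytes.fromhex("308200053003020102")        # SEQUENCE { SEQUENCE ... }
P12_STUB = bytes.fromhex("3003020103")                # SEQUENCE { INTEGER 3 }
P7B_STUB = bytes.fromhex("300b06092a864886f70d010702")  # SEQUENCE { OID signedData }
PEM_STUB = ssl.DER_cert_to_PEM_cert(DER_STUB).encode("ascii")

if __name__ == "__main__":
    print(import_command("abc", "ca", "My_root_ca.cer", DER_STUB))
    print(import_command("abc", "local", "My_Signed.cer", PEM_STUB))
```

For a real file, pass the result of open(path, "rb").read() as the data argument before copying the file to the switch.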
Last update: 05-01-2019 07:34 AM
Comments

Great article, but as a suggestion you might want to add a point, before opening HTTPS, that the weaker TLS and SSL 3.0 get disabled. I wrote a similar article, which I am attaching here; it is not as extensive on PKI as yours, but it pretty much covers securing HTTPS when it gets opened out of the default state, what to offer, and not relying on the default weaker cipher suites. With your article, I thought I would share mine too, which can help a broader audience get the scoop on what measures they can take care of when opening HTTPS, and ensure the strongest SSL server policy gets mapped to HTTPS when opening out from the default :)

 

Hope this helps and thanks for your article.

ssl_server_policy.jpg
