certificate
This subcommand lets you perform various actions on the currently installed TLS certificate and create new certificates.
Syntax
(config-network)# tls <Index>
(tls-<Index>)# certificate {create|current-installed}
| Command | Description |
|---|---|
| Index | Defines the table row index. |
| create | Creates a certificate signing request and a new self-signed certificate. |
| create display | Displays the X.509 fields configuration for CSR and new self-signed certificates. |
| create self-signed | Creates a self-signed certificate (by the device) with the current key. |
| create set-extended-key-usage {add\|clear} | Defines or deletes the extended key usage X.509 field for CSR and new self-signed certificates. The add option provides the following sub-commands to define the key (string) and optionally, to define the key as critical: set-extended-key-usage add <String> [critical] |
| create set-key-usage {add\|clear} | Defines or deletes the key usage X.509 field for CSR and new self-signed certificates. The add option provides the following sub-commands to define the key (string) and optionally, to define the key as critical: set-key-usage add <String> [critical] |
| create set-authority-information-access-ocsp {add\|clear} | Defines or deletes the Authority Information Access (AIA) extension field for CSR and new self-signed certificates with the URL of the server where the client can check the validity of the device's certificate during the TLS handshake. |
| create set-signature-algorithm {sha-256\|sha-512} | Defines the signature algorithm for CSR and new self-signed certificates. |
| create set-subject {add\|clear\|copy} | Defines, deletes or copies the certificate subject name for CSR and new self-signed certificates. The add option provides the following sub-commands to define the subject: certificate create set-subject add {common-name\|country\|locality\|org-unit\|organization\|state} |
| create set-subject-alternative-name {add\|clear} | Defines or deletes the Subject Alternative Name (SAN) fields, which can be a DNS, e-mail, IP address or URI. The add option provides the following sub-commands to define the SAN fields: certificate create set-subject-alternative-name add {dns\|email\|ip-addr\|uri} |
| create set-subject-key-identifier {add\|clear} | Defines or deletes the subject key identifier (SKI) X.509 field for CSR and new self-signed certificates. The add option provides the following sub-commands to define the SKI: certificate create set-subject-key-identifier add {<HEX STRING>\|hash-sha1\|hash-sha1-60lsb} |
| create signing-request | Creates a certificate signing request with the current key, which needs to be sent to the CA. To view more of the output of the CSR text, press Enter (from "BEGIN CERTIFICATE REQUEST" to "END CERTIFICATE REQUEST"). To send the CSR to a remote server, type the URL with a CSR file name, and then press Enter (see bold text): (tls-1)# certificate create signing-request |
| current-installed | Performs various actions on the currently installed TLS certificate. |
| current-installed display | Displays certificate information of the currently installed certificate. |
| current-installed export | Exports the currently installed certificate in PEM format. |
| current-installed import | Imports a certificate in textual PEM format. Note: The imported certificate replaces the currently installed certificate. |
| current-installed status | Displays status of the currently installed certificate (e.g., expiration day). |
Command Mode
Privileged User
Example
This example displays the status of a currently installed TLS certificate (TLS Context 0):
(tls-0)# certificate current-installed status
Security context #0 - default
Certificate subject: /CN=ACL_5967925
Certificate issuer : /CN=ACL_5967925
Time to expiration : 5625 days
Key size: 2048 bits
Active sockets: 0
The currently-loaded private key matches this certificate..
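The status output shown above can be checked automatically when auditing many TLS contexts. The following Python sketch is an added example, not part of the original reference or the vendor's tooling: it parses that output and flags a self-signed certificate (subject equals issuer), a short remaining lifetime, a small key, or a missing key-match confirmation. The function names and both thresholds are assumptions chosen for illustration, and because the page shows only the successful key-match message, any other wording is treated as unconfirmed.

```python
import re

# Output copied from the page's example (TLS Context 0), one field per line.
SAMPLE = """\
Security context #0 - default
Certificate subject: /CN=ACL_5967925
Certificate issuer : /CN=ACL_5967925
Time to expiration : 5625 days
Key size: 2048 bits
Active sockets: 0
The currently-loaded private key matches this certificate..
"""

MIN_KEY_BITS, WARN_DAYS_LEFT = 2048, 30  # assumed thresholds, not device defaults

def parse_status(text):
    """Parse 'certificate current-installed status' output into a dict."""
    info = {"key_matches": False}
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"Security context #(\d+) - (.+)$", line)
        if m:
            info["context"], info["name"] = int(m.group(1)), m.group(2)
        elif "private key matches this certificate" in line:
            info["key_matches"] = True
        elif ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            info[key.lower()] = value
    return info

def first_int(value):
    """Leading integer of a field such as '5625 days'; -1 if missing."""
    m = re.match(r"-?\d+", value or "")
    return int(m.group()) if m else -1

def audit(info):
    """Return findings for one parsed TLS context; missing fields fail."""
    findings = []
    subject = info.get("certificate subject")
    if subject and subject == info.get("certificate issuer"):
        findings.append("self-signed: subject equals issuer")
    days = first_int(info.get("time to expiration"))
    if days <= WARN_DAYS_LEFT:
        findings.append(f"expires within {WARN_DAYS_LEFT} days or unknown ({days})")
    bits = first_int(info.get("key size"))
    if bits < MIN_KEY_BITS:
        findings.append(f"key below {MIN_KEY_BITS} bits or unknown ({bits})")
    if not info["key_matches"]:
        findings.append("private key match not confirmed")
    return findings
```

Calling `audit(parse_status(SAMPLE))` on the page's output returns a single finding, the self-signed certificate whose subject and issuer are both /CN=ACL_5967925.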