5.6 TLS Commands
Configuration Commands
Show Commands
copy file: certificate:
The copy file: certificate: command copies the certificate to certificate: file system. The certificate can be copied from any supported source URLs of the copy command.
Command Mode
Global Configuration
Command Syntax
copy file: file_name certificate:
Parameters
• file_name location or the path of the file or the directory where the certificate is saved.
Guidelines
The following points to be considered while using the copy command:
• Generally a single source file can contain multiple PEM encoded certificates but only one PEM encoded certificate per file is supported. An error occurs when such multiple PEM encoded file is copied and the copy fails and displays an error.
• An error occurs when a source file containing invalid PEM encoded certificate is copied. When such files are copied the copy fails, and displays an error.
• An error occurs when a source files containing a certificate with password protected key is copied. When such files are copied the copy fails, and displays an error.
The following errors occur while copying the certificates:
• When multiple PEM encoded certificates are copied, the copy task fails and the following error is displayed.
switch(config)#copy file:tmp/ssl/multi.crt certificate:
% Error copying file:tmp/ssl/multi.crt to certificate: (Multiple PEM entities in single file not supported)
• When a source file containing invalid PEM encoded certificate is copied, the copy task fails and the following error is displayed.
switch(config)#copy file:tmp/ssl/bad.crt certificate:
% Error copying file:tmp/ssl/bad.crt to certificate: (Invalid certificate)
• When a source file containing a certificate with password protected key is copied, the copy task fails and the following error is displayed.
switch(config)#copy file:tmp/ssl/pass.key sslkey:
% Error copying file:tmp/ssl/pass.key to sslkey: (Password protected keys are not supported)
• Only certificates with RSA public keys are supported. When a certificate without RSA public key is copied the copy fails, and an error is displayed.
switch(config)#copy file:tmp/ssl/dsa.crt certificate:
% Error copying file:tmp/ssl/dsa.crt to certificate: (Certificate does not have RSA key)
Example
• This command copies a server.crt certificate to certificate: file system.
switch(config)#copy file:/tmp/ssl/server.crt certificate:
Copy completed successfully.
copy file: sslkey:
The copy file: sslkey: command copies the SSL key to the sslkey: file system. The key can be copied from any supported source URLs of the copy command.
Command Mode
Global Configuration
Command Syntax
copy file: file_name sslkey:
Parameters
• file_name location or the path of the file or the directory where the key is saved.
Guidelines
The following points to be considered while using the copy command:
• Generally a single source file can contain multiple PEM encoded keys but only one PEM encoded key per file is supported. An error occurs when such multiple PEM encoded file is copied and the copy fails and shows an error.
• An error occurs when a source file containing invalid PEM encoded key is copied. When such files are copied the copy fails, and shows an error.
The following errors occur while copying the certificates:
• When multiple PEM encoded keys are copied, the copy fails and the following error occurs.
switch#copy file:tmp/ssl/multi.key sslkey:
% Error copying file:tmp/ssl/multi.key to sslkey: (Multiple PEM entities in single file not supported)
• When a source file containing invalid PEM encoded key is copied, the following error occurs.
switch#copy file:tmp/ssl/bad.key sslkey:
% Error copying file:tmp/ssl/bad.key to sslkey: (Invalid RSA key)
Example
• This command copies a server.key key to the sslkey: file system.
switch(config)#copy file:/tmp/ssl/server.key sslkey:
Copy completed successfully.
delete certificate:
The delete certificate: command deletes a specified certificate from certificate: file system on the switch.
Command Mode
Global Configuration
Command Syntax
delete certificate: certificate_name
Parameters
• certificate_name name of the certificate to be deleted.
Example
• This command deletes the server.crt certificate from the switch.
switch(config)#delete certificate:server.crt
delete sslkey:
The delete sslkey: command deletes a SSL key from sslkey: file system on a switch.
Command Mode
Global Configuration
Command Syntax
delete sslkey: key_name
Parameters
• key_name name of the key.
Example
• This command deletes the server.key SSL key on the switch.
switch(config)#delete sslkey:server.key
dir certificate:
The dir certificate: command displays the directory output of certificate: file system on the switch.
Command Mode
Global Configuration
Command Syntax
dir certificate:
Example
• This command shows the directory output of certificate: file system on the switch.
switch(config)#dir certificate:
Directory of certificate:/
-rw- 3319 Apr 10 11:50 server.crt
No space information available
dir sslkey:
The dir sslkey: command displays the directory output of sslkey: file system on the switch.
Command Mode
Global Configuration
Command Syntax
dir sslkey:
Example
• This command shows the directory output of sslkey: file system on the switch.
switch(config)#dir sslkey:
Directory of sslkey:/
-rw- 1675 Apr 10 12:55 server.key
No space information available
reset ssl diffie-hellman parameters
The reset ssl diffie-hellman parameters command resets the Diffie-Hellman parameters file after a system reboot.
Command Mode
Global Configuration
Command Syntax
reset ssl diffie-hellman parameters
Example
• This command resets the Diffie-Hellman parameters file.
switch(config)#reset ssl diffie-hellman parameters
security pki certificate generate
The security pki certificate generate command is used to generate a self-signed certificate or a certificate signing request (CSR) certificate. The generated CSR is displayed on the CLI, whereas a self-signed certificate is saved to the certificate: file system.
Many other parameters can be entered and applied to the certificate as shown in the following examples below.
Command Mode
Global Configuration
Command Syntax
security pki certificate generate {self-signed | signing-request} certificate_name Key key_name
Parameters
• certificate_name name of the certificate to generate. Options includes.
• self-signed request to generate self-signed certificate.
• signing-request request to generate signing-request.
• digest signs the certificate or key with the following cryptographic hash algorithm (sha256, sha384, sha512).
• key_name name of the key to modify.
• parameters signing request parameters for a certificate. Option includes.
• common-name common name for use in subject.
• country two-letter country code for use in subject
• email email address for use in subject
• locality locality name for use in subject
• organization organization name for use in subject
• organization-unit organization Unit Name for use in subject
• state state for use in subject
• subject-alternative-name subject alternative name extension
• validity validity of the certificate in days. Value ranges from 1 to 30000 .
Examples
• This command generates a self-signed certificate or CSR certificate. In the example below an existing private key (test.key) is used to generate the certificates.
switch(config)#security pki certificate generate self-signed test.crt key test.key
• This command specifies the digest and the validity (in days) of the certificate or key.
switch(config)#security pki certificate generate signing-request key test.key digest sha256 validity 365
• This command adds the certificate parameters such as common-name, country, email, and others.
switch(config)#security pki certificate generate signing-request key test.key parameters common-name Test [country US ...]
security pki key generate
The security pki key generate command generates a RSA key used to validate a specific certificate.
The key generated can be modified and saved by entering the value of the length in generate rsa <length> parameter.
Command Mode
Global Configuration
Command Syntax
security pki key generate rsa key_name
Parameters
• rsa use Rivest-Shamir-Adleman (RSA) algorithm. Options include.
• 2048 Use 2048-bit keys
• 3072 Use 3072-bit keys
• 4096 Use 4096-bit keys
• key_name name of the key to generate.
Examples
• This command generates a a 2048-bit long RSA private key(test.key) and save it to sslkey:test.key.
switch(config)#security pki key generate rsa 2048 test.key
• This command modifies the generated RSA key length value.
switch(config)#security pki certificate generate self-signed test.crt key test.key generate rsa 4096
switch(config)#security pki certificate generate signing-request key test.key generate rsa 2048
ssl profile
The ssl profile command places the switch in the SSL profile configuration mode. Various SSL profile management configurations are allowed in this mode. For example, this mode allows to configure a SSL profile with a certificate and its corresponding RSA key.
Similarly, other configurations such as trust certificate, chain certificate, crl, tls, cipher-list can be configured to a SSL profile in this mode.
The no form of the command deletes the SSL profile management configuration from running-config.
Command Mode
Management Security Mode
SSL Profile Mode
Command Syntax
ssl profile profile_name
Parameter
• profile_name name of the profile.
Examples
• These commands place the switch in SSL profile mode.
switch#config
switch(config)#management security
switch(config-mgmt-security)#ssl profile server
switch(config-mgmt-sec-ssl-profile-server)#
• These commands configure SSL profile server with a certificate and its corresponding RSA key. The no command deletes the certificate configuration.
switch#config
switch(config)#management security
switch(config-mgmt-security)#ssl profile server
switch(config-mgmt-sec-ssl-profile-server)#certificate server.crt key server.key
switch(config-mgmt-sec-ssl-profile-server)#no certificate server.crt key
server.key
• These commands configure the trust certificate “ca1.crt” to an SSL profile. The no command deletes a trusted certificate configuration.
switch#config
switch(config)#management security
switch(config-mgmt-security)#ssl profile server
switch(config-mgmt-sec-ssl-profile-server)#trust certificate ca1.crt
switch(config-mgmt-sec-ssl-profile-server)#no trust certificate ca1.crt
• These commands configure the intermediate.crt chain certificate to a SSL profile. The no command deletes a chain certificate configuration.
switch#config
switch(config)#management security
switch(config-mgmt-security)#ssl profile server
switch(config-mgmt-sec-ssl-profile-server)#certificate server.crt key server.key
switch(config-mgmt-sec-ssl-profile-server)#chain certificate intermediate.crt
switch(config-mgmt-sec-ssl-profile-server)#no chain certificate intermediate.crt
• These commands provides certificate revocation list (CRL) to a SSL profile to check the revocation status of the certificate chain. The no command deletes the crl configuration.
switch#config
switch(config)#management security
switch(config-mgmt-security)#ssl profile server
switch(config-mgmt-sec-ssl-profile-server)#crl intermediate.crl
switch(config-mgmt-sec-ssl-profile-server)#crl ca.crl
switch(config-mgmt-sec-ssl-profile-server)#no crl ca.crl
• These commands configure TLSv1.2 to be used in the SSL profile.
switch#config
switch(config)#management security
switch(config-mgmt-security)#ssl profile server
switch(config-mgmt-sec-ssl-profile-server)#tls versions 1.2
• These commands build a cipher suite list.
switch#config
switch(config)#management security
switch(config-mgmt-security)#ssl profile server
switch(config-mgmt-sec-ssl-profile-server)#cipher-list AESGCM
switch(config-mgmt-sec-ssl-profile-server)#cipher-list SHA256:SHA38
switch(config-mgmt-sec-ssl-profile-server)#cipher-list
ECDHE-ECDSA-AES256-GCM-SHA384
• This command check that the certificate has an extended key usage attribute.
switch(config-mgmt-sec-ssl-profile-client)#certificate requirement
extended-key-usage
• These commands check that all the trusted certificates or certificates in the chain have a CA basic constraints set to true.
switch(config-mgmt-sec-ssl-profile-client)#trust certificate requirement
basic-constraints ca true
switch(config-mgmt-sec-ssl-profile-client)#chain certificate requirement
basic-constraints ca true
• This command enables the Federal Information Processing Standards (FIPS) mode for a SSL profile.
switch(config-mgmt-sec-ssl-profile-client)#fips restrictions
show management security ssl certificate
The show management security ssl certificate command displays information about the certificate. Provide the name of the certificate if you want to view more information of the certificate. If no name is provided, this command displays information of all the certificates.
Command Mode
EXEC
Command Syntax
show management security ssl certificate [certificate_name]
Parameter
• certificate_name name of the certificate. This is optional.
Example
• This command displays the server.crt certificate information.
switch#show management security ssl certificate server.crt
Certificate server.crt:
Version: 1
Serial Number: 9
Issuer:
Common name: ca
Email address: ca@foo.com
Organizational unit: Foo Org
Organization: Foo
Locality: SC
State: CA
Country: US
Validity:
Not before: Aug 11 21:44:17 2014 GMT
Not After: May 14 21:44:17 2069 GMT
Subject:
Common name: server
Email address: server@arista.com
Organizational unit: Foo Org
Organization: Foo
Locality: SC
State: CA
Country: US
Subject public key info:
Encryption Algorithm: RSA
Size: 2048 bits
Public exponent: 65537
Modulus: e04e3ff8e1c64dbcb141fe96133f998e90a322c671b9f28307bf873
2239f69804a77fbb8f146841eb6253b7bb50bf6c66bbf3097ec695b
0d7985cfdd939c9913b4ba4f6cb8655b208ed0254a269ecab574987
9f54c8c7f0b3a57a7ab826870119083222ad5ee76d40f3fae49d36e
b502f8c3f541fa3bae59743cced6e6ca04f6ca6c9268744add79c3a
c08af6b451455b4a61071f4c0b3ec3553585312783e9381f65bb0e2
ea5ee80085f5216d303cf704372b2fa1aae62756c3762441fcc1c04
97ee6190586ed28c0e376f48e53f05a40c7e1f3a65e3c6165bae5df
f8178d12dd744ddf5db100b33c46b40e53f0a1c7d49f83488976c5d
635a831d5ec96d841
show management security ssl crl
The show management security ssl crl command displays the basic information on the installed certificate revocation list (CRLs).To view information of a specific CRL provide the name of the CRL. If no name is provided, this command shows information of all the CRLs.
Note The command only shows basic information and does not show any information on the revocation status of certificates.
Command Mode
EXEC
Command Syntax
show management security ssl crl
Example
• This command displays the basic information of the intermediate.crl CRL.
switch#show management security ssl crl intermediate.crl
CRL intermediate.crl:
CRL Number: 11
Issuer:
Common name: intermediate
Email address: intermediate@foo.com
Organizational unit: Foo Org
Organization: Foo
State: CA
Country: US
Validity:
Last Update: Jul 19 19:27:34 2016 GMT
Next Update: Dec 05 19:27:34 2043 GMT
show management security ssl diffie-hellman
The show management security ssl diffie-hellman command displays the Diffie-Hellman parameter information.
Command Mode
EXEC
Command Syntax
show management security ssl diffie-hellman
Example
• This command displays the Diffie-Hellman parameter information.
switch#show management security ssl diffie-hellman
Last successful reset on Apr 10 16:18:08 2015
Diffie-Hellman Parameters 1024 bits
Generator: 2
Prime: dc47b5edc0d2b41451432f79f45efab452bba7b1ab118c194d671d6752ed1c550
664ed8f052ad0fdad623c1d54ae5aee5e728d2bd7a6221636b787a4c08d1fef8c
6dcd10759d38f8b70b47d1c7972d69b0b295a2ee6ab44cfc7352cb133e85197c8
9f1fc27aac7e8e02afb4fb01ca1cb05558a7bef505b73a8d06cdfe403576b
show management security ssl key
The show management security ssl key command displays the RSA key information. To view information of a specific key, provide the name of the key in the command. If no name is provided, this command displays information of all the keys.
Note For security reasons, only the public part of the key is shown.
Command Mode
EXEC
Command Syntax
show management security ssl key [key_name]
Parameter
• key_name name of the key. This is optional.
Example
• This command displays the server.key key information.
switch#show management security ssl key server.key
Key server.key:
Encryption Algorithm: RSA
Size: 2048 bits
Public exponent: 65537
Modulus: e04e3ff8e1c64dbcb141fe96133f998e90a322c671b9f28307bf873
2239f69804a77fbb8f146841eb6253b7bb50bf6c66bbf3097ec695b
0d7985cfdd939c9913b4ba4f6cb8655b208ed0254a269ecab574987
9f54c8c7f0b3a57a7ab826870119083222ad5ee76d40f3fae49d36e
b502f8c3f541fa3bae59743cced6e6ca04f6ca6c9268744add79c3a
c08af6b451455b4a61071f4c0b3ec3553585312783e9381f65bb0e2
ea5ee80085f5216d303cf704372b2fa1aae62756c3762441fcc1c04
97ee6190586ed28c0e376f48e53f05a40c7e1f3a65e3c6165bae5df
f8178d12dd744ddf5db100b33c46b40e53f0a1c7d49f83488976c5d
635a831d5ec96d841
show management security ssl profile
The show management security ssl profile command displays the SSL profile status information. To display information of a specific SSL profile, provide the name of the profile. If no name is provided, this command displays profile status of all the SSL profiles.
If there are any errors in the SSL profile, the state is shown ‘invalid’ and the errors are listed in the third column as shown in the example below.
Command Mode
EXEC
Command Syntax
show management security ssl profile [profile_name]
Parameter
• profile_name name of the SSL profile, this is optional.
Example
• This command displays the SSL profile status of profile server.
switch#show management security ssl profile server
Profile State
------------- -----------
server valid
• If the certificate 'server.crt' does not match with the key the following error occurs.
switch#show management security ssl profile server
Profile State Error
------------- ------------- ----------------------------------------
server invalid Certificate 'server.crt' does not match
with key
• If a trusted certificate 'ca2.crt' does not exist the following error occurs.
switch#show management security ssl profile server
Profile State Error
------------- ------------- ----------------------------------------
server invalid Certificate 'ca2.crt' does not exist
• If a trusted certificate 'foo.crt' is not self-signed root certificate the following error occurs.
switch#show management security ssl profile server
Profile State Error
------------- ------------- ----------------------------------------
server invalid Certificate 'foo.crt' is trusted and not
a root certificate
• If the certificate 'server.crt' is expired the following error occurs.
switch#show management security ssl profile server
Profile State Error
------------- ------------- ----------------------------------------
server invalid Certificate 'server.crt' has expired
• If the certificate chain is missing an intermediate certificate the following error occurs.
switch#show management security ssl profile server
Profile State Error
-------------- ------------- ---------------------------------------------
server invalid Profile has invalid certificate chain
Certificate 'intermediate.crt' does not exist