5.6 TLS Commands
Configuration Commands
Show Commands
copy file: certificate:
The copy file: certificate: command copies a certificate to the certificate: file system. The certificate can be copied from any source URL that the copy command supports.
Command Mode
Global Configuration
Command Syntax
copy file: file_name certificate:
Parameters
file_name     location or path of the file or directory where the certificate is saved.
Guidelines
Consider the following points when using the copy command:
In general, a single source file can contain multiple PEM-encoded certificates, but only one PEM-encoded certificate per file is supported. Copying a file that contains multiple PEM entities fails and displays an error.
Copying a source file that contains an invalid PEM-encoded certificate fails and displays an error.
Copying a source file that contains a certificate with a password-protected key fails and displays an error.
The following errors can occur when copying certificates:
When a file containing multiple PEM-encoded certificates is copied, the copy fails and the following error is displayed.
switch(config)#copy file:tmp/ssl/multi.crt certificate:
% Error copying file:tmp/ssl/multi.crt to certificate: (Multiple PEM entities in single file not supported)
When a source file containing an invalid PEM-encoded certificate is copied, the copy fails and the following error is displayed.
switch(config)#copy file:tmp/ssl/bad.crt certificate:
% Error copying file:tmp/ssl/bad.crt to certificate: (Invalid certificate)
When a source file containing a password-protected key is copied, the copy fails and the following error is displayed.
switch(config)#copy file:tmp/ssl/pass.key sslkey:
% Error copying file:tmp/ssl/pass.key to sslkey: (Password protected keys are not supported)
Only certificates with RSA public keys are supported. When a certificate without an RSA public key is copied, the copy fails and the following error is displayed.
switch(config)#copy file:tmp/ssl/dsa.crt certificate:
% Error copying file:tmp/ssl/dsa.crt to certificate: (Certificate does not have RSA key)
Example
This command copies the server.crt certificate to the certificate: file system.
switch(config)#copy file:/tmp/ssl/server.crt certificate:
Copy completed successfully.
copy file: sslkey:
The copy file: sslkey: command copies an SSL key to the sslkey: file system. The key can be copied from any source URL that the copy command supports.
Command Mode
Global Configuration
Command Syntax
copy file: file_name sslkey:
Parameters
file_name     location or path of the file or directory where the key is saved.
Guidelines
Consider the following points when using the copy command:
In general, a single source file can contain multiple PEM-encoded keys, but only one PEM-encoded key per file is supported. Copying a file that contains multiple PEM entities fails and displays an error.
Copying a source file that contains an invalid PEM-encoded key fails and displays an error.
The following errors can occur when copying keys:
When a file containing multiple PEM-encoded keys is copied, the copy fails and the following error is displayed.
switch#copy file:tmp/ssl/multi.key sslkey:
% Error copying file:tmp/ssl/multi.key to sslkey: (Multiple PEM entities in single file not supported)
When a source file containing an invalid PEM-encoded key is copied, the copy fails and the following error is displayed.
switch#copy file:tmp/ssl/bad.key sslkey:
% Error copying file:tmp/ssl/bad.key to sslkey: (Invalid RSA key)
Example
This command copies the server.key key to the sslkey: file system.
switch(config)#copy file:/tmp/ssl/server.key sslkey:
Copy completed successfully.
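The guidelines for copy file: certificate: and copy file: sslkey: above list the conditions under which the switch rejects a file. The following added example (not Arista code) vets a PEM file for those same conditions before it is copied: one PEM entity per file, a decodable payload, RSA only, and no password-protected keys. RSA detection is a stdlib heuristic that looks for the rsaEncryption OID in the DER payload rather than fully parsing X.509 or PKCS#8, and the sample inputs are constructed stand-ins, not real certificates.

```python
# Pre-flight check mirroring the copy commands' documented rejections (added example).
import base64, binascii, re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # DER of OID 1.2.840.113549.1.1.1

def _der(body):
    """Decode one PEM block's base64 payload, or None if it is malformed."""
    try:
        return base64.b64decode("".join(body.split()), validate=True)
    except (binascii.Error, ValueError):
        return None

def preflight(pem_text, target):
    """Return "ok" if `copy file: X <target>` should accept the file, else a reason.
    target is "certificate:" or "sslkey:"."""
    blocks = PEM_BLOCK.findall(pem_text)
    if len(blocks) != 1:
        return "multiple PEM entities" if blocks else "no PEM entity found"
    label, body = blocks[0]
    if target == "sslkey:":
        # Encrypted PKCS#8 keys use their own label; legacy PKCS#1 keys carry a
        # Proc-Type header. The switch rejects both.
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            return "password protected key"
        der = _der(body)
        if der is None:
            return "invalid PEM payload"
        if label == "RSA PRIVATE KEY":
            return "ok"  # PKCS#1: the label names the algorithm
        if label == "PRIVATE KEY" and RSA_OID in der:
            return "ok"  # PKCS#8: AlgorithmIdentifier is rsaEncryption
        return "key is not RSA"
    if target == "certificate:":
        der = _der(body)
        if label != "CERTIFICATE" or der is None:
            return "invalid certificate"
        return "ok" if RSA_OID in der else "certificate does not have RSA key"
    raise ValueError("target must be 'certificate:' or 'sslkey:'")

def _pem(label, der, headers=""):
    """Wrap DER bytes as a PEM block (used only to build the constructed samples)."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{headers}{b64}\n-----END {label}-----\n"

# Constructed samples: a bare AlgorithmIdentifier stands in for a full
# certificate or key body, since the check only inspects the algorithm OID.
RSA_ALG = b"\x30\x0d" + RSA_OID + b"\x05\x00"
EC_ALG = bytes.fromhex("301306072a8648ce3d020106082a8648ce3d030107")  # id-ecPublicKey
SAMPLES = {
    "rsa_cert": _pem("CERTIFICATE", RSA_ALG),
    "ec_cert": _pem("CERTIFICATE", EC_ALG),
    "two_certs": _pem("CERTIFICATE", RSA_ALG) * 2,
    "garbage": "-----BEGIN CERTIFICATE-----\nnot*base64!\n-----END CERTIFICATE-----\n",
    "rsa_pkcs1": _pem("RSA PRIVATE KEY", b"\x30\x00"),
    "rsa_pkcs8": _pem("PRIVATE KEY", RSA_ALG),
    "enc_pkcs1": _pem("RSA PRIVATE KEY", b"\x30\x00", "Proc-Type: 4,ENCRYPTED\n\n"),
    "enc_pkcs8": _pem("ENCRYPTED PRIVATE KEY", b"\x30\x00"),
}
```

Run preflight(open(path).read(), "certificate:") or preflight(..., "sslkey:") on the file you intend to copy; anything other than "ok" corresponds to one of the copy errors documented above.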
delete certificate:
The delete certificate: command deletes the specified certificate from the certificate: file system on the switch.
Command Mode
Global Configuration
Command Syntax
delete certificate: certificate_name
Parameters
certificate_name     name of the certificate to be deleted.
Example
This command deletes the server.crt certificate from the switch.
switch(config)#delete certificate:server.crt
 
delete sslkey:
The delete sslkey: command deletes an SSL key from the sslkey: file system on the switch.
Command Mode
Global Configuration
Command Syntax
delete sslkey: key_name
Parameters
key_name     name of the key to be deleted.
Example
This command deletes the server.key SSL key on the switch.
switch(config)#delete sslkey:server.key
dir certificate:
The dir certificate: command displays the directory listing of the certificate: file system on the switch.
Command Mode
Global Configuration
Command Syntax
dir certificate:
Example
This command shows the directory listing of the certificate: file system on the switch.
switch(config)#dir certificate:
Directory of certificate:/
   -rw- 3319 Apr 10 11:50 server.crt
No space information available
dir sslkey:
The dir sslkey: command displays the directory listing of the sslkey: file system on the switch.
Command Mode
Global Configuration
Command Syntax
dir sslkey:
Example
This command shows the directory listing of the sslkey: file system on the switch.
switch(config)#dir sslkey:
Directory of sslkey:/
   -rw- 1675 Apr 10 12:55 server.key
No space information available
reset ssl diffie-hellman parameters
The reset ssl diffie-hellman parameters command resets the Diffie-Hellman parameters file after a system reboot.
Command Mode
Global Configuration
Command Syntax
reset ssl diffie-hellman parameters
Example
This command resets the Diffie-Hellman parameters file.
switch(config)#reset ssl diffie-hellman parameters
 
 
 
security pki certificate generate
The security pki certificate generate command generates a self-signed certificate or a certificate signing request (CSR). The generated CSR is displayed on the CLI, whereas a self-signed certificate is saved to the certificate: file system.
Additional parameters can be applied to the certificate, as shown in the examples below.
Command Mode
Global Configuration
Command Syntax
security pki certificate generate {self-signed | signing-request} certificate_name key key_name
Parameters
self-signed     generates a self-signed certificate.
signing-request     generates a certificate signing request.
certificate_name     name of the certificate to generate.
key_name     name of the key to use for the certificate.
digest     signs the certificate or key with the specified cryptographic hash algorithm (sha256, sha384, sha512).
validity     validity of the certificate in days. Value ranges from 1 to 30000.
parameters     signing request parameters for the certificate. Options include:
    common-name     common name for use in subject
    country     two-letter country code for use in subject
    email     email address for use in subject
    locality     locality name for use in subject
    organization     organization name for use in subject
    organization-unit     organizational unit name for use in subject
    state     state for use in subject
    subject-alternative-name     subject alternative name extension
Examples
This command generates a self-signed certificate. In the example below, an existing private key (test.key) is used to generate the certificate.
switch(config)#security pki certificate generate self-signed test.crt key test.key
This command generates a CSR and specifies the digest and the validity (in days) of the certificate.
switch(config)#security pki certificate generate signing-request key test.key digest sha256 validity 365
This command adds certificate subject parameters such as common-name, country and email.
switch(config)#security pki certificate generate signing-request key test.key parameters common-name Test [country US ...]
security pki key generate
The security pki key generate command generates an RSA key used to validate a specific certificate.
A generated key can be modified and saved by specifying a new length in the generate rsa <length> parameter.
Command Mode
Global Configuration
Command Syntax
security pki key generate rsa {2048 | 3072 | 4096} key_name
Parameters
rsa     use the Rivest-Shamir-Adleman (RSA) algorithm. Key length options include:
2048     Use 2048-bit keys
3072     Use 3072-bit keys
4096     Use 4096-bit keys
key_name     name of the key to generate.
Examples
This command generates a 2048-bit RSA private key (test.key) and saves it to sslkey:test.key.
switch(config)#security pki key generate rsa 2048 test.key
These commands modify the length of the generated RSA key while generating a certificate or CSR.
switch(config)#security pki certificate generate self-signed test.crt key test.key generate rsa 4096
switch(config)#security pki certificate generate signing-request key test.key generate rsa 2048
ssl profile
The ssl profile command places the switch in SSL profile configuration mode, in which the SSL profile is configured. For example, this mode allows an SSL profile to be configured with a certificate and its corresponding RSA key.
Similarly, trust certificates, chain certificates, CRLs, TLS versions and cipher lists can be configured for an SSL profile in this mode.
The no form of the command deletes the SSL profile configuration from running-config.
Command Mode
Management Security Mode
SSL Profile Mode
Command Syntax
ssl profile profile_name
Parameter
profile_name     name of the profile.
Examples
These commands place the switch in SSL profile mode.
switch#config
switch(config)#management security
switch(config-mgmt-security)#ssl profile server
switch(config-mgmt-sec-ssl-profile-server)#
These commands configure the SSL profile server with a certificate and its corresponding RSA key. The no command deletes the certificate configuration.
switch#config
switch(config)#management security
switch(config-mgmt-security)#ssl profile server
switch(config-mgmt-sec-ssl-profile-server)#certificate server.crt key server.key
switch(config-mgmt-sec-ssl-profile-server)#no certificate server.crt key server.key
These commands configure the trust certificate ca1.crt for an SSL profile. The no command deletes the trusted certificate configuration.
switch#config
switch(config)#management security
switch(config-mgmt-security)#ssl profile server
switch(config-mgmt-sec-ssl-profile-server)#trust certificate ca1.crt
switch(config-mgmt-sec-ssl-profile-server)#no trust certificate ca1.crt
These commands configure the intermediate.crt chain certificate for an SSL profile. The no command deletes the chain certificate configuration.
switch#config
switch(config)#management security
switch(config-mgmt-security)#ssl profile server
switch(config-mgmt-sec-ssl-profile-server)#certificate server.crt key server.key
switch(config-mgmt-sec-ssl-profile-server)#chain certificate intermediate.crt
switch(config-mgmt-sec-ssl-profile-server)#no chain certificate intermediate.crt
These commands provide certificate revocation lists (CRLs) to an SSL profile to check the revocation status of the certificate chain. The no command deletes a CRL configuration.
switch#config
switch(config)#management security
switch(config-mgmt-security)#ssl profile server
switch(config-mgmt-sec-ssl-profile-server)#crl intermediate.crl
switch(config-mgmt-sec-ssl-profile-server)#crl ca.crl
switch(config-mgmt-sec-ssl-profile-server)#no crl ca.crl
These commands configure TLSv1.2 to be used in the SSL profile.
switch#config
switch(config)#management security
switch(config-mgmt-security)#ssl profile server
switch(config-mgmt-sec-ssl-profile-server)#tls versions 1.2
These commands build a cipher suite list.
switch#config
switch(config)#management security
switch(config-mgmt-security)#ssl profile server
switch(config-mgmt-sec-ssl-profile-server)#cipher-list AESGCM
switch(config-mgmt-sec-ssl-profile-server)#cipher-list SHA256:SHA38
switch(config-mgmt-sec-ssl-profile-server)#cipher-list ECDHE-ECDSA-AES256-GCM-SHA384
This command checks that the certificate has an extended key usage attribute.
switch(config-mgmt-sec-ssl-profile-client)#certificate requirement extended-key-usage
These commands check that all trusted certificates, or all certificates in the chain, have the CA basic constraint set to true.
switch(config-mgmt-sec-ssl-profile-client)#trust certificate requirement basic-constraints ca true
switch(config-mgmt-sec-ssl-profile-client)#chain certificate requirement basic-constraints ca true
This command enables Federal Information Processing Standards (FIPS) mode for an SSL profile.
switch(config-mgmt-sec-ssl-profile-client)#fips restrictions
show management security ssl certificate
The show management security ssl certificate command displays information about certificates. Provide the name of a certificate to view detailed information about that certificate. If no name is provided, the command displays information about all certificates.
Command Mode
EXEC
Command Syntax
show management security ssl certificate [certificate_name]
Parameter
certificate_name     name of the certificate (optional).
Example
This command displays the server.crt certificate information.
switch#show management security ssl certificate server.crt
Certificate server.crt:
Version:                    1
Serial Number:              9
Issuer:
    Common name:             ca
    Email address:           ca@foo.com
    Organizational unit:     Foo Org
    Organization:            Foo
    Locality:                SC
    State:                   CA
    Country:                 US
Validity:
    Not before:             Aug 11 21:44:17 2014 GMT
    Not After:              May 14 21:44:17 2069 GMT
Subject:
    Common name:            server
    Email address:          server@arista.com
    Organizational unit:    Foo Org
    Organization:           Foo
    Locality:               SC
    State:                  CA
    Country:                US
Subject public key info:
    Encryption Algorithm:   RSA
    Size:                   2048 bits
    Public exponent:        65537
    Modulus:                e04e3ff8e1c64dbcb141fe96133f998e90a322c671b9f28307bf873
                            2239f69804a77fbb8f146841eb6253b7bb50bf6c66bbf3097ec695b
                            0d7985cfdd939c9913b4ba4f6cb8655b208ed0254a269ecab574987
                            9f54c8c7f0b3a57a7ab826870119083222ad5ee76d40f3fae49d36e
                            b502f8c3f541fa3bae59743cced6e6ca04f6ca6c9268744add79c3a
                            c08af6b451455b4a61071f4c0b3ec3553585312783e9381f65bb0e2
                            ea5ee80085f5216d303cf704372b2fa1aae62756c3762441fcc1c04
                            97ee6190586ed28c0e376f48e53f05a40c7e1f3a65e3c6165bae5df
                            f8178d12dd744ddf5db100b33c46b40e53f0a1c7d49f83488976c5d
                            635a831d5ec96d841
show management security ssl crl
The show management security ssl crl command displays basic information about the installed certificate revocation lists (CRLs). To view information about a specific CRL, provide its name. If no name is provided, the command shows information about all CRLs.
Note: The command only shows basic information and does not show the revocation status of certificates.
Command Mode
EXEC
Command Syntax
show management security ssl crl [crl_name]
Example
This command displays basic information about the intermediate.crl CRL.
switch#show management security ssl crl intermediate.crl
CRL intermediate.crl:
   CRL Number: 11
   Issuer:
      Common name: intermediate
      Email address: intermediate@foo.com
      Organizational unit: Foo Org
      Organization: Foo
      State: CA
      Country: US
   Validity:
      Last Update: Jul 19 19:27:34 2016 GMT
      Next Update: Dec 05 19:27:34 2043 GMT
show management security ssl diffie-hellman
The show management security ssl diffie-hellman command displays the Diffie-Hellman parameter information.
Command Mode
EXEC
Command Syntax
show management security ssl diffie-hellman
Example
This command displays the Diffie-Hellman parameter information.
switch#show management security ssl diffie-hellman
Last successful reset on Apr 10 16:18:08 2015
Diffie-Hellman Parameters 1024 bits
Generator: 2
Prime:     dc47b5edc0d2b41451432f79f45efab452bba7b1ab118c194d671d6752ed1c550
            664ed8f052ad0fdad623c1d54ae5aee5e728d2bd7a6221636b787a4c08d1fef8c
            6dcd10759d38f8b70b47d1c7972d69b0b295a2ee6ab44cfc7352cb133e85197c8
            9f1fc27aac7e8e02afb4fb01ca1cb05558a7bef505b73a8d06cdfe403576b
show management security ssl key
The show management security ssl key command displays RSA key information. To view information about a specific key, provide the name of the key. If no name is provided, the command displays information about all keys.
Note: For security reasons, only the public part of the key is shown.
Command Mode
EXEC
Command Syntax
show management security ssl key [key_name]
Parameter
key_name     name of the key (optional).
Example
This command displays the server.key key information.
switch#show management security ssl key server.key
Key server.key:
Encryption Algorithm: RSA
Size:                 2048 bits
Public exponent:      65537
Modulus:              e04e3ff8e1c64dbcb141fe96133f998e90a322c671b9f28307bf873
                       2239f69804a77fbb8f146841eb6253b7bb50bf6c66bbf3097ec695b
                       0d7985cfdd939c9913b4ba4f6cb8655b208ed0254a269ecab574987
                       9f54c8c7f0b3a57a7ab826870119083222ad5ee76d40f3fae49d36e
                       b502f8c3f541fa3bae59743cced6e6ca04f6ca6c9268744add79c3a
                       c08af6b451455b4a61071f4c0b3ec3553585312783e9381f65bb0e2
                       ea5ee80085f5216d303cf704372b2fa1aae62756c3762441fcc1c04
                       97ee6190586ed28c0e376f48e53f05a40c7e1f3a65e3c6165bae5df
                       f8178d12dd744ddf5db100b33c46b40e53f0a1c7d49f83488976c5d
                       635a831d5ec96d841
show management security ssl profile
The show management security ssl profile command displays SSL profile status information. To display information about a specific SSL profile, provide the name of the profile. If no name is provided, the command displays the status of all SSL profiles.
If there are any errors in an SSL profile, its state is shown as 'invalid' and the errors are listed in the Error column, as shown in the examples below.
Command Mode
EXEC
Command Syntax
show management security ssl profile [profile_name]
Parameter
profile_name     name of the SSL profile (optional).
Example
This command displays the status of the SSL profile server.
switch#show management security ssl profile server
Profile      State
------------- -----------
server       valid
If the certificate 'server.crt' does not match the key, the following error occurs.
switch#show management security ssl profile server
Profile        State       Error
------------- ------------- ----------------------------------------
server         invalid     Certificate 'server.crt' does not match
                            with key
If the trusted certificate 'ca2.crt' does not exist, the following error occurs.
switch#show management security ssl profile server
Profile        State       Error
------------- ------------- ----------------------------------------
server         invalid     Certificate 'ca2.crt' does not exist
If the trusted certificate 'foo.crt' is not a self-signed root certificate, the following error occurs.
switch#show management security ssl profile server
Profile        State       Error
------------- ------------- ----------------------------------------
server         invalid     Certificate 'foo.crt' is trusted and not
                           a root certificate
If the certificate 'server.crt' has expired, the following error occurs.
switch#show management security ssl profile server
Profile        State       Error
------------- ------------- ----------------------------------------
server         invalid     Certificate 'server.crt' has expired
If the certificate chain is missing an intermediate certificate, the following error occurs.
switch#show management security ssl profile server
Profile        State       Error
------------- ------------- ----------------------------------------
server         invalid     Profile has invalid certificate chain
                            Certificate 'intermediate.crt' does not exist
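Two of the profile errors above, a certificate that does not match its key and an expired certificate, can be re-checked offline from the output of the show management security ssl certificate and show management security ssl key commands. The following added example (not Arista code) does that by parsing the wrapped Modulus field and the Not After timestamp; the sample output is a constructed, abbreviated copy of this page's show examples.

```python
# Audit helper (added example, not Arista code): re-check two of the SSL
# profile validations offline from the two show commands' text output.
import re
from datetime import datetime, timezone
# Constructed sample output, abbreviated from this page's examples: the real
# modulus is 2048 bits; two wrapped lines are enough to exercise the parser.
CERT_OUTPUT = """Certificate server.crt:
Version:                    1
Validity:
    Not before:             Aug 11 21:44:17 2014 GMT
    Not After:              May 14 21:44:17 2069 GMT
Subject public key info:
    Encryption Algorithm:   RSA
    Size:                   2048 bits
    Public exponent:        65537
    Modulus:                e04e3ff8e1c64dbcb141fe96133f998e90a322c671b9f28307bf873
                            2239f69804a77fbb8f146841eb6253b7bb50bf6c66bbf3097ec695b
"""
KEY_OUTPUT = """Key server.key:
Encryption Algorithm: RSA
Size:                 2048 bits
Public exponent:      65537
Modulus:              e04e3ff8e1c64dbcb141fe96133f998e90a322c671b9f28307bf873
                       2239f69804a77fbb8f146841eb6253b7bb50bf6c66bbf3097ec695b
"""
def parse_public_key(text):
    """Return (exponent, modulus_hex) from either command's output. The modulus
    wraps onto continuation lines that carry no field label."""
    exponent = int(re.search(r"Public exponent:\s*(\d+)", text).group(1))
    modulus, collecting = [], False
    for line in text.splitlines():
        m = re.match(r"\s*Modulus:\s*([0-9a-f]+)\s*$", line)
        if m:
            modulus.append(m.group(1))
            collecting = True
            continue
        if collecting:
            cont = re.match(r"\s*([0-9a-f]+)\s*$", line)
            if not cont:
                break  # the next labelled field ends the modulus
            modulus.append(cont.group(1))
    return exponent, "".join(modulus)

def parse_not_after(cert_text):
    """Parse the certificate's 'Not After' timestamp as an aware UTC datetime."""
    stamp = re.search(r"Not After:\s*(.+ GMT)", cert_text).group(1)
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def profile_errors(cert_text, key_text, now=None):
    """Return the profile errors for this pair ([] means valid); now is an optional
    ISO date (YYYY-MM-DD) so the expiry check is reproducible."""
    at = datetime.fromisoformat(now).replace(tzinfo=timezone.utc) if now else datetime.now(timezone.utc)
    name = re.match(r"Certificate (\S+):", cert_text).group(1)
    errors = []
    if parse_public_key(cert_text) != parse_public_key(key_text):
        errors.append(f"Certificate '{name}' does not match with key")
    if parse_not_after(cert_text) < at:
        errors.append(f"Certificate '{name}' has expired")
    return errors
```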