Creating a keyring and signing-request, and importing the signed certificate.
In this example, we will use a keyring named sslkey.
Create a new keyring named "sslkey" on MC:
conf t
ssl
create keyring sslkey algorithm rsa length 2048 showable yes
Create a certificate signing-request (CSR) for keyring "sslkey":
create signing-request sslkey subject "C=US,ST=CA,O=Symantec,CN=mc.company.com alternative-names 192.168.100.20"
View the signing-request for keyring "sslkey":
view signing-request sslkey
Once the CSR is signed by your internal PKI server, import the signed certificate:
conf t
ssl
inline certificate sslkey
(follow the instructions on the SSH screen)
To view keyring information under the (config-ssl) prompt:
view keyring sslkey
To view the private key on MC - copy it to use later in the inline keyring default step:
view keypair sslkey
To view the certificate - copy it to use later in the inline certificate default step:
view certificate sslkey
A private key and signed certificate created off box can also be imported to MC.
Note that the example below will overwrite the "default" certificate:
conf t
ssl
inline keyring default showable yes
(follow the instructions on the SSH screen, pasting the private key collected in the view keypair sslkey step)
inline certificate default
(follow the instructions on the SSH screen, pasting the certificate collected in the view certificate sslkey step)
The internal root and/or intermediate CA certificate that signed the certificate should be imported to Management Center and added to the browser-trusted CCL.
To import the root and/or intermediate CA under the (config-ssl) prompt:
inline ca-certificate internal_root_ca
(follow the instructions on screen)
edit ccl browser-trusted
add internal_root_ca
Notes:
MC presents the keyring named "default" when the web management console is accessed, so that keyring needs to be overwritten with the new information if you wish to use a signed certificate.
Device-communication should match the CN or Subject Alternative Name you defined on your "default" signed certificate.
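Added example (not part of the original procedure or the vendor's documentation): a pre-import check, run with openssl on the workstation holding the off-box key and certificate, that confirms the certificate matches the private key, chains to the internal root, and covers the names used for device-communication. The lab PKI, the file names, the function names and the DNS entry in the SAN are constructed assumptions.

```shell
#!/bin/sh
# Pre-import checks for a private key and certificate created off box.
# Added example: file names and the lab PKI are constructed, not taken from MC.

key_matches_cert() {   # key.pem cert.pem -> 0 if the cert carries this key's public half
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

cert_covers_name() {   # cert.pem name-or-ip -> 0 if the certificate matches that name
    case "$2" in
        *[!0-9.]*) opt=-checkhost ;;   # anything non-numeric is treated as a hostname
        *)         opt=-checkip ;;
    esac
    openssl x509 -in "$1" -noout "$opt" "$2" 2>/dev/null | grep -q 'does match'
}

chains_to() {          # ca.pem cert.pem -> 0 if the cert verifies against that CA
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

make_lab_pki() {       # dir -> constructed root CA, MC key, CSR and signed certificate
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=internal_root_ca" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/C=US/ST=CA/O=Symantec/CN=mc.company.com" \
        -keyout "$1/mc.key" -out "$1/mc.csr" 2>/dev/null &&
    printf 'subjectAltName=DNS:mc.company.com,IP:192.168.100.20\n' > "$1/san.ext" &&
    openssl x509 -req -in "$1/mc.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 2 -extfile "$1/san.ext" -out "$1/mc.pem" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null   # unrelated key for the negative case
}

preflight() {          # key cert ca name... -> one verdict per check, 0 only if all pass
    key=$1 cert=$2 ca=$3 rc=0; shift 3
    key_matches_cert "$key" "$cert" && echo "PASS key matches certificate" ||
        { echo "FAIL key does not match certificate"; rc=1; }
    chains_to "$ca" "$cert" && echo "PASS chains to $ca" ||
        { echo "FAIL does not chain to $ca"; rc=1; }
    for n in "$@"; do
        cert_covers_name "$cert" "$n" && echo "PASS covers $n" ||
            { echo "FAIL does not cover $n"; rc=1; }
    done
    return $rc
}

# Constructed run: build the lab PKI in a temp dir and check the pair before import.
lab=$(mktemp -d) && make_lab_pki "$lab" &&
    preflight "$lab/mc.key" "$lab/mc.pem" "$lab/ca.pem" mc.company.com 192.168.100.20
```

Against real files, call preflight with the key and certificate you intend to paste into inline keyring default and inline certificate default, the root you import as internal_root_ca, and every name or address that device-communication will use.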