Fabric OS Administrator’s Guide 151
53-1001763-02
Authentication policy for fabric elements 7
You can request a certificate from a CA through a Web browser. After you request a certificate,
the CA either sends certificate files by e-mail (public) or gives access to them on a remote host
(private). Typically, the CA provides the certificate files listed in Table 31.
ATTENTION
Only the .pem file is supported for FCAP authentication.
5. On each switch, install the CA certificate before installing switch certificate.
6. After the CA certificate is installed, install the switch certificate on each switch.
7. Update the switch database for peer switches to use third-party certificates.
8. Use the newly installed certificates by starting the authentication process.

Generating the key and CSR for FCAP

The public/private key and CSR has to be generated for the local and remote switches that will
participate in the authentication. In FCAP, one command is used to generate the public/private key
the CSR, and the passphrase.
1. Log in to the switch using an account assigned to the admin role.
2. Enter the secCertUtil generate -fcapall -keysize command on the local switch.
switch:admin> seccertutil generate -fcapall -keysize 1024
WARNING!!!
About to create FCAP:
ARE YOU SURE (yes, y, no, n): [no] y
Installing Private Key and Csr...
Switch key pair and CSR generated...
3. Repeat step 2 on the remote switch.

Exporting the CSR for FCAP

You will need to export the CSR file created in “Generating the key and CSR for FCAP” section and
send to a Certificate Authority (CA). The CA will in turn provide two files as outlined in “FCAP
configuration overview” on page 150.
1. Log in to the switch using an account assigned to the admin role.
2. Enter the secCertUtil export –fcapswcsr command.
switch:admin> seccertutil export -fcapswcert
Select protocol [ftp or scp]: scp
Enter IP address: 10.1.2.3
Enter remote directory: /myHome/jdoe/OPENSSL
Enter Login Name: jdoe
TABLE 31 FCAP certificate files
Certificate file Description
nameCA.pem The CA certificate. It must be installed on the remote and local switch to verify the
validity of the switch certificate or switch validation fails.
name.pem The switch certificate.