450 Managing keys and certificates
NN47250-500 (320657-F Version 02.01)

PKCS #7, PKCS #10, and PKCS #12 object files

Public-Key Cryptography Standards (PKCS) are encryption interface standards created by RSA Data Security, Inc., that provide a file format for transferring data and cryptographic information. Nortel supports the PKCS object files listed in Table 1.

Certificates automatically generated by WSS Software

The first time you boot a switch with WSS Software Version 4.2 or later, WSS Software automatically generates keys and self-signed certificates, in cases where certificates are not already configured or installed. WSS Software can automatically generate all the following types of certificates and their keys:

• Admin (required for administrative access to the switch by Web View or WLAN Management Software)
• EAP (required for 802.1X user access through the switch)
• Web (required for Web-based AAA user access through the switch)

Table 1: PKCS object files supported by Nortel

File Type: PKCS #7
Standard: Cryptographic Message Syntax Standard
Purpose: Contains a digital certificate signed by a CA.
To install the certificate from a PKCS #7 file, use the crypto certificate command to prepare WSS Software to receive the certificate, then copy and paste the certificate into the CLI.
A PKCS #7 file does not contain the public key to go with the certificate. Before you generate the CSR and install the certificate, you must generate the public-private key pair using the crypto generate key command.

File Type: PKCS #10
Standard: Certification Request Syntax Standard
Purpose: Contains a Certificate Signing Request (CSR), a special file with encoded information needed to request a digital certificate from a CA.
To generate the request, use the crypto generate request command. Copy and paste the results directly into a browser window on the CA server, or into a file to send to the CA server.

File Type: PKCS #12
Standard: Personal Information Exchange Syntax Standard
Purpose: Contains a certificate signed by a CA and a public-private key pair provided by the CA to go with the certificate.
Because the key pair comes from the CA, you do not need to generate a key pair or a certificate request on the switch. Instead, use the copy tftp command to copy the file onto the WSS.
Use the crypto otp command to enter the one-time password assigned to the file by the CA. (This password secures the file so that the keys and certificate cannot be installed by an unauthorized party. You must know the password in order to install them.)
Use the crypto pkcs12 command to unpack the file.
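The following is an added example, not part of the Nortel manual: a workstation-side check that inspects the ASN.1 structure of a file received from a CA to decide which row of Table 1 applies, and returns the commands that row names. The function names, the WORKFLOW mapping, and the sample bytes are assumptions made for illustration; command arguments are omitted because the page does not give them.

```python
import base64
import re

# Commands are those named in Table 1; arguments are omitted (the page gives none).
WORKFLOW = {
    "PKCS #7": ["crypto generate key", "crypto generate request", "crypto certificate"],
    "PKCS #10": ["crypto generate key", "crypto generate request"],
    "PKCS #12": ["copy tftp", "crypto otp", "crypto pkcs12"],
}
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
SAMPLE_PFX = bytes.fromhex("30820a00020103")  # constructed: first bytes of a PFX

def der_header(buf, pos):
    """Return (tag, content_start, content_length); length is None if indefinite."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        return tag, pos + 2, first
    n = first & 0x7F
    if n == 0:                             # BER indefinite length, seen in PKCS #7
        return tag, pos + 2, None
    if n > 4 or pos + 2 + n > len(buf):
        raise ValueError("bad DER length")
    return tag, pos + 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")

def classify(data):
    """Heuristically classify bytes as 'PKCS #7', 'PKCS #10', 'PKCS #12' or 'unknown'."""
    m = PEM_RE.search(data)
    try:
        if m:                              # PEM armor: decode, ignore the label
            data = base64.b64decode(m.group(2))
        tag, start, _ = der_header(data, 0)
        if tag != 0x30:                    # every PKCS object here is a SEQUENCE
            return "unknown"
        tag, start, length = der_header(data, start)
    except (IndexError, ValueError):
        return "unknown"
    body = data[start:] if length is None else data[start:start + length]
    if tag == 0x02 and body == b"\x03":              # PFX version INTEGER 3
        return "PKCS #12"
    if tag == 0x06 and body == SIGNED_DATA_OID:      # ContentInfo: signedData
        return "PKCS #7"
    if tag == 0x30 and body[:3] == b"\x02\x01\x00":  # CertificationRequestInfo v1(0)
        return "PKCS #10"
    return "unknown"

def next_steps(data):
    """Commands from Table 1 for this file type; empty list if unrecognised."""
    return WORKFLOW.get(classify(data), [])
```

Only the outer headers are read, so the check works on a password-protected PKCS #12 file without the one-time password and never touches key material.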