Cisco
300-415 · Question #448
300-415 Question #448: Real Exam Question with Answer & Explanation
The correct answer is D: openssl req -x509 -new-nodes -key XYZ.key -sha256 -days 365 \subj "/C=US/ST=DC/L=DC/O=Cisco/CN=device.. To generate a self-signed root certificate for the SD-WAN Manager using openssl in vShell, the openssl req -x509 command is required.
Security and Quality of Service
Question
A company using Catalyst SD-WAN Manager as its root certificate authority server must generate a root certificate using the vShell (Linux) built into the CLI of Catalyst SD-WAN Manager. Which command must be used to generate the root certificate?
Options
- A. openssl genrsa -out ROOTCA.pem 2048
- B. openssl req -x509 -new-nodes -key XYZ.pem -sha256 -days 365 \subj "/C=US/ST=DC/L=DC/O=Cisco/OU=device lab" -out ABC.key
- C. openssl genrsa -out ROOTCA.key 2048
- D. openssl req -x509 -new-nodes -key XYZ.key -sha256 -days 365 \subj "/C=US/ST=DC/L=DC/O=Cisco/CN=device.
Explanation
To generate a self-signed root certificate for the SD-WAN Manager using openssl in vShell, the openssl req -x509 command is required.
Common mistakes.
- A. This command, openssl genrsa, only generates an RSA private key and does not create a certificate.
- B. While openssl req -x509 generates a certificate, the -key XYZ.pem option assumes a private key already exists and the output ABC.key is an unusual naming convention for a certificate, whereas the question asks to generate a root certificate (implying both key and cert).
- C. Similar to choice A, this command, openssl genrsa, only generates an RSA private key and does not create a certificate.
Concept tested. OpenSSL command for self-signed certificate generation
Reference. https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/sdwan-xe-cr-book/cert-mgmt.html
Topics
#SD-WAN Security #PKI Management #OpenSSL Commands #Certificate Authority