Cisco SPA2102-AU Provisioning Guide - Page 56



Linksys SPA Provisioning Guide, Version 3.0, Chapter 3: Provisioning Tutorial, Secure Resync (page 3-8)
Step 3
For this step, you may need to install the open source OpenSSL package or equivalent software. If using
OpenSSL, the command to generate the basic CSR file is as follows:
openssl req -new -out provserver.csr
This command generates a public/private key pair, which is saved in the privkey.pem file.
Step 4
Submit the CSR file (provserver.csr) to Linksys for signing.
A signed server certificate is returned (provserver.cert) along with a Linksys CA Client Root Certificate,
spacroot.cert.
Step 5
Store the signed server certificate, the private key pair file, and the client root certificate in the
appropriate locations on the server.
In the case of an Apache installation on Linux, these locations are typically as follows:
# Server Certificate:
SSLCertificateFile /etc/httpd/conf/provserver.cert
# Server Private Key:
SSLCertificateKeyFile /etc/httpd/conf/privkey.pem
# Certificate Authority:
SSLCACertificateFile /etc/httpd/conf/spacroot.cert
Step 6
Restart the server.
Step 7
Copy the basic.txt configuration profile from the earlier exercises onto the virtual root directory of the
HTTPS server.
Step 8
Verify proper server operation by downloading basic.txt from the HTTPS server, using a standard
browser from the local PC.
Step 9
Inspect the server certificate supplied by the server.
The browser probably does not recognize it as valid unless the browser has been preconfigured to accept
Linksys as a root CA. However, SPA devices expect the certificate to be signed this way.
Step 10
Modify the Profile_Rule of the test SPA to contain a reference to the HTTPS server in place of the HTTP
server, for example:
https://my.server.com/basic.txt
This example assumes the name of the HTTPS server is my.server.com.
Step 11
Click Submit All Changes.
Step 12
Observe the syslog trace sent by the SPA.
The syslog message should indicate that the resync obtained the profile from the HTTPS server.
Step 13
(Optional) Use an Ethernet protocol analyzer on the SPA subnet to verify that the packets are encrypted.
Step 14
In this exercise, client certificate verification is not yet enabled; use a browser to request the profile
stored in basic.txt.
At this point, the connection between SPA and server is encrypted. However, the transfer is not secure
because any client can connect to the server and request the file, given knowledge of the file name and
directory location. For secure resync, the server must also authenticate the client, as demonstrated in the
next exercise.