Lantronix EMG 8500 EMG User Guide - Page 338
Maintenance, EMG™ Edge Management Gateway User Guide, CA_default, req ], req_distinguished_name ]
View all Lantronix EMG 8500 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 338 highlights
15: Maintenance cd /root mkdir ztp-cert cd ztp-cert mkdir newcerts cp /etc/ssl/openssl.cnf . export OPENSSL_CONF=/root/ztp-cert/openssl.cnf b. Under the CA_default section in openssl.cnf, change the directory where everything is kept to ".": [ CA_default ] dir = . # Where everything is kept c. The openssl.cnf sections [ req ] and [ req_distinguished_name ] can be updated with specific options for certificate requests, or the defaults can be used. d. Create the index.txt and serial files, which act as a flat file database to keep track of signed certificates: touch index.txt echo 1000 > serial echo 1000 > crlnumber 2. Create the root certificate: a. Create the root CA's private key (longer bit sizes such as 8192 can be used instead of 4096): openssl genrsa -out ca.key 4096 b. Create the root CA's certificate (the CN, or commonName, overrides the value in openssl.cnf, and can be set to any allowed certificate name): openssl req -new -x509 -days 3650 -key ca.key -out cacert.pem -subj /CN=ztpExampleCA c. The cacert.pem file output in the previous step can be copied to the top level directory of the external storage device that will be used for ZTP. The certificate can be verified (e.g. view the algorithms, validity date and CN, etc) at anytime with the command: openssl x509 -noout -text -in cacert.pem 3. Create the server certificate and sign it with the root certificate: a. Create the server certificate's private key (longer bit sizes such as 8192 can be used instead of 4096): openssl genrsa -out server.key 4096 b. Create the server certificate's Certificate Signing Request or CSR (the CN, or commonName, must match the IP address or name used in the URL to access the ZTP configuration file and cannot be the same as the CN of the root CA): openssl req -new -key server.key -out server.csr -subj / CN=example.ztp.com c. Create the server certificate by signing the CSR with the root CA (policy_match can be used in place of policy_anything to use a different rule in openssl.cnf for controlling which attributes of a certificate are required to match those given in the CA; by default policy_anything requires that only a CN be specified): EMG™ Edge Management Gateway User Guide 338