Lantronix SLC 8000 Advanced Console Manager User Guide - Page 325
Maintenance, SLC™ 8000 Advanced Console Manager User Guide
View all Lantronix SLC 8000 Advanced Console Manager manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 325 highlights
13: Maintenance mkdir ztp-cert cd ztp-cert mkdir newcerts cp /etc/ssl/openssl.cnf . export OPENSSL_CONF=/root/ztp-cert/openssl.cnf b. Under the CA_default section in openssl.cnf, change the directory where everything is kept to ".": [ CA_default ] dir = . # Where everything is kept c. Update the [ req ] and [ req_distinguished_name ] sections of openssl.cnf with specific certificate requests; otherwise, use the default values. d. Create the index.txt and serial files, which is a flat file database to keep track of signed certificates: touch index.txt echo 1000 > serial echo 1000 > crlnumber 2. Create the root certificate as follows: a. Create the private key for the root CA. Use longer bit sizes for the private key, such as 8192 instead of 4096 openssl genrsa -out ca.key 4096 b. Create the certificate for the root CA (the common name (CN) overrides the value in openssl.cnf, and can be set to any allowed certificate name). openssl req -new -x509 -days 3650 -key ca.key -out cacert.pem -subj /CN=ztpExampleCA c. Copy the output cacert.pem file of the previous step to the top-level directory of the external storage device, which will be used for ZTP. d. Verify the information in the certificate, such as the algorithms, validity date, and CN at using the following command: openssl x509 -noout -text -in cacert.pem 3. Create the server certificate and sign it with the root CA as follows: a. Create the private key of the server certificate. Use longer bit sizes for the private key, such as 8192 can be used instead of 4096 openssl genrsa -out server.key 4096 b. Create the Certificate Signing Request (CSR) of the server certificate (the CN must match the IP address or name used in the URL to access the ZTP configuration file. Also, the CN cannot be the same as the CN of the root CA). openssl req -new -key server.key -out server.csr -subj /CN=example.ztp.com c. Create the server certificate by signing the CSR with the root CA. policy_match can be used in place of policy_anything to use a different rule in openssl.cnf for SLC™ 8000 Advanced Console Manager User Guide 325