
Configuring Certificates

Configuring Public Key Infrastructure (PKI) must be executed by a Security User.

PKI is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates. In cryptography, a PKI is an arrangement that binds public keys with respective user identities by means of a certificate authority (CA). The user identity must be unique within each CA domain. The binding is established through the registration and issuance process, which, depending on the level of assurance the binding has, may be carried out by software at a CA or under human supervision. The PKI role that assures this binding is called the Registration Authority (RA). The RA ensures that the public key is bound to the individual to whom it is assigned in a way that ensures non-repudiation.


A certificate authority, or certification authority (CA), is an entity that issues digital certificates. The digital certificate certifies that the named subject of the certificate owns the public key. This allows others (relying parties) to rely upon signatures or assertions made by the private key that corresponds to the certified public key. In this model of trust relationships, a CA is a trusted third party that is trusted by both the subject (owner) of the certificate and the party relying upon the certificate.

CAs are characteristic of many public key infrastructure (PKI) schemes. A third-party validation authority (VA) provides certificate status information on behalf of the CA. The purpose of the validation authority is to verify a certificate by means of OCSP (Online Certificate Status Protocol), an Internet protocol used for obtaining the revocation status of a digital certificate.

A Trusted Third Party (TTP), or trusted host, is an entity that facilitates interactions between two parties who both trust the third party; the third party reviews all critical transaction communications between the parties, which matters because fraudulent digital content is easy to create. In TTP models, the relying parties use this trust to secure their own interactions. TTPs are common in commercial transactions and in cryptographic digital transactions as well as cryptographic protocols. For example, a certificate authority (CA) issues a digital identity certificate to one of the two parties; the CA then becomes the trusted third party for that certificate's issuance. Likewise, transactions that need third-party recordation also need a third-party repository service of some kind.

The term Trusted Third Party (TTP) may also be used for a certificate authority (CA). This chapter shows several examples of configuring Public Key Infrastructure (PKI) using command line interface (CLI) commands. These examples illustrate how to load certificates via the console and how to enter device certificates.

Information Note 1: Log on with Admin or Security Admin user privileges to perform this procedure.
Information Note 2: **ne - On the OLT2, substitute olt for ne in the CLI command path.

  • Command Path - ne security
  • Command Path - olt security (OLT2 only)
  1. To load device certificates, enter the following command:
    ESUx> **ne security key edit terminal pem <enter>
    command completed
    ESUx> _
    
    To load Trusted Anchor certificates, enter the following command:
    ESUx> **ne security pki-ca-trustpoint certificate edit terminal pem <enter> 
    command completed
    ESUx> _
    
    Entering CA Cert
ESUx> **ne security pki-ca-trustpoint certificate edit pem terminal <enter>
Enter PEM formatted Certificate Authority (CA) key below: (Hit Ctrl+D when finshed, or
Ctrl+C to cancel)
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Certificate Imported Successfully from Terminal
ESUx> _

Entering Device Cert

ESUx> **ne security key edit pem terminal <enter>
Enter PEM formatted Key below: (Hit Ctrl+D when finished, or Ctrl+C to cancel)
Bag Attributes
friendlyName: ESU_128_90
localKeyID: 32 69 EB 80 43 9D C2 79 9D C6 26 81 E8 C9 59 8D 1F F4 E4 DB
subject=/CN=ESU_128_90
issuer=/CN=AdminCA1/O=EJBCA Sample/C=SE
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Bag Attributes
friendlyName: ESU_128_90
localKeyID: 32 69 EB 80 43 9D C2 79 9D C6 26 81 E8 C9 59 8D 1F F4 E4 DB
Key Attributes: 
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
Certificate Imported Successfully from Terminal
ESUx> _
Information Note 1: All certificates entered from the terminal must be in PEM format; P12 via terminal is not supported.
Information Note 2: When entering certificate information, the screen does not echo any characters typed until CTRL+D is pressed. For now, just blind copy and paste the certificate and hit CTRL+D.
Information Note 3: When entering device key information, the device key must contain both the public and private keys. The device public key and device private key cannot be entered separately.
  1. To load certificates over HTTPS (Hypertext Transfer Protocol Secure):
    ESUx> **ne security key edit pkcs12 url=https://[username[:password]@]location[:port][/path]/filename passphrase=[Passphrase] <enter>
    ESUx> **ne security pki-ca-trustpoint certificate edit pem url=https://[username[:password]@]location[:port][/path]/filename <enter>

Importing CA certificates

ESUx> **ne security pki-ca-trustpoint certificate edit pem url=https://test:test@172.28.123.95:8090/certificates/anchor/esu/AdminCA1.pem <enter>
Certificate Imported Successfully.

Importing Device Certificates

ESUx> **ne security key edit pkcs12 url=https://test:test@172.28.123.95:8090/certificates/anchor/esu/OLT_128_90.p12 passphrase=esu <enter>
Certificate Imported Successfully.
Information Note 1: This command accepts only an https connection; non-secure http connections are rejected.
Information Note 2: The following ports can be used to download certificates:

  • Port 8090 - used by SW download (no user authentication)
  • Port 3010 - used with peer authentication.
Information Note 3: Most P12 certificates require a passphrase to import and decrypt the certificates. If an error is received while importing certificates, make sure the passphrase was entered correctly.
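A pre-flight check for the constraints stated in the notes above (PEM only via the terminal, a device bundle must carry both the certificate and the private key, URL imports must use https), written as an added Python example that is not part of the ESU/OLT documentation or the device software. The PEM body used as sample input is a constructed minimal DER SEQUENCE, not a real certificate or key, and the function names are assumptions of this example.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed sample body: a minimal DER SEQUENCE (30 03 02 01 01). It is NOT a
# real certificate or key; it only exercises the PEM framing and base64 checks.
FAKE_DER_B64 = base64.b64encode(bytes.fromhex("3003020101")).decode()

# One PEM block; the label is captured so the END marker must match the BEGIN.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, der_bytes)] for every well-formed PEM block in text.

    Raises ValueError when a body is not strict base64 or does not decode to a
    DER SEQUENCE (first byte 0x30), the usual symptom of a mangled blind paste.
    Lines outside the markers (e.g. openssl 'Bag Attributes') are ignored.
    """
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:
            raise ValueError(f"{label} block does not decode to DER")
        blocks.append((label, der))
    return blocks


def classify_paste(text):
    """Say which terminal import a paste is suitable for.

    'ca'     : CERTIFICATE block(s) and no key      -> pki-ca-trustpoint certificate
    'device' : CERTIFICATE plus a PRIVATE KEY block  -> key edit (both halves present)
    'reject' : key without certificate, or no PEM at all (e.g. a binary .p12,
               which the terminal path does not accept)
    """
    labels = [label for label, _ in pem_blocks(text)]
    has_cert = "CERTIFICATE" in labels
    has_key = any(label.endswith("PRIVATE KEY") for label in labels)
    if has_cert and has_key:
        return "device"
    if has_cert:
        return "ca"
    return "reject"


def check_import_url(url):
    """URL imports are accepted only over https; plain http is rejected."""
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.hostname)
```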
  1. Enable DNS:
    ESUx> **ne ip edit dns admin=enabled <enter>
  2. Configure DNS Servers:

    ESUx> **ne ip dns edit admin=enabled name-server address=172.28.2.32 <enter>
    Successfully updated DNS configuration
    ESUx> _
    
  3. Enable Online Certificate Status Protocol (OCSP):
    ESUx> **ne security pki-ca-trustpoint edit ocsp admin=enabled <enter> 
    Successfully updated OCSP configuration.
    ESUx> _
    
  4. Configure OCSP Server

    ESUx> **ne security pki-ca-trustpoint edit ocsp url=http://profilesvr1.tx.tellabs.com:8080/ejbca/publicweb/status/ocsp <enter>
    Successfully updated OCSP configuration
    ESUx> _
