Cryptographic security-related commands

Manage Device Certificate key

Information

Note 1: Log on with Admin or Security Admin user privileges to perform this procedure.
Note 2: + select one parameter from the list; * required parameter.
Note 3: **ne - substitute olt for ne on the OLT2> CLI command path.

A device certificate is used to assert the unique identity of the OLT. The device certificate (public certificate) carries the identity of the OLT and, together with the private key, can be used to identify the OLT to other parties such as the EMS and to encrypt traffic securely. The ne/olt security>key command is used to edit the current device certificate and private key. You must be a certificate admin to manage the Device Certificate.

  • Command Path - ne security
  • Command Path - olt security (OLT2 only)
  • Command - key
    • Action
      • edit - Import certificate stored on NE/OLT
        • *passphrase= - passphrase for decrypt/encrypt of certificate (Must be 4 or more alphanumeric characters)
          • + pem - Specifies PEM certificate storage format
          • + pkcs12 - Specifies PKCS12 certificate storage format
          • + terminal - Manually enter certificate via terminal input (Must be in PEM format)
          • + url - URL to download the certificates from.
            • e.g.: https://[username[:password]@]location[:port][/path]/filename

Example scripts 

To apply the anchor certificates for the NE, when the certificate type is pem, input the following:

  1. From the ESUx> command line, input **ne security key edit pem url https://<username>:<password>@<ems ip address>:8090/certificates/anchor/<filename.pem> passphrase=<pass_phrase>, and press Enter.
    ESUx> **ne security key edit pem url https://<username>:<password>@<ems ip address>:
    8090/certificates/anchor/<filename.pem> passphrase=<pass_phrase>_ 

Additional scripts 

ESUx> **ne security key edit pem url [passphrase=<pass phrase>] _ 
ESUx> **ne security key edit pem url https://<username>:<password>@<ems ip address>:
8090/certificates/anchor/<filename.pem> passphrase=<pass_phrase> _ 
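Before a bundle is pasted with key edit terminal (or fetched by url), it is worth confirming that it really is PEM, that it carries both a certificate and a private key, and that the key is encrypted rather than in the clear. The following is an added Python example, not part of this page or the product CLI; the sample bundle with its placeholder base64 bodies, the inspect_pem_bundle and passphrase_ok helper names, and the reading of the passphrase rule as ASCII letters and digits are all constructed for illustration.

```python
import base64
import binascii
import re

# Constructed sample bundle: a certificate plus a PKCS#8 encrypted private key.
# The base64 bodies are placeholders, not real key material.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUAAAAAAAAAAAAAAAAAAAAAAAAAAAwCgYIKoZIzj0EAwIw
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIHsMFcGCSqGSIb3DQEFDTBKMCkGCSqGSIb3DQEFDDAcBAgAAAAAAAAAAAICCAAw
-----END ENCRYPTED PRIVATE KEY-----
"""

# A PEM block: BEGIN label, body, and an END line whose label must match the BEGIN label.
BLOCK_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", re.S)

def inspect_pem_bundle(text):
    """Return {'blocks': [labels], 'findings': [problems]} for a bundle about to be imported."""
    blocks, findings = [], []
    for m in BLOCK_RE.finditer(text):
        label, body = m.group(1), m.group(2)
        lines = [l for l in body.splitlines() if l.strip()]
        headers = [l for l in lines if ":" in l]          # e.g. legacy "Proc-Type: 4,ENCRYPTED"
        try:
            base64.b64decode("".join(l for l in lines if ":" not in l), validate=True)
        except binascii.Error:
            findings.append(f"{label}: body is not valid base64")
        if label.endswith("PRIVATE KEY"):
            encrypted = label.startswith("ENCRYPTED") or any("ENCRYPTED" in h for h in headers)
            if not encrypted:
                findings.append(f"{label} is unencrypted: it would be pasted in the clear")
        blocks.append(label)
    if "CERTIFICATE" not in blocks:
        findings.append("no CERTIFICATE block: nothing to assert the OLT identity with")
    if not any(b.endswith("PRIVATE KEY") for b in blocks):
        findings.append("no PRIVATE KEY block: a device certificate needs its private key")
    return {"blocks": blocks, "findings": findings}

def passphrase_ok(passphrase):
    """Page rule: 4 or more alphanumeric characters (assumed here to mean ASCII letters and digits only)."""
    return re.fullmatch(r"[A-Za-z0-9]{4,}", passphrase) is not None
```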

Managing Yubikey

  • Command Path - ne security
  • Command Path - olt security (OLT2 only)
  • Action
    • yubikey - SSH Yubikey Token Utility
      • cfg - configure the server access
        • + cert - Enter the yubico web server trust anchor bundle
        • + host - Enter the yubico web server hostname
        • + ip - Enter the yubico web server ip address
        • terminal - Manually enter via terminal input
      • debug - Report yubikey status
        • + certful - Show the full X.509 cert
        • + certsum - Show the summary X.509 cert
        • + check - Perform the yubikey configuration diagnostics
        • + curl - Verify ems curl path
        • + log - Yubikey debugger logging status
        • + logoff - Yubikey debugger turn off logging
        • + logon - Yubikey debugger turn on logging
        • + sclient - Make openssl s_client call to ems
        • + status - Show the yubikey state
      • delete - delete the yubico configuration
        • cert - Only deletes a provisioned cert. The default cert is never deleted.
        • user - Enter the username
      • edit - add the user yubikey token
        • + admin - Enable or disable ssh yubikey mode
        • + user - Enter the username
        • terminal - Manually enter the yubikey token via terminal input
      • show - show the user's yubikey token
        • + cert
        • + host
        • + ip
        • + status
        • + userv - Enter the username
        • + users

To display the current yubikey status, input the following command:

  1. From the ESUx> command line, input **ne security yubikey show status, and press Enter. Output similar to the following is displayed:
    ESUx> **ne security yubikey show status <enter>
    Yubikey is disabled.
    
    ESUx> _ 

PKI CA Trust Point/Anchor Certificates

Manage and edit Public Key Infrastructure (PKI) Certificate Authority Trust Point.  The PKI trustpoint is also known as an anchor certificate and defines the list of CAs or Certificate Authorities that the OLT will trust.  The OLT will trust any connection where the offered certificate can be validated with one of the trust anchors that have been configured.  You must be a certificate admin to manage the Trust Anchors.

  • Command Path - ne security
  • Command Path - olt security (OLT2 only)
  • Action
    • pki-ca-trustpoint - Public Key Infrastructure Certificate Authority trust point management
      • certificate - SSL Certificate Utility
        • edit - Import Certificate stored on NE
          • *passphrase= - passphrase for decrypt/encrypt of certificate (Must be 4 or more alphanumeric characters)
            • + der - Specifies DER certificate storage format
            • + pem - Specifies PEM certificate storage format
            • + pkcs12 - Specifies PKCS12 certificate storage format
            • + terminal - Manually enter certificate via terminal input (Must be in PEM format)
            • + url= - URL to download the certificates from. e.g.: https://[username[:password]@]location[:port][/path]/filename
        • show - Show Anchor Certificates stored on NE
          • raw - Display the anchor certs as entered
          • summary - Displays the Subject and Issuer (default)
          • verbose - Displays the full details
      • Online-Certificate-Status-Protocol - manage OCSP-based (PKI) certificate validation configuration
        • edit - edit OCSP configuration
          • admin= - enable/disable use of OCSP for certificate revocation checks
            • enabled|disabled
          • conflict-preference= - which OCSP server to prefer when the certificate's embedded URL and the configured URL conflict
            • configured-url|certificate-url
          • polling-frequency= - interval to poll for expired certificates
            • (hours)
          • url= - server to use for certificate revocation checks
        • show - display OCSP configuration

If the certificate type is pkcs12, input the following:

  1. From the ESUx> command line, input **ne security pki-ca-trustpoint certificate edit pkcs12 url=https://<username>:<password>@<ems ip address>:8090/certificates/anchor/<filename.p12> passphrase=<pass_phrase>, and press Enter.

To display the current OCSP Configuration, enter the following command:

  1. From the ESUx> command line, input **ne security pki-ca-trustpoint show ocsp, and press Enter. Output similar to the following is displayed:
    ESUx> **ne security pki-ca-trustpoint show ocsp <enter>
    
    | OCSP Configuration                                                |
    |===================================================================|
    |===================================================================|
    | enabled             : enabled                                     |
    | url                                                               |
    | polling-frequency   : 4                                           |
    | conflict-preference : certificate-url                             |
    |                                                                   |
    |===================================================================|
    
    ESUx> _
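The show ocsp table can be checked mechanically instead of read by eye, which matters when the same audit is run across many OLTs: in the output above OCSP is enabled but no url is configured, so only peers whose certificates carry their own OCSP URL can actually be revocation-checked. The following is an added Python example, not part of this page or the product; the parse_ocsp_table and audit_ocsp names and the 24-hour polling threshold are assumptions, and the sample text is the table as printed above.

```python
import re

# Constructed sample: the table printed by "ne security pki-ca-trustpoint show ocsp" on this page.
# Note the show output names the on/off setting "enabled", while the edit parameter is "admin=".
SAMPLE_OCSP_OUTPUT = """\
| OCSP Configuration                                                |
|===================================================================|
|===================================================================|
| enabled             : enabled                                     |
| url                                                               |
| polling-frequency   : 4                                           |
| conflict-preference : certificate-url                             |
|                                                                   |
|===================================================================|
"""

# One settings row: "| key : value |", or a bare "| key |" when the value is unset (as 'url' above).
# Title, separator and blank rows do not match because the key must start with a lowercase letter.
ROW_RE = re.compile(r"^\|\s*([a-z][a-z-]*)\s*(?::\s*(.*?))?\s*\|$")

def parse_ocsp_table(text):
    """Return the OCSP settings as {key: value}; an unset value comes back as ''."""
    cfg = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            cfg[m.group(1)] = (m.group(2) or "").strip()
    return cfg

def audit_ocsp(cfg, max_poll_hours=24):
    """List settings that weaken revocation checking; max_poll_hours is an assumed local policy."""
    if cfg.get("enabled") != "enabled":
        return ["OCSP disabled: revoked peer certificates are still accepted"]
    findings = []
    url, pref = cfg.get("url", ""), cfg.get("conflict-preference", "")
    if not url:
        findings.append("no url configured: only certificates carrying their own OCSP URL can be checked")
    elif pref == "certificate-url":
        findings.append("certificate-url preferred: a certificate's embedded URL overrides the configured responder")
    try:
        hours = int(cfg.get("polling-frequency", ""))
    except ValueError:
        hours = 0
    if hours <= 0:
        findings.append("polling-frequency is not a positive number of hours")
    elif hours > max_poll_hours:
        findings.append(f"polling-frequency {hours}h exceeds the assumed {max_poll_hours}h maximum")
    return findings
```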