Secure Authentication of Syslog Server and SSH Client Using X.509 Certificate

This feature in ExtremeXOS supports the secure authentication of Syslog server and SSH client to an ExtremeXOS device using an X.509 certificate. The following are the primary aspects to a Public-Key Infrastructure (PKI) configuration:

Trusted CA—The X509v3 certificates of Certificate Authority (CA).
Peer Certificate—The X509v3 certificate of the peer, signed by one of the above trusted CAs.
OCSP—Online Certificate Status Protocol used to find the revocation status of the peer certificate.
OCSP Signature CA—To support Trusted Responder Model (TRM) of OCSP, the X509v3 certificate of the OCSP Responder is required. The OCSP signature CA is only required for TRM; it is not used for DTM and common issuer.

Supported Platforms

Summit X450-G2, X460-G2, X670-G2, X770, and ExtremeSwitching X620, X440-G2 series switches.

Limitations

All certificates should be in PEM format files.
Downloading CA certificate chain is not supported.
Individual CA certificates in a certificate chain should be downloaded one-by-one using the following command: download ssl ipaddress certificate {ssl-cert | trusted-ca | ocsp-signature-ca} cert_file
Downloading CA certificate of size greater than 7.5KB is not recommended.
Certification Revocation Lists (CRLs)—not supported.
OCSP stapling—not supported.
Nonce is always disabled in OCSP request.
OCSP is not done for the OCSP responder certificate. Therefore, the OCSP responder certificate should satisfy any of following criteria, failing which the OCSP response is rejected:
- OCSP responder certificate should be self-signed (OR).
- OCSP responder certificate should contain id-pkix-ocsp-nocheck extension.

New CLI Commands

unconfigure ssl certificate [trusted-ca | ocsp-signature-ca] [file_name |all]

Changed CLI Commands

Changes are underlined.

download ssl ipaddress certificate {ssl-cert | trusted-ca | ocsp-signature-ca} cert_file

show ssl {[trusted-ca | ocsp-signature-ca] [file_name | all]} {manufacturing} {certificate | detail}

Published November 2016prev | next

Email this topic

Print this page Print this page

Leave feedback Feedback

Switching

Routing

Wireless

Management & Automation

Analytics & Visibility

Security & Access Control

Remote

Cloud

Security

Machine Learning

Campus Fabric

Data Center Fabric

Internet of Things

Wi-Fi 6

Primary & Secondary Education (K-12)

Retail

Service Providers

Federal Government

Manufacturing

Higher Education

Healthcare

Hospitality

State & Local Government

Sports & Public Venues

Support Portal

Knowledge Base

Documentation

End of Sale

Policies & Warranties

Training & Courses

Maintenance Services

Premier Services

Professional Services

Managed Services

Secure Authentication of Syslog Server and SSH Client Using X.509 Certificate

Supported Platforms

Limitations

New CLI Commands

Changed CLI Commands