Before generating a certificate, ensure that the time and date on the ExtremeCloud IQ clock are
accurate. Otherwise, the certificate might be rejected during validation because the
starting date has not occurred or the expiration date has passed.
Use this task to create a Certificate Signing Request (CSR).
- Go to .
- To create a new CSR, select .
- Type a descriptive name or the domain name of the ExtremeCloud IQ appliance or Virtual IQ that you are going to use to sign server certificates. The appliance or VIQ name you assign is used to verify the server certificates when they are used to authenticate participants in AAA exchanges. Examples: SophiaCA, HiltonCA, Extreme NetworksCA.
- Type the ExtremeCloud IQ organization name. Examples: Sophia University, Hilton Hotel, Extreme Networks.
- Type the name of the ExtremeCloud IQ division. Examples: Marketing, Engineering, Sales.
- Type the ExtremeCloud IQ location.
- Type the ExtremeCloud IQ State or Province.
- Type the ExtremeCloud IQ two-character country code.
- Type an optional contact email address.
- Type an optional Subject Alternative Name. When using the server certificate to verify a VPN server, the VPN client that receives the certificate during IKE (Internet Key Exchange) negotiations uses the SAN (subject alternative names) in that certificate to perform two validity checks for the server: the VPN client checks that the SAN which the VPN server presents as its IKE ID matches the SAN in the certificate that the server supplies, and the VPN client verifies that the IKE ID it receives from the VPN server matches the peer IKE ID in its configuration. Fill in the associated fields as follows:
  - User FQDN: Type a text string in the form of a fully-qualified domain name for an individual. It resembles an email address: <string>@<domain>. For example, jhan@extremenetworks.com.
  - FQDN: Type a text string in the form of a fully-qualified domain name, such as portal.extremenetworks.com.
  - IP Address: Type an IP address in dotted decimal notation, for example, 10.1.1.1.
- Choose a key size for the key pair: 512, 1024, or 2048 bytes. The encryption produced by the smallest key size (512 bytes) can be cracked with relatively common tools and is not generally recommended. However, it might be needed if the devices on which the CA certificate must be loaded do not support larger key sizes. Keys of 1024 or 2048 bytes provide far stronger encryption, but require greater processing power.
- Type the corresponding password for encrypting and decrypting the private key linked to the public key in the CA.
- Type a name to distinguish the CSR file.
- Select Save. ExtremeCloud IQ saves the CA certificate with the file name Default_CA.pem and the accompanying private key as Default_key.pem.
- Select a Generate Method as follows:
  - To send the CSR to a third-party CA to generate a server certificate, select Export and OK, save the CSR file to your management system, and then send it to the CA.
  - To generate a server certificate using ExtremeCloud IQ as a CA, select Sign by ExtremeCloud IQ CA, enter a valid time period, clear or select Combine key and certificate into one file as explained below, and then select OK:
    - Clear Combine key and certificate into one file to create two separate files: one with the certificate and another with the private key. Extreme Networks RADIUS servers use these two files to authenticate themselves to RADIUS supplicants using PEAP (Protected Extensible Authentication Protocol), TTLS (Tunneled Transport Layer Security), or TLS (Transport Layer Security).
    - Select Combine key and certificate into one file to create a single file that combines the certificate and private key. This simplifies the organization of server certificates and their related private keys so that they cannot accidentally become mismatched. You can use the concatenated server certificate/private key file to provide authentication between RADIUS authentication servers and their supplicants.
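The same procedure carried out with OpenSSL, as an added example that is not ExtremeCloud IQ's own tooling: the CSR carries the subject fields and all three SAN forms from the form above (FQDN, User FQDN, IP Address), a throwaway local CA stands in for "Sign by ExtremeCloud IQ CA", and the key and certificate are concatenated into one file. The CN, organization, SAN values and key size are the page's examples; the location values, the working directory, file names and the test CA are assumptions.

```shell
#!/bin/sh
# Added example, not ExtremeCloud IQ tooling: CSR with the form's subject fields
# and SAN types, signed by a local test CA, then key + certificate combined.
# Location values (Tokyo/JP), file names and the test CA are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"
# OpenSSL config: CN/O/OU/L/ST/C plus FQDN -> DNS, User FQDN -> email, IP Address -> IP.
write_csr_config() {
  cat > "$WORK/csr.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
req_extensions = ext
[ dn ]
CN = SophiaCA
O = Sophia University
OU = Engineering
L = Tokyo
ST = Tokyo
C = JP
emailAddress = jhan@extremenetworks.com
[ ext ]
subjectAltName = DNS:portal.extremenetworks.com, email:jhan@extremenetworks.com, IP:10.1.1.1
EOF
}
# 2048-bit RSA key pair, private key encrypted with the password given as $1, plus the CSR.
make_csr() {
  write_csr_config
  openssl req -new -newkey rsa:2048 -sha256 -config "$WORK/csr.cnf" \
    -keyout "$WORK/server_key.pem" -passout "pass:$1" -out "$WORK/server.csr" 2>/dev/null
}
# Print the CSR's SAN values (spaces stripped) so all three names can be checked.
csr_sans() {
  openssl req -in "$WORK/server.csr" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' '
}
# Stand-in for "Sign by ExtremeCloud IQ CA": a self-signed test CA issues the server
# certificate for $1 days; -extfile/-extensions carries the CSR's SANs into the cert.
sign_with_local_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=Test CA" \
    -keyout "$WORK/ca_key.pem" -out "$WORK/ca.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca_key.pem" \
    -CAcreateserial -days "$1" -sha256 -extfile "$WORK/csr.cnf" -extensions ext \
    -out "$WORK/server.pem" 2>/dev/null
  # "Combine key and certificate into one file" is plain concatenation, key first.
  cat "$WORK/server_key.pem" "$WORK/server.pem" > "$WORK/server_combined.pem"
}
```

Keep `server_key.pem` and `server.pem` separate for the two-file RADIUS layout described above; `server_combined.pem` is the single-file layout.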