Create a Certificate and Key
Create a CA certificate, a CSR (certificate signing request) for a server certificate, or a self-signed certificate. Concatenate a certificate and private key.
Configure > Common Objects > Certificate > Certificate Management > Add
This page provides options for creating certificates and CSRs (certificate signing requests). For more detailed information, see Certificate Management.
Note
Before generating a certificate, make sure that the time and date on the ExtremeCloud IQ clock are accurate. Otherwise, when the validity interval on the certificate is checked, the certificate can be rejected because the starting date has not yet occurred or because the expiration date has already passed.
Select the task you want to perform from the following options and then refer to the related section:
ExtremeCloud IQ CA: See "Create an ExtremeCloud IQ CA"
Server CSR: See "Create a Server CSR"
Concatenate an existing certificate and private key: See "Concatenate an Existing Certificate and Private Key"
Self-signed certificate: See "Create a Self-signed Certificate"
To create an ExtremeCloud IQ CA, enter the following information, and then select Save:
Common Name: Enter a descriptive name or the domain name of the ExtremeCloud IQ appliance or Virtual IQ that you are going to use to sign server certificates, and then later to verify those server certificates when used to authenticate participants in AAA exchanges. Examples: SophiaCA, HiltonCA, Extreme Networks CA.
Organization Name: Enter the name of the organization to which ExtremeCloud IQ belongs. The name can contain up to 64 characters. Examples: Sophia University, Hilton Hotel, Extreme Networks.
Organizational Unit: Enter the name of the division within the organization to which ExtremeCloud IQ belongs. The name can contain up to 64 characters. Examples: Marketing, Engineering, Sales.
Locality Name: Enter the name of a city, county, or other regional division where ExtremeCloud IQ is located. The name can contain up to 64 characters.
State/Province Name: Enter the name of a state, province, prefecture, or similar political division where ExtremeCloud IQ is located. The name can contain between 1 and 64 characters.
Country Code: Enter a two-character country code for the country where ExtremeCloud IQ is located.
Email Address: (optional) Enter the email address of the contact person for the CA certificate.
Validity: Enter the number of days that the CA certificate will be valid. Typically, a CA certificate is valid for a much longer period than the server certificates that it signs.
Key Size: Choose a key size for the key pair: 512, 1024, or 2048 bytes. The encryption produced by the smallest key size (512 bytes) can be cracked with relatively common tools and is not generally recommended. However, it might be needed if the devices on which the CA certificate must be loaded do not support larger key sizes. Keys of 1024 or 2048 bytes provide far stronger encryption, but require greater processing power.
Password: Enter the password for encrypting and decrypting the private key that corresponds to the public key in the CA certificate. To confirm accuracy, enter the password again. The password must contain between 4 and 20 characters. Clear the Obscure Password check box to see the characters that you enter.
ExtremeCloud IQ saves the CA certificate with the file name Default_CA.pem and the accompanying private key as Default_key.pem.
To create a server CSR, enter the following information, and then select Save:
Common Name: Enter a descriptive name or the domain name of the ExtremeCloud IQ appliance or Virtual IQ that you are going to use to sign server certificates, and then later to verify those server certificates when used to authenticate participants in AAA exchanges. Examples: SophiaCA, HiltonCA, Extreme Networks CA.
Organization Name: Enter the name of the organization to which ExtremeCloud IQ belongs. The name can contain between 1 and 64 characters. Examples: Sophia University, Hilton Hotel, Extreme Networks.
Organizational Unit: Enter the name of the division within the organization to which ExtremeCloud IQ belongs. The name can contain up to 64 characters. Examples: Marketing, Engineering, Sales.
Locality Name: Enter the name of a city, county, or other regional division where ExtremeCloud IQ is located. The name can contain up to 64 characters.
State/Province Name: Enter the name of a state, province, prefecture, or similar political division where ExtremeCloud IQ is located. The name can contain up to 64 characters.
Country Code: Enter a two-character country code for the country where ExtremeCloud IQ is located.
Email Address: (optional) Enter the email address of the contact person for the CA certificate.
Subject Alternative Name (SAN): When using the server certificate to verify the identity of a VPN server, the VPN client that receives the certificate during IKE (Internet Key Exchange) negotiations can use the subject alternative names (SANs) in that certificate to perform two validity checks for the server. First, the VPN client checks that the SAN that the VPN server presents as its IKE ID matches the SAN in the certificate that the server supplies. Second, the VPN client checks that the IKE ID it receives from the VPN server matches the peer IKE ID in its configuration. In addition to checking the digital signature of the server certificate against the CA certificate that signed it, checking that the IKE ID matches the SAN in the server certificate and the IKE ID in its configuration provides extra proof that the VPN server is indeed what it claims to be.
You can make one or more entries in the following subject alternative name fields. If you enter more than one entry in the same field, use a semicolon to separate them. Each field supports up to 128 characters.
User FQDN: Enter a text string in the form of a fully-qualified domain name for an individual. It resembles an email address: <string>@<domain>; for example, jhan@aerohive.com.
FQDN: Enter a text string in the form of a fully-qualified domain name, such as portal.aerohive.com.
IP Address: Enter an IP address in dotted decimal notation; for example, 10.1.1.1.
Key Size: Choose a key size for the key pair: 512, 1024, or 2048 bytes. The encryption produced by the smallest key size (512 bytes) can be cracked with relatively common tools and is not generally recommended. However, it might be needed if the devices on which the CA certificate must be loaded do not support larger key sizes. Keys of 1024 or 2048 bytes provide far stronger encryption, but require greater processing power.
Password: Enter the password for encrypting and decrypting the private key that corresponds to the public key in the CA certificate. Then, to confirm accuracy, enter the password again. The password must be between 4 and 20 characters long. Clear the Obscure Password check box to see the characters as you enter them.
CSR File Name: Enter a name to distinguish the CSR file. It can contain up to 20 characters.
In the Generate method section, you are prompted to export the CSR or to sign it using the private key of a previously generated ExtremeCloud IQ CA certificate. If you want to send the CSR to a third-party CA to generate a server certificate, select Export and OK, save the CSR file to your management system, and then send it to the CA. To generate a server certificate using ExtremeCloud IQ as a CA, select Sign by ExtremeCloud IQ CA, enter a valid time period, clear or select the Combine key and certificate into one file check box as explained below, and then select OK:
Clear the Combine key and certificate into one file check box to create two separate files—one with the certificate and another with the private key. Extreme Networks RADIUS servers use these two files to authenticate themselves to RADIUS supplicants using PEAP (Protected Extensible Authentication Protocol), TTLS (Tunneled Transport Layer Security), or TLS (Transport Layer Security).
Validity: Enter the number of days that the CA certificate will be valid.
Select the check box to Combine key and certificate into one file to create a single file that combines the certificate and private key. This simplifies the organization of server certificates and their related private keys so that they cannot accidentally become mismatched. You can use the concatenated server certificate/private key file to provide authentication between RADIUS authentication servers and their supplicants.
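The CA, CSR, and "Sign by ExtremeCloud IQ CA" flow described above, together with the two Subject Alternative Name checks described for a VPN client, as an added Go example that is not code from the ExtremeCloud IQ product or its documentation. It uses only the Go standard library, generates 2048-bit RSA keys (rsa.GenerateKey takes the size in bits), constructs its own subject values from the form's field descriptions, and reuses the SAN examples given on the page (jhan@aerohive.com, portal.aerohive.com, 10.1.1.1). The password-protected key file is not modelled, and the peer's IKE ID is simplified to a plain string rather than a typed IKE identity payload.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newCA issues a self-signed CA certificate; the subject values are constructed from the page's field descriptions.
func newCA(validityDays, keyBits int) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, keyBits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{CommonName: "SophiaCA", Organization: []string{"Sophia University"},
			OrganizationalUnit: []string{"Engineering"}, Locality: []string{"Chiba"}, Province: []string{"Chiba"}, Country: []string{"JP"}},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(0, 0, validityDays),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCSR generates the server key pair and a CSR. The form's three SAN fields map to
// EmailAddresses (User FQDN), DNSNames (FQDN) and IPAddresses (IP Address).
func newCSR(subject pkix.Name, userFQDNs, fqdns []string, ips []net.IP) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: subject, EmailAddresses: userFQDNs, DNSNames: fqdns, IPAddresses: ips}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// signCSR is the "Sign by ExtremeCloud IQ CA" path: check the CSR's own signature (proof the
// requester holds the key), copy its subject and SANs, and issue a server certificate.
func signCSR(csrDER []byte, ca *x509.Certificate, caKey *rsa.PrivateKey, validityDays int) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature invalid: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: csr.Subject,
		EmailAddresses: csr.EmailAddresses, DNSNames: csr.DNSNames, IPAddresses: csr.IPAddresses,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(0, 0, validityDays),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyPeer does what the page describes for a VPN client: the server certificate must chain to
// the trusted CA, and the identity the peer presents (its IKE ID) must appear among the SANs.
func verifyPeer(server, ca *x509.Certificate, claimedID string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := server.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err
	}
	for _, e := range server.EmailAddresses { // User FQDN form
		if e == claimedID {
			return nil
		}
	}
	return server.VerifyHostname(claimedID) // FQDN and IP address forms
}

// issue runs the whole flow with the SAN examples given on the page.
func issue() (server, ca *x509.Certificate, err error) {
	ca, caKey, err := newCA(3650, 2048)
	if err != nil {
		return nil, nil, err
	}
	subject := pkix.Name{CommonName: "portal.aerohive.com", Organization: []string{"Sophia University"}, Country: []string{"JP"}}
	csr, err := newCSR(subject, []string{"jhan@aerohive.com"}, []string{"portal.aerohive.com"}, []net.IP{net.ParseIP("10.1.1.1")})
	if err != nil {
		return nil, nil, err
	}
	server, err = signCSR(csr, ca, caKey, 365)
	return server, ca, err
}

func main() {
	server, ca, err := issue()
	if err != nil {
		panic(err)
	}
	for _, id := range []string{"portal.aerohive.com", "10.1.1.1", "jhan@aerohive.com", "other.aerohive.com"} {
		fmt.Printf("%-20s -> %v\n", id, verifyPeer(server, ca, id))
	}
}
```

The last identity in main is absent from the certificate and is rejected even though the chain verifies, which is the point of the second check: a valid signature from the CA proves the certificate is genuine, and the SAN match proves it belongs to the peer you configured.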
To create a new file containing a concatenation of a server certificate and an unencrypted private key, select Add, enter the following, and then select Save:
HTTPS Certificate Name: Enter a name for the concatenated certificate/private key file. The name can contain up to 20 characters, including spaces.
Description: Enter an optional note about the certificate for later reference. It can contain up to 64 characters, including spaces.
Certificate: Select the certificate you want to use from the drop-down list, or select Import to import a certificate.
Private Key: Select a private key method from the drop-down list or select Import to import a key.
Password: Enter the password for encrypting and decrypting the private key that corresponds to the public key in the CA certificate. To confirm accuracy, enter the password again. The password must contain between 4 and 20 characters. Clear the Obscure Password check box to compare the passwords you enter.
Although you cannot change the certificate and private key in a concatenated file, you can modify the name and description. For example, if you give a certificate file a name and description based on the location of the device, and then you have to move it, you can easily modify these attributes for your own reference. Select the name of the file, modify the Certificate Name and Description fields, and then select Update.
To create a new file containing a concatenation of a server certificate and an unencrypted private key, select Add, enter the following, and then select Save:
HTTPS Certificate Name: Enter a name for the concatenated certificate/private key file. The name can contain up to 20 characters, including spaces.
Description: Enter an optional note about the certificate for later reference. It can contain up to 64 characters, including spaces.
Common Name: Enter a descriptive name or the domain name of the ExtremeCloud IQ appliance or Virtual IQ that you are going to use to sign server certificates, and then later to verify those server certificates when used to authenticate participants in AAA exchanges. Examples: SophiaCA, HiltonCA, Extreme Networks CA.
Organization Name: Enter the name of the organization to which the device that will use the certificate belongs. The name can contain between 1 and 64 characters. Examples: Sophia University, Hilton Hotel, Extreme Networks.
Organizational Unit: Enter the name of the division within the organization to which the device that will use the certificate belongs. The name can contain between 1 and 64 characters. Examples: Marketing, Engineering, Sales.
Locality Name: Enter the name of a city, neighborhood, or other regional division where the device will be deployed. The name can contain between 1 and 64 characters. Examples: Funabashi, Guadalajara, San Francisco.
State/Province Name: Enter the name of a state, province, prefecture, or similar political division where the device will be deployed. The name can contain between 1 and 64 characters. Examples: Chiba, Jalisco, California (or "CA").
Country Code: Enter a two-character country code for the country where the device will be deployed. Examples: JP, MX, US.
Email Address: (optional) Enter the email address of the contact person for this certificate.
Validity: Enter the number of days that the certificate will be valid.
Key Size: Choose a key size for the key pair: 512, 1024, or 2048 bytes. The encryption produced by the smallest key size (512 bytes) can be cracked with relatively common tools. However, it might be needed if the peers with which this device must use the certificate do not support larger key sizes. Keys that are 1024 or 2048 bytes long provide far stronger encryption. The larger the key, the more difficult it becomes to crack; however, a larger key requires greater processing power.
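The self-signed certificate described in this section and the concatenated certificate/private key file described under "Concatenate an Existing Certificate and Private Key", as an added Go example that is not code from the ExtremeCloud IQ product or its documentation. It generates a 2048-bit RSA key (rsa.GenerateKey takes the size in bits), issues a certificate that is its own parent, writes the certificate PEM block followed by the unencrypted key PEM block, and then reads such a file back with two checks the page's text motivates: that the key actually matches the certificate (the mismatch the combined file is meant to prevent) and that the validity interval contains the local clock (the note on clock accuracy near the top of the page). The subject values are constructed from the page's field examples.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"time"
)

// selfSignedPEM generates a key pair and a self-signed server certificate (the template is its own
// parent) and returns what the "Combine key and certificate into one file" option produces:
// the certificate PEM block followed by the unencrypted private key PEM block.
func selfSignedPEM(subject pkix.Name, validityDays, keyBits int) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, keyBits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: subject, DNSNames: []string{subject.CommonName},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(0, 0, validityDays),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	out := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return append(out, pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})...), nil
}

// loadConcatenated parses a concatenated certificate/key file and applies the two checks a server
// should make before using it: the private key must match the certificate's public key, and the
// certificate's validity interval must contain the local clock (the page's note on clock accuracy).
func loadConcatenated(data []byte, now time.Time) (*x509.Certificate, *rsa.PrivateKey, error) {
	var cert *x509.Certificate
	var key *rsa.PrivateKey
	for blk, rest := pem.Decode(data); blk != nil; blk, rest = pem.Decode(rest) {
		var err error
		switch blk.Type {
		case "CERTIFICATE":
			cert, err = x509.ParseCertificate(blk.Bytes)
		case "RSA PRIVATE KEY":
			key, err = x509.ParsePKCS1PrivateKey(blk.Bytes)
		}
		if err != nil {
			return nil, nil, err
		}
	}
	if cert == nil || key == nil {
		return nil, nil, errors.New("file must contain a CERTIFICATE and an RSA PRIVATE KEY block")
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); !ok || !pub.Equal(&key.PublicKey) {
		return nil, nil, errors.New("private key does not match the certificate")
	}
	if now.Before(cert.NotBefore) {
		return nil, nil, fmt.Errorf("certificate not valid until %s: check the clock", cert.NotBefore.UTC().Format(time.RFC3339))
	}
	if now.After(cert.NotAfter) {
		return nil, nil, fmt.Errorf("certificate expired %s", cert.NotAfter.UTC().Format(time.RFC3339))
	}
	return cert, key, nil
}

func main() {
	// Subject values constructed from the page's field examples.
	subject := pkix.Name{CommonName: "portal.aerohive.com", Organization: []string{"Sophia University"}, Country: []string{"JP"}}
	data, err := selfSignedPEM(subject, 365, 2048)
	if err != nil {
		panic(err)
	}
	os.Stdout.Write(data)
	_, _, err = loadConcatenated(data, time.Now())
	fmt.Println("accurate clock:", err)
	_, _, err = loadConcatenated(data, time.Now().AddDate(0, 0, -2)) // a clock two days slow
	fmt.Println("clock behind:", err)
}
```

The second call in main simulates the failure the page's note warns about: with the appliance clock two days behind, a freshly issued certificate is rejected as not yet valid, so check the clock before blaming the certificate.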
Copyright © 2020 Extreme Networks. All rights reserved. Published March 2020.