Create a Server CSR

Before generating a certificate, make sure the time and date on the ExtremeCloud IQ clock are accurate. Otherwise, the certificate might be rejected during validation because the starting date has not occurred or the expiration date has passed.

Use this task to create a server CSR.

  1. Enter a descriptive name or the domain name of the ExtremeCloud IQ appliance or Virtual IQ that you are going to use to sign server certificates.
    The appliance or VIQ name you assign is used to verify the server certificates when they are used to authenticate participants in AAA exchanges. Examples: SophiaCA, HiltonCA, Extreme NetworksCA.
  2. Enter the ExtremeCloud IQ organization's name.
    Examples: Sophia University, Hilton Hotel, Extreme Networks.
  3. Enter the ExtremeCloud IQ division's name.
    Examples: Marketing, Engineering, Sales.
  4. Enter the ExtremeCloud IQ location.
  5. Enter the ExtremeCloud IQ state or province.
  6. Enter the ExtremeCloud IQ two-character country code.
  7. Enter an optional contact email address.
  8. Enter an optional Subject Alternative Name.

    When the server certificate is used to verify a VPN server, the VPN client that receives the certificate during IKE (Internet Key Exchange) negotiations uses the SAN (Subject Alternative Name) in that certificate to perform two validity checks for the server. First, the VPN client checks that the SAN which the VPN server presents as its IKE ID matches the SAN in the certificate that the server supplies. Second, the VPN client verifies that the IKE ID it receives from the VPN server matches the peer IKE ID in its configuration. Fill in the associated fields as follows:

    • User FQDN: Enter a text string in the form of a fully-qualified domain name for an individual. It resembles an email address: <string>@<domain>. For example, jhan@extremenetworks.com.
    • FQDN: Enter a text string in the form of a fully-qualified domain name, such as portal.extremenetworks.com.
    • IP Address: Enter an IP address in dotted decimal notation, for example, 10.1.1.1.
  9. Choose a key size for the key pair: 512, 1024, or 2048 bytes.
    The encryption produced by the smallest key size (512 bytes) can be cracked with relatively common tools and is not generally recommended. However, it might be needed if the devices on which the CA certificate must be loaded do not support larger key sizes. Keys of 1024 or 2048 bytes provide far stronger encryption, but require greater processing power.
  10. Enter the corresponding password for encrypting and decrypting the private key linked to the public key in the CA.
  11. Enter a name to distinguish the CSR file.
  12. Select Save.
    ExtremeCloud IQ saves the CA certificate with the file name Default_CA.pem and the accompanying private key as Default_key.pem.
  13. Select a Generate Method as follows:
    • To send the CSR to a third-party CA to generate a server certificate, select Export and OK, save the CSR file to your management system, and then send it to the CA.
    • To generate a server certificate using ExtremeCloud IQ as a CA, select Sign by ExtremeCloud IQ CA, enter a valid time period, clear or select Combine key and certificate into one file as explained below, and then select OK:
      • Clear Combine key and certificate into one file to create two separate files—one with the certificate and another with the private key. Extreme Networks RADIUS servers use these two files to authenticate themselves to RADIUS supplicants using PEAP (Protected Extensible Authentication Protocol), TTLS (Tunneled Transport Layer Security), or TLS (Transport Layer Security).
      • Select Combine key and certificate into one file to create a single file that combines the certificate and private key. This simplifies the organization of server certificates and their related private keys so that they cannot accidentally become mismatched. You can use the concatenated server certificate/private key file to provide authentication between RADIUS authentication servers and their supplicants.
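
The two SAN validity checks described in step 8, modelled as an added example (this is not ExtremeCloud IQ or VPN client code). The type labels `user_fqdn`, `fqdn` and `ip`, the function names, and the normalization rules are assumptions made for illustration; the sample values are the ones used in step 8.

```python
import ipaddress

def normalize(kind, value):
    """Canonical form of one SAN / IKE ID value for the three types in step 8."""
    value = value.strip()
    if kind == "ip":
        return str(ipaddress.ip_address(value))   # ValueError if not an IP address
    if kind == "fqdn":
        return value.rstrip(".").lower()          # DNS names compare case-insensitively
    if kind == "user_fqdn":
        local, sep, domain = value.rpartition("@")
        if not (sep and local and domain):
            raise ValueError(f"not <string>@<domain>: {value!r}")
        # Assumption: only the domain part is folded to lower case.
        return f"{local}@{domain.rstrip('.').lower()}"
    raise ValueError(f"unknown SAN type: {kind!r}")

def check_server_identity(ike_id, cert_sans, configured_peer_id):
    """Apply both checks to a (type, value) IKE ID; return (ok, reason)."""
    try:
        presented = (ike_id[0], normalize(*ike_id))
        expected = (configured_peer_id[0], normalize(*configured_peer_id))
        sans = {(kind, normalize(kind, value)) for kind, value in cert_sans}
    except ValueError as exc:
        return False, f"malformed identity: {exc}"
    # Check 1: the IKE ID the server presents must be a SAN in its certificate.
    if presented not in sans:
        return False, "IKE ID is not a SAN in the server certificate"
    # Check 2: the IKE ID must equal the peer IKE ID configured on the client.
    if presented != expected:
        return False, "IKE ID does not match the configured peer IKE ID"
    return True, "ok"

# Constructed sample: SAN entries as they would be entered in step 8.
CERT_SANS = [
    ("user_fqdn", "jhan@extremenetworks.com"),
    ("fqdn", "portal.extremenetworks.com"),
    ("ip", "10.1.1.1"),
]

if __name__ == "__main__":
    peer = ("fqdn", "portal.extremenetworks.com")
    for ike_id in [("fqdn", "Portal.ExtremeNetworks.com"),  # passes both checks
                   ("ip", "10.1.1.1"),      # in the SAN, but not the configured peer ID
                   ("fqdn", "10.1.1.1")]:   # right value, wrong SAN type
        print(ike_id, check_server_identity(ike_id, CERT_SANS, peer))
```

An identity entered under the wrong SAN type fails the first check even when the text is identical, so the field chosen in step 8 has to match the ID type configured on the VPN peers.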