Setting up PKI

Session establishment using PKI follows this sequence:

  1. Generate the X509v3 certificates involved: CA certificates, OCSP Signature CA certificate, peer certificate (for example, Syslog server or SSH client), and ExtremeXOS device certificate.
  2. Download the CA certificates and OCSP Signature CA certificates to the ExtremeXOS device.
  3. Download the ExtremeXOS device certificate and key to the ExtremeXOS device (required for establishing a TLS session with the Syslog server).
  4. Configure the peer (Syslog server or SSH client) as required to use its own X509v3 certificate in the connection request.
  5. Initiate the connection request from the peer (Syslog server or SSH client) to the ExtremeXOS device.
  6. The ExtremeXOS device performs the following checks on the received peer's certificate and accepts or rejects the connection request:
    1. Certificate chain verification.
    2. Sanity checks on certificate extensions.
    3. OCSP.
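
As an added example (not taken from the ExtremeXOS documentation), the following OpenSSL script covers step 1 on an administrator workstation and pre-checks each certificate's chain and basic extensions before anything is downloaded to the device. All file names, subjects, lifetimes and extension profiles are constructed for a lab, and issuing the OCSP signing certificate directly from the same lab CA is an assumption about the deployment.

```shell
#!/bin/sh
# Added example: throwaway lab PKI. File names, subjects and lifetimes are constructed.

# issue NAME SUBJECT PROFILE: new key and CSR, signed by the lab CA with an extension profile
issue() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "$2" 2>/dev/null &&
    openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
        -out "$1.pem" -days 30 -extfile ext.cnf -extensions "$3" 2>/dev/null
}

# build_lab_pki DIR: create the CA, OCSP signer, device and peer certificates in DIR
build_lab_pki() (   # runs in a subshell so cd and umask do not leak to the caller
    umask 077       # private keys are readable by the owner only
    mkdir -p "$1" && cd "$1" || exit 1
    cat > ext.cnf <<'EOF'
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ocsp]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = OCSPSigning
[leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
EOF
    # Self-signed root CA (assumption: a single-tier hierarchy)
    openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr \
        -subj "/CN=Lab Root CA" 2>/dev/null &&
    openssl x509 -req -in ca.csr -signkey ca.key -out ca.pem -days 30 \
        -extfile ext.cnf -extensions ca 2>/dev/null &&
    issue ocsp   "/CN=Lab OCSP Signer"    ocsp &&
    issue device "/CN=switch.lab.example" leaf &&
    issue peer   "/CN=syslog.lab.example" leaf
)

# check_cert DIR NAME: chain verification, then confirm the certificate is not a CA
check_cert() {
    openssl verify -CAfile "$1/ca.pem" "$1/$2.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1/$2.pem" -noout -text | grep -q "CA:FALSE"
}

# has_ocsp_eku DIR NAME: true only if the certificate carries the OCSPSigning EKU
has_ocsp_eku() {
    openssl x509 -in "$1/$2.pem" -noout -text | grep -q "OCSP Signing"
}
```

Run `build_lab_pki ./lab-pki`, then `check_cert ./lab-pki device` and `has_ocsp_eku ./lab-pki ocsp`; a non-zero exit status flags a certificate that should be fixed before it is downloaded to the device.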