Setting up PKI
Following is the sequential workflow involved in the session
establishment using PKI:
-
Generate the involved X509v3 certificates: CA
certificates, OCSP Signature CA certificate, Peer certificate (for example:
Syslog server or SSH client), ExtremeXOS device certificate.
-
Download the CA certificates and OCSP Signature CA
certificates to the ExtremeXOS device.
-
Download the ExtremeXOS device certificate and key
to ExtremeXOS device (required for establishing TLS session with Syslog
server).
-
Configure the peer (Syslog server or SSH client)
as required to use its own X509v3 certificate in the connection request.
-
Initiate the connection request from peer (Syslog
server or SSH client) to ExtremeXOS device.
-
ExtremeXOS device performs below tasks on the
received peer‘s certificate and accepts/rejects the connection request:
-
Certificate chain verification.
-
Sanity checks on certificate extensions.
-
OCSP.