Setting Up PKI
The following is the sequential workflow for establishing a session using PKI:
- Generate the involved X509v3 certificates: CA certificates, OCSP Signature CA certificate, Peer certificate (for example: Syslog server or SSH client), ExtremeXOS device certificate.
- Download the CA certificates and OCSP Signature CA certificates to the ExtremeXOS device.
- Download the ExtremeXOS device certificate and key to the ExtremeXOS device (required for establishing a TLS session with the Syslog server).
- Configure the peer (Syslog server or SSH client) as required to use its own X509v3 certificate in the connection request.
- Initiate the connection request from the peer (Syslog server or SSH client) to the ExtremeXOS device.
- The ExtremeXOS device performs the following tasks on the received peer's certificate and accepts or rejects the connection request:
  - Certificate chain verification
  - Validity checks on certificate extensions
  - OCSP
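
The certificate-generation step and the chain check from the workflow above, as an added example that is not part of the original documentation or of any ExtremeXOS tooling: it builds a throwaway lab PKI with the OpenSSL CLI and verifies each certificate against the CA. The subjects, file names, 30-day lifetime and key-usage choices are assumptions, and the OCSP certificate is modelled here as a responder certificate issued by the same lab CA.

```shell
#!/bin/sh
# Added example: throwaway lab PKI. All names and subjects are constructed.
set -e

# Write a minimal OpenSSL config so results do not depend on the system default.
write_cnf() {
cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_ocsp]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = OCSPSigning
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
EOF
}

# issue DIR NAME SUBJECT SECTION: new key + CSR, signed by the lab CA.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/pki.cnf" -subj "$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$1/pki.cnf" \
        -extensions "$4" -out "$1/$2.crt" 2>/dev/null
}

make_lab_pki() {
    mkdir -p "$1"; write_cnf "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
        -config "$1/pki.cnf" -extensions v3_ca -subj "/CN=Lab Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    issue "$1" ocsp   "/CN=Lab OCSP Responder" v3_ocsp
    issue "$1" peer   "/CN=syslog.lab.example" v3_leaf
    issue "$1" device "/CN=exos1.lab.example"  v3_leaf
}

# check_chain DIR NAME: succeeds only if NAME.crt chains to the lab CA.
check_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" 2>&1 | grep -q ': OK$'
}

lab=$(mktemp -d)
make_lab_pki "$lab"
for c in ocsp peer device; do check_chain "$lab" "$c" && echo "$c.crt: chain OK"; done
```

Running the same chain check on each certificate before downloading it to the device catches a wrong issuer or a missing CA flag early, before the device rejects the connection request.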