The following is the sequential workflow involved in session
establishment using PKI:

- Generate the involved X509v3 certificates: CA certificates, OCSP Signature CA certificate, peer certificate (for example, Syslog server or SSH client), and ExtremeXOS device certificate.
- Download the CA certificates and OCSP Signature CA certificates to the ExtremeXOS device.
- Download the ExtremeXOS device certificate and key to the ExtremeXOS device (required for establishing a TLS session with the Syslog server).
- Configure the peer (Syslog server or SSH client) as required to use its own X509v3 certificate in the connection request.
- Initiate the connection request from the peer (Syslog server or SSH client) to the ExtremeXOS device.
- The ExtremeXOS device performs the following tasks on the received peer's certificate and accepts or rejects the connection request:
  - Certificate chain verification
  - Validity checks on certificate extensions
  - OCSP revocation status check
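The certificate generation step and the device's chain and extension checks, as an added shell example using openssl (this is not ExtremeXOS code or CLI; all names and files are constructed, and the OCSP step is not covered):

```shell
#!/bin/sh
# Added example, not from the ExtremeXOS documentation. Builds a throwaway
# CA and a peer (Syslog server) certificate with openssl, then applies the
# two local checks the device applies to a presented peer certificate:
# chain verification and extension validity. OCSP is not exercised here.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
# Self-contained openssl config so the system default config cannot add or
# clash with extensions. All names are constructed for this example.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_peer]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:syslog.example.test
EOF
make_ca() {  # $1 = basename, $2 = CN: self-signed X509v3 CA certificate
  openssl req -x509 -config "$WORK/openssl.cnf" -extensions v3_ca -newkey rsa:2048 \
    -nodes -days 30 -sha256 -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}
make_peer() {  # $1 = basename, $2 = signing CA basename: server-auth peer cert
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=syslog.example.test" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
    -days 30 -sha256 -extfile "$WORK/openssl.cnf" -extensions v3_peer -out "$WORK/$1.pem" >/dev/null 2>&1
}
# Chain verification against one trusted CA; -purpose also requires CA:TRUE on
# the issuer and a server-compatible EKU on the leaf (extension validity).
verify_chain() {  # $1 = peer basename, $2 = trusted CA basename
  openssl verify -purpose sslserver -CAfile "$WORK/$2.pem" "$WORK/$1.pem" >/dev/null 2>&1
}
# Explicit extension check: does the peer cert carry the EKU expected for its role?
has_eku() {  # $1 = peer basename, $2 = EKU text as openssl prints it
  openssl x509 -in "$WORK/$1.pem" -noout -text | grep -q "$2"
}
make_ca trusted "Example Trusted CA"; make_ca rogue "Example Untrusted CA"
make_peer peer trusted; make_peer impostor rogue   # same subject, untrusted issuer
verify_chain peer trusted     && echo "peer: chain OK"
verify_chain impostor trusted || echo "impostor: chain rejected (issuer not trusted)"
```

The impostor certificate has the same subject name as the real peer but chains to a CA the device does not hold, which is exactly what the chain verification step is there to reject.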