The following is the sequential workflow for establishing a session using PKI:
1. Generate the X509v3 certificates involved: CA certificates, OCSP Signature CA certificate, Peer certificate (for example: Syslog server or SSH client), ExtremeXOS device certificate.
2. Download the CA certificates and OCSP Signature CA certificates to the ExtremeXOS device.
3. Download the ExtremeXOS device certificate and key to the ExtremeXOS device (required for establishing TLS session with Syslog
4. Configure the peer (Syslog server or SSH client) as required to use its own X509v3 certificate in the connection request.
5. Initiate the connection request from the peer (Syslog server or SSH client) to the ExtremeXOS device.
6. The ExtremeXOS device performs the following tasks on the received peer's certificate and accepts or rejects the connection request:
- Certificate chain verification
- Validity checks on certificate extensions
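
The accept-or-reject decision in the last step, modeled as an added Go example (not ExtremeXOS code and not from the original page): `checkPeer` verifies the peer certificate's chain against a trusted CA, then checks its extensions. The function names, the constructed test certificates, and the choice of basicConstraints, keyUsage and extendedKeyUsage as the extensions checked are assumptions, since the page does not list which extensions the device validates; OCSP is not modeled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"slices"
	"time"
)
const clientAuth, serverAuth = x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth

// issue builds a constructed test certificate; a nil parent yields a self-signed CA (eku ignored).
func issue(cn string, eku x509.ExtKeyUsage, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku}}
	if parent == nil { // no issuer given: make this certificate a self-signed CA
		t.IsCA, t.KeyUsage, t.ExtKeyUsage = true, x509.KeyUsageCertSign, nil
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// checkPeer returns nil to accept the peer; otherwise the error names the check that failed.
func checkPeer(peer, ca *x509.Certificate, want x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca) // stands in for the CA certificates downloaded to the device
	if _, err := peer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("chain verification: %w", err) // bad signature path or validity period
	}
	if peer.IsCA || peer.KeyUsage&x509.KeyUsageDigitalSignature == 0 || !slices.Contains(peer.ExtKeyUsage, want) {
		return fmt.Errorf("extension check: basicConstraints, keyUsage or extendedKeyUsage not valid for this peer role")
	}
	return nil
}

func main() {
	ca, caKey := issue("Constructed Test CA", 0, nil, nil)
	peer, _ := issue("ssh-client.example", clientAuth, ca, caKey)
	fmt.Println("as client:", checkPeer(peer, ca, clientAuth), "| as server:", checkPeer(peer, ca, serverAuth))
}
```

Chain verification runs first with `ExtKeyUsageAny`, so a certificate from an untrusted issuer is rejected before its extensions are considered, and a usage mismatch is reported as an extension failure rather than a chain failure.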