Setting Up PKI
The following is the sequential workflow involved in the session establishment using PKI:
- Generate the involved X509v3 certificates: CA certificates, OCSP Signature CA certificate, Peer certificate (for example: Syslog server or SSH client), ExtremeXOS device certificate.
- Download the CA certificates and OCSP Signature CA certificates to the ExtremeXOS device.
- Download the ExtremeXOS device certificate and key to ExtremeXOS device (required for establishing TLS session with Syslog server).
- Configure the peer (Syslog server or SSH client) as required to use its own X509v3 certificate in the connection request.
- Initiate the connection request from peer (Syslog server or SSH client) to ExtremeXOS device.
The ExtremeXOS device
performs the following tasks on the received peer‘s certificate and accepts or
rejects the connection request:
- Certificate chain verification
- Validity checks on certificate extensions