openssl req -new -x509 -extensions v3_ca -keyout xnc-private.pem -out xnc-cert.pem -days 3650
Combine xnc-private.pem and xnc-cert.pem into one:
cat xnc-private.pem xnc-cert.pem > xnc.pem
Convert xnc.pem to pkcs12:
openssl pkcs12 -export -out xnc.p12 -in xnc.pem
Generate password-protected Java keystore of xnc.p12:
keytool -importkeystore -srckeystore xnc.p12 -srcstoretype pkcs12 -destkeystore tlsKeyStore -deststoretype jks
Export the router's certificate to the XNC Controller (paste the PEM output into the sw-cacert.pem file used in the next step):
c891(config)#crypto pki export c891 pem terminal
Generate password-protected Java truststore of sw-cacert.pem:
keytool -import -alias swca1 -file sw-cacert.pem -keystore tlsTrustStore
Start XNC script:
./runxnc.sh -start 8022 -tls -tlskeystore tlsKeyStore -tlstruststore tlsTrustStore
Configure the passwords for the router, keystore and truststore, so that XNC can decrypt the encrypted keystore/truststore:
bin/./configkeystorepwd.sh
The router's (TLS client) default self-signed certificate (might look something like IOS-Self-Signed-Certificate-2124668178) is not suitable for establishing a working TLS tunnel with the XNC controller (TLS server).
If you debug the XNC script with
./runxnc.sh -start 8022 -tls -tlskeystore tlsKeyStore -tlstruststore tlsTrustStore -console -debug
and add a onePK client, the script might report the error:
No subject alternative names matching IP address
The solution was to delete the factory IOS self-signed certificate and generate a new one whose subject alternative name matches the router's IP address.
Sample trustpoint configuration:
crypto pki trustpoint c891
enrollment selfsigned
serial-number
ip-address 10.113.114.210
subject-name cn=c891
subject-alt-name 10.113.114.210
revocation-check none
rsakeypair c891keys
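A check for the subject alternative name problem described above, added here as an example and not part of the original post: it lists the SAN entries of a PEM certificate and tells you whether the IP the peer connects to is among them, before the certificate goes into tlsTrustStore. It assumes OpenSSL 1.1.1 or newer; the file names and the IP address are placeholders taken from the sample trustpoint configuration.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that a certificate's
# subjectAltName carries the IP address the peer will connect to, which is
# the condition behind "No subject alternative names matching IP address".
# Assumptions: OpenSSL 1.1.1 or newer (-addext / -ext); file names and the
# IP address are placeholders from the post's sample configuration.

# List the subjectAltName entries of a PEM certificate, one per line,
# e.g. "IP Address:10.113.114.210" or "DNS:c891".
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tail -n +2 | tr ',' '\n' | sed 's/^[[:space:]]*//'
}

# Exit status 0 only if the certificate has an "IP Address" SAN equal to $2.
san_matches_ip() {
    cert_sans "$1" | grep -qx "IP Address:$2"
}

# Issue a self-signed certificate with an IP SAN (constructed example), the
# OpenSSL-side equivalent of the trustpoint's "subject-alt-name" line.
# $1 = output prefix, $2 = common name, $3 = IP address for the SAN
make_selfsigned_with_san() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=$2" -addext "subjectAltName=IP:$3" \
        -keyout "$1-private.pem" -out "$1-cert.pem" 2>/dev/null
}

# Usage: ./check-san.sh sw-cacert.pem 10.113.114.210
if [ "$#" -eq 2 ]; then
    if san_matches_ip "$1" "$2"; then
        echo "OK: $1 has an IP SAN for $2"
    else
        echo "MISSING: $1 has no IP SAN for $2; SANs present:"
        cert_sans "$1"
        exit 1
    fi
fi
```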