From 6a465bba6f7cf7d69879d8622665b7baa542e37f Mon Sep 17 00:00:00 2001
From: Jon Sands
Date: Sat, 6 Aug 2022 08:10:29 -0400
Subject: [PATCH] admonition attempt v1

---
 docs/icx6xxx-adv.md | 121 ++++++++++++++++++++++----------------------
 1 file changed, 61 insertions(+), 60 deletions(-)

diff --git a/docs/icx6xxx-adv.md b/docs/icx6xxx-adv.md
index b778fcc..a214baf 100644
--- a/docs/icx6xxx-adv.md
+++ b/docs/icx6xxx-adv.md
@@ -33,72 +33,73 @@ web-management https
 Once you get an `ssl-certificate creation is successful` message in the console, you'll be able to access the web UI via `https`.
-If you want to use your own certificate that is also possible. It's important to remember that the switch [doesn't support PKCS #8](https://community.ruckuswireless.com/t5/Switches/Can-t-import-SSL-certificates-quot-Could-not-parse-the-PEM/m-p/18554/highlight/true#M686) and this isn't actually [documented anywhere](https://docs.ruckuswireless.com/fastiron/08.0.60/fastiron-08060-securityguide/GUID-E83AC70A-9F89-4209-B6C4-ED5725D4F487.html). You must create certificates using the PKCS #1 format. If you try to use PKCS #8 (the default for openssl), you'll get certificate parsing errors.
+??? info
+ If you want to use your own certificate that is also possible. It's important to remember that the switch [doesn't support PKCS #8](https://community.ruckuswireless.com/t5/Switches/Can-t-import-SSL-certificates-quot-Could-not-parse-the-PEM/m-p/18554/highlight/true#M686) and this isn't actually [documented anywhere](https://docs.ruckuswireless.com/fastiron/08.0.60/fastiron-08060-securityguide/GUID-E83AC70A-9F89-4209-B6C4-ED5725D4F487.html). You must create certificates using the PKCS #1 format. If you try to use PKCS #8 (the default for openssl), you'll get certificate parsing errors.
-The ICX6610 again doesn't support keys larger than 2048 bits. This example assumes you want to create your own CA and sign with it.
+ The ICX6610 again doesn't support keys larger than 2048 bits. This example assumes you want to create your own CA and sign with it.
-1. Create new Root CA
-```
-pass='{{ pass }}' \
-name='{{ name }}' \
-openssl req \
- -newkey rsa:4096 \
- -sha512 \
- -passin pass:"${pass}" \
- -x509 \
- -nodes \
- -keyout "$name"Root.pem \
- -new \
- -out "$name"Root.crt \
- -subj "/CN="$name" Root CA" \
- -days 3650
-```
+ 1. Create new Root CA
+ ```
+ pass='{{ pass }}' \
+ name='{{ name }}' \
+ openssl req \
+ -newkey rsa:4096 \
+ -sha512 \
+ -passin pass:"${pass}" \
+ -x509 \
+ -nodes \
+ -keyout "$name"Root.pem \
+ -new \
+ -out "$name"Root.crt \
+ -subj "/CN="$name" Root CA" \
+ -days 3650
+ ```
-2. Generate key in PKCS#1 format. Use the `-traditional`, see [openssl-genrsa](https://www.openssl.org/docs/manmaster/man1/openssl-genrsa.html) for more details.
-```
-openssl genrsa -traditional -out keyfile 2048
-```
+ 2. Generate key in PKCS#1 format. Use the `-traditional`, see [openssl-genrsa](https://www.openssl.org/docs/manmaster/man1/openssl-genrsa.html) for more details.
+ ```
+ openssl genrsa -traditional -out keyfile 2048
+ ```
-3. Create certificate sign request
-```
-name='{{ name }}' \
-C='{{ country }}' \
-ST='{{ state/province }}' \
-openssl req \
- -new \
- -sha512 \
- -key keyfile \
- -subj "/C="$C"/ST="$ST"/O="$name" Network, Inc./CN=sw1.home.arpa" \
- -out certsignreq.csr \
- -reqexts SAN \
- -extensions SAN \
- -config <(cat /etc/ssl/openssl.cnf ; printf "[SAN]\nsubjectAltName=DNS:%s" "sw1.home.arpa")
-```
+ 3. Create certificate sign request
+ ```
+ name='{{ name }}' \
+ C='{{ country }}' \
+ ST='{{ state/province }}' \
+ openssl req \
+ -new \
+ -sha512 \
+ -key keyfile \
+ -subj "/C="$C"/ST="$ST"/O="$name" Network, Inc./CN=sw1.home.arpa" \
+ -out certsignreq.csr \
+ -reqexts SAN \
+ -extensions SAN \
+ -config <(cat /etc/ssl/openssl.cnf ; printf "[SAN]\nsubjectAltName=DNS:%s" "sw1.home.arpa")
+ ```
-4. Sign certificate request
-```
-name='{{ name }}' \
-openssl x509 \
- -req \
- -in certsignreq.csr \
- -CA "$name"Root.crt \
- -CAkey "$name"Root.pem \
- -CAcreateserial \
- -out certfile \
- -days 3650 \
- -sha512 \
- -extensions v3_ext \
- -extensions SAN \
- -extfile <(cat /etc/ssl/openssl.cnf ; printf "[SAN]\nsubjectAltName=DNS:%s" "sw1.home.arpa")
-```
+ 4. Sign certificate request
+ ```
+ name='{{ name }}' \
+ openssl x509 \
+ -req \
+ -in certsignreq.csr \
+ -CA "$name"Root.crt \
+ -CAkey "$name"Root.pem \
+ -CAcreateserial \
+ -out certfile \
+ -days 3650 \
+ -sha512 \
+ -extensions v3_ext \
+ -extensions SAN \
+ -extfile <(cat /etc/ssl/openssl.cnf ; printf "[SAN]\nsubjectAltName=DNS:%s" "sw1.home.arpa")
+ ```
-5. Install your own certificate via tftp
-```
-ip ssl cert-key-size 2048
-ip ssl certificate-data-file tftp 192.168.1.51 certfile
-ip ssl private-key-file tftp 192.168.1.51 keyfile
-web-management https
-```
+ 5. Install your own certificate via tftp
+ ```
+ ip ssl cert-key-size 2048
+ ip ssl certificate-data-file tftp 192.168.1.51 certfile
+ ip ssl private-key-file tftp 192.168.1.51 keyfile
+ web-management https
+ ```
 You should enable authentication for telnet access:
 ```