Submitting the csr to a certificate authority, Kac certificate registration expiry – Brocade Network Advisor SAN User Manual v12.3.0 User Manual

Page 766

Advertising
background image

714

Brocade Network Advisor SAN User Manual

53-1003154-01

Steps for connecting to a DPM appliance

20

4. Do one of the following:

If a CSR is present, click Export.

If a CSR is not present, select a switch from the Encryption Center Devices table, then
select Switch > Init Node from the menu task bar. This generates switch security
parameters and certificates, including the KAC CSR.

5. Save the file. The default location for the exported file is in the Documents folder.

NOTE

The CSR is exported in Privacy Enhanced Mail (.pem) format. This is the format required in
exchanges with Certificate Authorities (CAs).

Submitting the CSR to a certificate authority

The CSR must be submitted to a Certificate Authority (CA) to be signed. The CA is a trusted
third-party entity that signs the CSR. Several CAs are available and procedures vary, but the general
steps are as follows:

1. Open an SSL/TLS connection to an X.509 server.

2. Submit the CSR for signing.

3. Request the signed certificate.

Generally, a public key, the signed Key Authentication Center (KAC) certificate, and a signed CA
certificate are returned.

4. Download and store the signed certificates.

The following example submits a CSR to the demoCA from RSA:

cd /opt/CA/demoCA

openssl x509 -req -sha1 -CAcreateserial -in certs/<Switch CSR Name> -days 365

-CA cacert.pem -CAkey private/cakey.pem -out newcerts/<Switch Cert Name>

NOTE

You can change the number of days that a certificate will expire based on your site's security policies.
For more information on changing the certificate expiry date, refer to

“KAC certificate registration

expiry”

on page 714.

KAC certificate registration expiry

It is important to keep track as to when your signed Key Authentication Center (KAC) certificates will
expire. Failure to work with valid certificates causes certain commands to not work as expected. If
you are using the certificate expiry feature and the certificate expires, the key vault server will not
respond as expected. For example, the Group Leader in an encryption group might show that the
key vault is connected; however, a member node reports that the key vault is not responding.

To verify the certificate expiration date, use the following command:

openssl x509 –in newcerts/<Switch Cert Name> -dates –noout

Output:

Not Before: Dec 4 18:03:14 2009 GMT

Not After : Dec 4 18:03:14 2010 GMT

Advertising
Popular Brands
Popular manuals