PKI Security - CLI

Created by Ribbon Communications, last modified on Aug 17, 2016

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Back to Table of Contents

Back to CLI Configure Mode

Back to System - CLI

Back to Security Management - CLI

In this section:

The Public Key Infrastructure (PKI) provides a common set of infrastructure features supporting public key and certificate-based authentication based on the RSA public/private key pairs and X.509 digital certificates.

Certificate Types

Local-Internal Certificates

In previous

Unable to show "metadata-from": No such page "_space_variables"

versions, the RSA key pairs and Certificate Signing Request (CSR) for

Unable to show "metadata-from": No such page "_space_variables"

platforms were generated on an external workstation. The CSR was then submitted to a Certificate Authority, and the resulting certificate was received back from the CA, copied onto the workstation, and combined with the private key in a PKCS#12 file which was used to install the key pair and certificate onto the

Unable to show "metadata-from": No such page "_space_variables"

.

The

Unable to show "metadata-from": No such page "_space_variables"

application can now generate and install RSA key pairs and generate Certificate Signing Request (CSR) on the

Unable to show "metadata-from": No such page "_space_variables"

system itself. The certificate request is sent to a CA, and the issued certificate is then installed on the

Unable to show "metadata-from": No such page "_space_variables"

. The local-internal certificate option simplifies the certificates and keys managing process and also provides more security since the private key never leaves the

Unable to show "metadata-from": No such page "_space_variables"

. For steps to configure local-internal certificates, see Generating PKI Certificates.

Local Certificates

Local certificates are credentials belonging to the local system itself, which it presents to peers in order to prove its identity. You have to download local certificate files to the system before installing the certificates.

Remote Certificates

Remote certificates are credentials belonging to Certificate Authorities (CA). The copies of these certificates are installed in the

Unable to show "metadata-from": No such page "_space_variables"

because they are part of a chain of certificates the local system will present to peers, or because the corresponding CAs are trust anchors for the local system. Certificates belonging to non-CA remote systems should also be installed as trust anchors in this manner.

The Certificate Authority (CA) certificates and trusted remote certificates contain public key certificates; they do not contain the private keys. The CA certificates and remote certificates are Distinguished Encoding Rules (DER) format files; a method for encoding a data object (such as an X.509 certificate) which uses a digital signature to bind together a public key with an identity.

The

Unable to show "metadata-from": No such page "_space_variables"

imports these certificates from Distinguished Encoding Rules (DER) formatted files.

Command Syntax

Set Command Syntax

% set system security pki certificate <certificate name>
	fileName <1-255 characters>
	passPhrase <pass phrase>
	state <disabled | enabled>
	type <local | local-internal | remote>


% show system security pki
 
% delete system security pki

Request Command Syntax

The page request system was not found -- Please check/update the page name used in the MultiExcerpt-Include macro

Command Parameters

Note

The SBC supports a maximum of 4,096 TLS certificates/CAs (both local and remote).

Set Parameters

set system security Parameters

Parameter	Length/Range	Description
`certificate`	N/A	`<certificate name>` – The collection of certificates configured on SBC.
`fileName`	N/A	Certificate content filename.
`passPhrase`	N/A	Specifies the pass-phrase to decrypt RSA private key in PKCS12 file.
`state`	N/A	Administration state of this certificate. Options are: `disabled` – Prohibits the PKI certificate from being used by the Unable to show "metadata-from": No such page "_space_variables" for authenticating remote peers (when this is a remote certificate) OR presenting its own identity (in case of a local or local-internal certificate). `enabled` – Certificate can be used by Unable to show "metadata-from": No such page "_space_variables" for authentication purposes. The certificate must first be installed on the Unable to show "metadata-from": No such page "_space_variables" before enabling it.
`type`	N/A	Specifies the certificate type – CA (remote) certificate or local certificate. Options are: `local` – Certificate belongs to (has as its subject) the local system itself; the key pair and CSR were generated elsewhere. `local-internal` – Certificate belongs to (has as its subject) the local system itself; the key pair and CSR were generated on this machine. `remote` – Certificate belongs to (has as its subject) a remote entity such as a CA or peer device.

Request Parameters

The page request system was not found -- Please check/update the page name used in the MultiExcerpt-Include macro

Command Example

To display security management configuration:

% show system security pki certificate
certificate testSBCCert {
    state 		enabled;
	fileName	sonuscert.pem
    type  local-internal;
}
certificate defaultSBCCert {
    state      enabled;
    fileName   sonuscert.p12;
    passPhrase $3$KFfiuJ0Lifk=;
    type       local;
}

No labels