Table of Contents
Advertisement
Keypair regeneration
The PEM file containing the keypair is regenerated by the
controller if:
1. It expires. This will be noted in the XstreamCORE event
log. Additionally, the approaching expiration of the
keypair is logged one month prior to its expiration.
2. The IP configuration of an Ethernet port changes. The
certificate used on the controller uses the IP
configurations of the Ethernet ports (but not the DNS
name of the controller). If an Ethernet port IP
configuration changes, the keypair will be regenerated to
reflect the change.
3. User-provided certificate attributes change.
In all cases, since it is the controller that generates the
keypair, the certificate within will be self-signed. This will
result in a client web browser warning advisement when a
connection attempt is made to the controller.
Even if an externally signed certificate is present on
the XstreamCORE, a self-signed certificate will be generated to
replace it if the conditions met above are met.
Uploading a keypair PEM file
If a self-signed certificate is not desirable, an externally-
signed certificate and its associated private key can be
uploaded to the controller. The file containing this keypair
must meet several requirements:
1. It must be named httpspem.pem.
2. It must be in the PEM format.
3. The contents of the file must include both the certificate
and the private key.
4. It must not be encrypted (if generated via OpenSSL's
"req" command, specify "-nodes").
5. The private key must be an RSA private key.
6. The certificate must be SHA256 signed.
7. The certificate must have the same attributes as the
controller displays in the "get HttpsCertParams"
command (see below).
The file format should appear as follows (note that the actual
contents have been abbreviated):
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBA
QDaJU8liMAIZREs
... <snip>
uU0m3t4sxrOlF5WarwTYQWKE
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDIjCCAgqgAwIBAgIJANYizZ6isr/gMA0GCSqGSIb3DQEBCwUA
MDoxCzAJBgNV
... <snip>
/GAqJDXDoFDpHrHGEXtOi9AP1VKxREo+J/L9eb+CuOE/EPFaHlM
=
-----END CERTIFICATE-----
Keypairs may be uploaded via the "Certificate Management"
page of the XstreamVIEW interface.
CLI commands available for the user
1.
HTTPSCertInfo: This command displays certificate
information to the console, including IP addresses
associated with the keypair PEM file, the expiration date,
attributes, and algorithms used. Example output:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
d6:22:cd:9e:a2:b2:bf:e0
Signature Algorithm: sha256WithRSAEncryption
Issuer: ST = NY, L = Getzville, O = AttoTechnology
Validity
Not Before: Feb 4 18:32:13 2019 GMT
Not After : Feb 4 18:32:13 2020 GMT
Subject: ST = NY, L = Getzville, O = AttoTechnology
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Subject Alternative Name:
IP Address:10.40.0.31
-----BEGIN CERTIFICATE-----
MIIDIjCCAgqgAwIBAgIJANYizZ6isr/gMA0GCSqGSIb3DQEBCwUA
MDoxCzAJBgNV
<snip>
-----END CERTIFICATE-----
2.
HttpsCertParams: Displays and configures the
certificate's attributes, including State (ST), Locality (L),
and Organization (O) attributes (as shown in the example
above). These attributes may also be set via the
Certificate Management page in the XstreamVIEW web
interface.
Advertisement
Table of Contents
