NBB-800
User Manual for NRSW version 4.5.0.100
When enrolling certificates, the CA certificate will be initially fetched from the specified SCEP URL
using the getca operation. It will be shown on the configuration page and it has to be verified that it
belongs to the correct authority. Otherwise, the CA must be rejected. This part is essential when using
SCEP as it builds up the chain of trust.
If a certificate enrollment request times out, it is possible to re-trigger the interrupted enrollment request
and it will be resumed using the previously generated key. In case a request has been rejected, you
are required to erase the certificate first and then start the enrollment process all over again.
Authorities
For SSL client connections (as used by SDK functions or when downloading configuration/software
images) you might upload a list of CA certificates which are considered trusted.
To obtain the CA certificate from a particular site with Mozilla Firefox, the following steps will be
required:
– Point the browser to the relevant HTTPS website
– Click the padlock in the address bar
– Click the More Information and the View Certificate button
– Select the Details tab and press the Export button
– Choose a path for the file (e.g. website.pem)
Certificates from self-signed authorities can also be retrieved by running:
echo quit | \
openssl s_client -showcerts -connect <host>:443 | \
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > other.crt
The PEM-encoded X.509 certificate files can be edited and concatenated using a simple editor (if
required) and then uploaded to the box. Once installed, an SSL client connection will terminate if
verification with any of those CA certificates fails.
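Both the SCEP getca step and the upload of a concatenated CA bundle depend on checking, out of band, that each certificate really belongs to the intended authority. The following script is an added example and is not part of the NetModule manual or its software: it splits a PEM bundle such as the one written by the openssl/sed pipeline above, decodes every certificate to DER, prints its SHA-256 fingerprint in the same colon-separated form that openssl x509 -fingerprint uses, and rejects any certificate whose fingerprint was not supplied by the CA operator. The sample bundle embedded below is constructed for the example; its blocks are minimal DER stand-ins, not real certificates, so the fingerprints are illustrative only. Only the Python standard library is used.

```python
"""Fingerprint-check a PEM certificate bundle before trusting it.

Added example (not from the NetModule manual). Splits a concatenated PEM
file, decodes each certificate to DER and reports its SHA-256 fingerprint so
it can be compared against a value obtained out-of-band from the CA operator.
"""
import base64
import hashlib
import re

# One PEM block = header, base64 body, footer. DOTALL lets the body span lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)

# Constructed sample: two minimal DER SEQUENCEs (30 03 02 01 0x) standing in
# for certificates, plus the kind of chatter openssl s_client emits around them.
SAMPLE_BUNDLE = """\
depth=0 CN = example-ca (constructed sample line, not real output)
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MAMCAQI=
-----END CERTIFICATE-----
"""


def split_pem_bundle(text):
    """Return the DER bytes of every certificate in a PEM bundle, in order.

    Text outside the BEGIN/END markers is ignored, so the sed filter from the
    manual is not needed before calling this. A block that does not decode to
    a DER SEQUENCE (tag 0x30) is rejected rather than silently kept.
    """
    ders = []
    for body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:
            raise ValueError("PEM block does not contain a DER SEQUENCE")
        ders.append(der)
    return ders


def sha256_fingerprint(der):
    """Colon-separated upper-case SHA-256 fingerprint of the DER encoding."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def verify_bundle(text, expected_fingerprints):
    """Split `text` and sort its certificates by whether their fingerprint is known.

    Returns (accepted, rejected). Anything whose fingerprint was not supplied
    out-of-band lands in `rejected`, mirroring the manual's rule that a CA
    certificate which cannot be verified must not be accepted.
    """
    accepted, rejected = [], []
    for der in split_pem_bundle(text):
        fp = sha256_fingerprint(der)
        (accepted if fp in expected_fingerprints else rejected).append(fp)
    return accepted, rejected


if __name__ == "__main__":
    # Pretend the CA operator gave us only the first certificate's fingerprint.
    known = {sha256_fingerprint(split_pem_bundle(SAMPLE_BUNDLE)[0])}
    ok, bad = verify_bundle(SAMPLE_BUNDLE, known)
    for fp in ok:
        print("ACCEPT", fp)
    for fp in bad:
        print("REJECT", fp, "(fingerprint not confirmed out-of-band)")
```

Run it against a real bundle by replacing SAMPLE_BUNDLE with the contents of other.crt or website.pem and filling the known set with fingerprints the authority published through a channel other than the connection you are about to trust; only the certificates in the accepted list should be concatenated and uploaded.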