ACM VPN Configuration
Rev 3 Nov 17
29
4119855
Certificate Management and Revocation
The ACM can use public-key certificates to allow or deny access to client devices. For a client device to connect to the ACM, its certificate must be signed by the same certificate authority (CA) and must use the same cacert.pem certificate file that the ACM has. These certificates and their associated keys are issued by the CA.
ACM supports the following certificate types:
• RSA 2048 bits
• RSA 3072 bits
• ECDSA 224 bits (Note: Not supported by oMG/MG90)
To provision the ACM with certificates:
1. Copy the certificates into the directory /config/auth on the ACM. To do so, log in to the server where the certificate files exist and invoke the following commands:
[user@server ~]$ scp -P 2222 <ca_cert_file_name> admin@<ACM-IP>:/config/auth
[user@server ~]$ scp -P 2222 <ACM_cert_file_name> admin@<ACM-IP>:/config/auth
[user@server ~]$ scp -P 2222 <ACM_key_file_name> admin@<ACM-IP>:/config/auth
2. Provision the CA certificates:
set vpn ipsec x509 ca <ca_cert_name> ca-cert-file /config/auth/<ca_cert_file_name>
set vpn ipsec x509 ca <ca_cert_name> ca-cert-type <RSA | ECDSA>
3. Provision the host certificate:
set vpn ipsec x509 host <host_cert_name> cert-file /config/auth/<ACM_cert_file_name>
set vpn ipsec x509 host <host_cert_name> cert-type <RSA | ECDSA>
set vpn ipsec x509 host <host_cert_name> key file /config/auth/<ACM_key_file_name>
set vpn ipsec x509 host <host_cert_name> key type <RSA | ECDSA>
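Before running the scp commands above, it is worth checking on the server that the host certificate chains to the CA the ACM trusts, that the private key matches it, and that the key is one of the supported types, since a mismatch only shows up later as a failed tunnel. This is an added shell example, not from the manual, and it assumes openssl is installed on the server holding the files; the file names are placeholders.

```shell
#!/bin/sh
# Pre-flight check for ACM certificate provisioning (added example, not from the manual).
# Confirms before the scp step that the host certificate is signed by the CA, that the
# key belongs to the certificate, and that the key is a type the ACM lists as supported.

# Print the ACM cert-type and key size for a certificate ("RSA 2048", "RSA 3072",
# "ECDSA 224"); return 1 for anything else. ECDSA 224 is not supported on oMG/MG90.
acm_key_type() {
    txt=$(openssl x509 -in "$1" -noout -text) || return 1
    alg=$(printf '%s\n' "$txt" | sed -n 's/.*Public Key Algorithm: *//p' | head -n1)
    bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: *(\([0-9]*\) bit).*/\1/p' | head -n1)
    case "$alg:$bits" in
        rsaEncryption:2048|rsaEncryption:3072) echo "RSA $bits" ;;
        id-ecPublicKey:224) echo "ECDSA $bits" ;;
        *) echo "unsupported key: $alg $bits bits" >&2; return 1 ;;
    esac
}

# acm_precheck <ca_cert_file> <ACM_cert_file> <ACM_key_file>
# Succeeds (and prints the value to use for cert-type / key type) only when all checks pass.
acm_precheck() {
    # 1. Host certificate must verify against the same CA certificate the ACM holds.
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 \
        || { echo "host certificate is not signed by $1" >&2; return 1; }
    # 2. Public key extracted from the certificate must equal the one derived from the key.
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$3" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "private key does not match $2" >&2; return 1; }
    # 3. Key type and size must be one the ACM accepts.
    acm_key_type "$2"
}

# Usage: ./acm_precheck.sh <ca_cert_file_name> <ACM_cert_file_name> <ACM_key_file_name>
if [ "$#" -eq 3 ]; then
    acm_precheck "$@"
fi
```

Only after this exits 0 do the scp and set commands above make sense; the printed value is the one to pass to cert-type and key type.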
As part of this security system, the ACM also supports a certificate revocation list (CRL), which explicitly lists the certificates of devices that must not be granted access to the ACM. A listed certificate can be either revoked (access denied) or in a "hold" state, meaning it has yet to be approved and is therefore temporarily invalid.
To use the CRL on the ACM:
1. Copy the CRL file into the directory /config/auth on the ACM. To do so, log in to the server where the CRL file exists and invoke the following command:
[user@server ~]$ scp -P 2222 <crl_file> admin@<ACM-IP>:/config/auth