Secure Resync - Linksys SPA2102-AU Provisioning Manual

Secure Resync

Step 3
For this step, you may need to install the open source OpenSSL package or equivalent software. If using
OpenSSL, the command to generate the basic CSR file is as follows:
openssl req -new -out provserver.csr
This command generates a public/private key pair, which is saved in the privkey.pem file.
Step 4
Submit the CSR file (provserver.csr) to Linksys for signing.
A signed server certificate is returned (provserver.cert) along with a Linksys CA Client Root Certificate,
spacroot.cert.
Step 5
Store the signed server certificate, the private key pair file, and the client root certificate in the
appropriate locations on the server.
In the case of an Apache installation on Linux, these locations are typically as follows:
# Server Certificate:
SSLCertificateFile /etc/httpd/conf/provserver.cert
# Server Private Key:
SSLCertificateKeyFile /etc/httpd/conf/privkey.pem
# Certificate Authority:
SSLCACertificateFile /etc/httpd/conf/spacroot.cert
Step 6
Restart the server.
Step 7
Copy the basic.txt configuration profile from the earlier exercises onto the virtual root directory of the
HTTPS server.
Step 8
Verify proper server operation by downloading basic.txt from the HTTPS server, using a standard
browser from the local PC.
Step 9
Inspect the server certificate supplied by the server.
The browser probably does not recognize it as valid unless the browser has been preconfigured to accept
Linksys as a root CA. However, SPA devices expect the certificate to be signed this way.
Step 10
Modify the Profile_Rule of the test SPA to contain a reference to the HTTPS server in place of the HTTP
server, for example:
https://my.server.com/basic.txt
This example assumes the name of the HTTPS server is my.server.com.
Step 11
Click Submit All Changes.
Step 12
Observe the syslog trace sent by the SPA.
The syslog message should indicate that the resync obtained the profile from the HTTPS server.
Step 13
(Optional) Use an Ethernet protocol analyzer on the SPA subnet to verify that the packets are encrypted.
Step 14
Because client certificate verification is not yet enabled in this exercise, use a browser to request the
profile stored in basic.txt.
At this point, the connection between SPA and server is encrypted. However, the transfer is not secure
because any client can connect to the server and request the file, given knowledge of the file name and
directory location. For secure resync, the server must also authenticate the client, as demonstrated in the
next exercise.
Linksys SPA Provisioning Guide
3-8
Chapter 3
Provisioning Tutorial
Version 3.0
