Before configuring SSL, consider the following:
• You must install a third-party tool such as the freely available OpenSSL application to generate keys, certificates, and certificate signing requests. Download . After installation on Windows, openssl.exe is located by default at c:\openssl\bin.
• Ensure that the time on all the switches, on DCNM-SAN, and on the system running the OpenSSL commands is synchronized.
• Provide different identities for the CA certificate and KMC certificate.
• Only the JRE 1.6 Java keytool is supported for importing PKCS12 certificates into Java Keystore (JKS) files.
Your organization might already have a CA certificate. If you are requesting the CA from a security administrator, indicate that you need the CA certificate in PEM format, and you will need them to sign certificates as part of configuring SME. If you do not have or want to use an existing CA, you can create a new one by using an OpenSSL command.
This command is used to create the Certificate Authority (CA). It creates a certificate (identity plus public key) and a private key. The private key must always be protected. In a typical enterprise organization, the private key should already exist.
This sequence of steps must be done for all of the switches managed by a DCNM-SAN server. Ensure that the same trustpoint name is used for all the switches.
To configure trustpoints, follow these steps:
This is the switch’s public certificate, now signed by the CA.
Note If your security administrator controls the CA, you will need to send them the switch.csr file and request that they complete this step and respond with the switch.pem file.
This sequence of steps must be done for all of the switches to remove the crypto trustpoints.
To remove the trustpoints, follow these steps:
1. Create the KMC Server’s private key.
2. Create a certificate signing request using the private key from Step 1.
3. Using the certificate and private key, create a signed certificate for the KMC Server.
Note If your security administrator controls the CA, you will need to send them the sme_kmc_server.csr and request that they complete this step and respond with the sme_kmc_server.cert.