Contents

1   Description

This instruction describes how to install a trusted certificate.

As shown in Figure 1, the trusted certificate installation consists of the following main steps:

1. Reception of the certificate file for a trusted Certificate Authority (CA) in an external host.

   The way the CA delivers the certificate file is outside the scope of this instruction. Here it is assumed that the Privacy Enhanced Mail (PEM) or Distinguished Encoding Rules (DER) file is received from the CA and that it is to be copied to host1, which is directly accessible from the Managed Element (ME) with the SFTP.

   Note:  

   The procedures how a certificate file is delivered to the operator for installation are outside the scope of this instruction. The procedures can vary, depending on the CA.

   
   

   Trusted Certificate is a certificate of CA which the operator trusts. An ME uses the CA certificate to verify the CA signature on the peer certificate, before establishing a secure connection.

   The peer certificate can be signed by the CA that the operator trusts, or it can be signed by another CA to which the trusted CA trusts (chain of trust). The peer can be a node or a host in the own network of the operator, or a node in another operator network.

   For the scope of this instruction, it is sufficient to assume that the peer has a certificate signed by the CA which the operator trusts. That signing CA certificate file has been delivered to the operator and copied to an SSH File Transfer Protocol (SFTP) server (in this instruction named host1), which allows SFTP access from ME.

2. Trusted certificate installation in the ME. During this step, the ME copies the certificate file from the external host to the ME with the SFTP and installs it as a trusted certificate.

   The certificate file received from the CA is copied to the ME and installed. This is done with an Managed Object (MO) action that downloads the certificate file to the ME with the SFTP from an external host (host1) and installs it to the ME as a trusted certificate.

   Note:  

   SSH File Transfer Protocol (SFTP) uses system-wide Secure Shell (SSH) algorithm setting defined in Ssh MO, see View SSH Algorithms.

   
   

The installation is activated in the CertM=1 context after the X.509 certificate file in PEM or DER format is uploaded to the node. This procedure automatically creates a TrustedCertificate MO, whose attribute certificateContent represents the installed certificate.

2   Procedure

2.1   Install Trusted Certificate

Prerequisites

• This instruction references the following documents:
  • Generate Fingerprint for File
  • View SSH Algorithms
• No tools are required.
• The following conditions must apply:
  • The user has the System Security Administrator role.
  • The trusted certificate to install is available.
  • The name and path to the certificate file in host1 are known.

    In this instruction, file trustedCertificate1.pem is stored in host1 in the home directory for hostuser1.

  • The fingerprint for the trusted certificate is known.

    In this instruction, the fingerprint is c2:91:ac:4f:b3:00:f0:98:28:47:36:b1:eb:d9:66:33:69:05:7d:c4.

  • The address, username, and password for the SFTP server in the external host are known.

    In this instruction, the username is hostuser1, the password is hostuser1pw, and the host is host1.

  • An Ericsson Command-Line Interface (ECLI) session in Exec mode is in progress.

Steps

1. Navigate to the CertM Managed Object (MO), for example:

   >dn ManagedElement=NODE06ST,SystemFunctions=1,SecM=1,CertM=1

2. Install the trusted certificate, for example:

   (CertM=1)>installTrustedCertFromUri --uri sftp://hostuser1@host1/home/hostuser1/trustedCertificate.pem --uriPassword hostuser1pw --fingerprint c2:91:ac:4f:b3:00:f0:98:28:47:36:b1:eb:d9:66:33:69:05:7d:c4

   The fingerprint of file trustedCertificate1.pem is checked. The fingerprint must be entered in the defined format for the algorithm that the ME supports for calculating the fingerprint. The supported format for fingerprint can be read from the node with MO action (CertMCapabilities=1)>show fingerprintSupport. For more information on fingerprint, refer to Generate Fingerprint for File.

   Note:  

   When referring to files that are relative to user home directory, the syntax of the SFTP Uniform Resource Identifier (URI) format is as follows:

   sftp://<hostname>/~/cert.pem.

   The fingerprint is calculated from the whole Certificate Management file, not only from the certificate it contains.

   
   

   The system returns true or false.

3. Verify that the certificate installation completed successfully:

   (CertM=1)>show reportProgress

   For a successful installation, the system returns the following:

   result=SUCCESS resultInfo="installed from the certificate file"

   If an error occurs during the execution of the action, attribute reportProgress shows result=FAILURE and resultInfo shows the cause of the failure. Repair the failure and restart the installation if needed.

The certificate installation automatically deletes file trustedCertificate1.pem in directory certificates.