Issue
How can I obtain and apply, or transfer, an SSL certificate through the command-line interface (CLI)?
Solution
To obtain and apply a new SSL certificate, see Obtaining an SSL Certificate and then Applying the CA SSL Certificate.
To transfer an existing certificate, see Transferring an Existing SSL Certificate and then Applying the CA SSL Certificate.
To install a replacement SSL certificate, you can generally resubmit the old Certificate Signing Request (CSR) to the Certifying Authority (CA) and receive a new certificate. Once you have the new certificate, use Applying the CA SSL Certificate.
To install an intermediate certificate, use Applying the CA SSL Certificate and perform its final step as well.
Obtaining an SSL Certificate
1. Set up local host information for the new SSL certificate. Log in to the appliance as an administrator and issue the following command:
CLI>Ssl Newcert "(subject=CN=example.AcmeCo.com,O=mycompany,OU=dept,C=US,ST=California,L=Cupertino,Email=administrator@AcmeCo.com)"
Where CN=example.AcmeCo.com, O=mycompany, OU=dept, C=US, ST=California, L=Cupertino, Email=administrator@AcmeCo.com is the distinguished name (DN) given in RFC 2253 format.
Do not issue the Ssl Newcert command again after this point. It generates a new key and CSR and voids the previous certificate.
Not all attributes need to be specified in the DN; those that are omitted receive default values. The attributes used in a DN are:
- CN= Defines the common name.
- O= Defines the organization, or the name of your company.
- OU= Defines the organizational unit, a department, or a group within your company.
- C= Defines the country using the ISO 3166 standard.
- ST= Defines the state when the country US is specified, or it can be a province.
- L= Defines the locality, which is usually the city when the country US is specified.
- Email= Defines the email address of someone on your system with administrator privileges.
Note: When the DN value specified for the subject includes the CN attribute, it must match the hostname associated with the interface. If not, an error occurs.
NO Subject's common name must be hostname
If you have a multi-machine environment in which the same hostname is used on several systems, and you specify a value for the CN attribute but do not want it forced to match the interface name, you must apply the E3_SSL_anycert patch. For more information on patches, see the Software Center.
If the DN fails to parse correctly due to syntax errors, incorrect attributes, or missing CN or Email values, this error results:
NO improperly formed DN
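The two error lines above are the appliance's verdicts on the subject DN: a parse failure or a missing CN/Email gives "improperly formed DN", and a CN that differs from the interface hostname gives the common-name error. The following is an added example, not Mirapoint code and not the appliance's actual parser: it splits a DN the way RFC 2253 escaping requires (a backslash-escaped comma stays inside its value), enforces the same two rules, and fills unspecified attributes with defaults. The defaults in ASSUMED_DEFAULTS and the "Unknown" placeholders are assumptions for this example; the page does not state what the appliance uses.

```python
from typing import Dict, List, Tuple

# Attributes the Ssl Newcert subject accepts. The default values below are
# placeholders assumed for this example; the appliance's real defaults are not
# documented on this page.
KNOWN_ATTRIBUTES = ("CN", "O", "OU", "C", "ST", "L", "Email")
ASSUMED_DEFAULTS = {"O": "Unknown", "OU": "Unknown", "C": "US", "ST": "", "L": ""}
ERR_BAD_DN = "NO improperly formed DN"
ERR_CN_MISMATCH = "NO Subject's common name must be hostname"


def split_unescaped(text: str, sep: str) -> List[str]:
    """Split text on sep while honouring RFC 2253 backslash escapes,
    so a value such as O=Acme\\, Inc. keeps its comma."""
    parts: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(text[i + 1])  # escaped character is taken literally
            i += 2
            continue
        if ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse 'CN=host,O=org,...' into a dict keyed by canonical attribute name.
    Raises ValueError for syntax errors, unknown or duplicate attributes, or empty values."""
    attrs: Dict[str, str] = {}
    for rdn in split_unescaped(dn, ","):
        name, eq, value = rdn.partition("=")
        if not eq:
            raise ValueError("missing '=' in %r" % rdn)
        name, value = name.strip(), value.strip()
        canon = next((k for k in KNOWN_ATTRIBUTES if k.lower() == name.lower()), None)
        if canon is None:
            raise ValueError("unknown attribute %r" % name)
        if not value:
            raise ValueError("empty value for %s" % canon)
        if canon in attrs:
            raise ValueError("duplicate attribute %s" % canon)
        attrs[canon] = value
    return attrs


def check_subject(dn: str, interface_hostname: str) -> Tuple[str, Dict[str, str]]:
    """Validate a subject DN using the two rules the article describes:
    returns ('OK', attributes with defaults filled in) or one of the two error
    strings the article quotes, together with whatever was parsed."""
    try:
        attrs = parse_dn(dn)
    except ValueError:
        return ERR_BAD_DN, {}
    if "CN" not in attrs or "Email" not in attrs:
        return ERR_BAD_DN, attrs
    if attrs["CN"].lower() != interface_hostname.lower():
        return ERR_CN_MISMATCH, attrs
    filled = dict(ASSUMED_DEFAULTS)
    filled.update(attrs)
    return "OK", filled


if __name__ == "__main__":
    subject = ("CN=example.AcmeCo.com,O=mycompany,OU=dept,C=US,"
               "ST=California,L=Cupertino,Email=administrator@AcmeCo.com")
    print(check_subject(subject, "example.AcmeCo.com"))
    print(check_subject(subject, "mail2.AcmeCo.com")[0])
    print(check_subject("O=mycompany,C=US", "example.AcmeCo.com")[0])
```

Running the check against the intended interface hostname before issuing Ssl Newcert avoids a failed command, which matters because a successful Newcert cannot be undone without voiding the certificate in use.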
2. Get the CSR by issuing the following command:
CLI>Ssl Getcsr ""
If you need to identify a specific host, enter the host or IP address instead of "".
Capture the certificate information and paste it into a text file (for example, csr.txt). Include the dashes that precede the BEGIN CERTIFICATE statement, through the dashes that follow the END CERTIFICATE statement.
Use this CSR to apply for your certificate from a third-party CA (for example, VeriSign).
3. Keep a copy of your new SSL certificate in a text file, until the CA certificate is received. Issue the following command:
CLI> Ssl Getcert ""
Capture the certificate information and paste it into a text file (for example, cert.txt). Highlight the certificate information displayed on screen. Include the dashes that precede the BEGIN CERTIFICATE statement, through the dashes that follow the END PRIVATE KEY statement.
The certificate information obtained is highly sensitive, as it contains your private key. Do not issue this command over a non-secure connection. Mirapoint recommends issuing this command directly from the serial console, if possible, or if necessary an SSH connection or SSL connection.
Give the CSR to any CA and follow their procedure to obtain a certificate they issue. The CA will send you a new SSL certificate. Continue with Applying the CA SSL Certificate.
Transferring an Existing SSL Certificate
To transfer an SSL certificate from an old mail router to a new RazorGate, use the no-password form of the private key. To produce a private key without an embedded passphrase, run the following OpenSSL command on a Unix/Linux host:
$> openssl rsa -in oldhost.key -out nopwhost.key
Enter pass phrase for private key: passphrase
writing RSA key
The resulting output file (nopwhost.key) is what you supply as the private key for Mirapoint's Ssl Setcert command. Continue with Applying the CA SSL Certificate.
Applying the CA SSL Certificate
1. Log in to the appliance as an administrator, and issue the following command:
CLI> Ssl Setcert ""
2. Paste the SSL certificate received from the CA vendor into the appliance:
a. Capture the certificate information. Highlight the information displayed on screen; include the dashes that precede the BEGIN CERTIFICATE statement and follow the END CERTIFICATE statement, and paste this into a text file (for example, final.txt).
b. Open the cert.txt file from the previous section. Highlight the text starting with the dashes that precede the BEGIN PRIVATE KEY statement through the dashes that follow the END PRIVATE KEY statement, and paste it after the last line in final.txt.
c. When prompted, paste the combined certificate information from final.txt into the system.
d. End the command string with the dot (.) on a line by itself. For example:
CLI> Ssl Setcert ""
-----BEGIN CERTIFICATE-----
AMCIOATNLKEROIU19080283590URNSNOW837502RLSMLDSUE50WLM
MAOEIR9OANLZUEROWNR194809583Q9059U4QOLVLDXMO9SE80WJM
AMCIOATNLKEROIU19080283590URNSNOW837502RLSMLDSUE50WLM
MAOEIR9OANLZUEROWNR194809583Q9059U4QOLVLDXMO9SE80WJM
AMCIOATNLKEROIU19080283590URNSNOW837502RLSMLDSUE50WLM
MAOEIR9OANLZUEROWNR194809583Q9059U4QOLVLDXMO9SE80WJM
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MAOEIR9OANLZUEROWNR194809583Q9059U4QOLVLDXMO9SE80WJM
AMCIOATNLKEROIU19080283590URNSNOW837502RLSMLDSUE50WLM
MAOEIR9OANLZUEROWNR194809583Q9059U4QOLVLDXMO9SE80WJM
AMCIOATNLKEROIU19080283590URNSNOW837502RLSMLDSUE50WLM
MAOEIR9OANLZUEROWNR194809583Q9059U4QOLVLDXMO9SE80WJM
-----END PRIVATE KEY-----
.
OK Completed
Do not issue the Ssl Newcert command at this point. It generates a new key and CSR and voids the previous certificate!
3. If you are installing an intermediate certificate:
CLI> SSL SetIntCA interface certificate
interface can be "" for the main interface, or a hostname or IP address naming an interface on the appliance. certificate is the intermediate certificate obtained from the CA.
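Steps a through d above assemble final.txt by hand: the CA-issued certificate first, then the private key captured earlier with Ssl Getcert, then a line holding a single dot. A paste with a mangled marker line (a stray extra dash, or dashes missing after END) or a truncated base64 body is rejected by the appliance, and the private key has already crossed the session by then. The following is an added example in Python, not Mirapoint code: it checks the PEM structure of both inputs offline, refuses malformed marker lines and bodies that are not valid base64, and assembles the exact text to paste, terminator included. The sample inputs are constructed placeholder bytes, not real certificate or key material, and the check is structural only; it does not verify that the certificate and key belong together.

```python
import base64
import binascii
import re
from typing import List, Tuple

# A PEM marker line is exactly five dashes, BEGIN or END, a label, five dashes.
MARKER_RE = re.compile(r"^-----(BEGIN|END) ([A-Z][A-Z ]*[A-Z])-----$")


def parse_pem_blocks(text: str) -> List[Tuple[str, bytes]]:
    """Return [(label, der_bytes)] for each well-formed PEM block in text.
    Raises ValueError on a malformed marker line, an END that does not match
    its BEGIN, text outside a block, or a body that is not valid base64."""
    blocks: List[Tuple[str, bytes]] = []
    label = None
    body: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("-") or line.endswith("-"):  # base64 never does either
            m = MARKER_RE.match(line)
            if m is None:
                raise ValueError("line %d: malformed PEM marker %r" % (lineno, line))
            kind, name = m.groups()
            if kind == "BEGIN":
                if label is not None:
                    raise ValueError("line %d: BEGIN %s inside unclosed %s block" % (lineno, name, label))
                label, body = name, []
                continue
            if label != name:
                raise ValueError("line %d: END %s does not close %s" % (lineno, name, label))
            try:
                der = base64.b64decode("".join(body), validate=True)
            except binascii.Error as exc:
                raise ValueError("%s body is not valid base64 (%s)" % (label, exc))
            if not der:
                raise ValueError("%s block is empty" % label)
            blocks.append((label, der))
            label = None
        elif label is None:
            raise ValueError("line %d: text outside any PEM block" % lineno)
        else:
            body.append(line)
    if label is not None:
        raise ValueError("unterminated %s block" % label)
    return blocks


def check_paste(text: str) -> str:
    """Return 'OK' or a description of the first structural problem found."""
    try:
        parse_pem_blocks(text)
    except ValueError as exc:
        return str(exc)
    return "OK"


def to_pem(label: str, der: bytes) -> str:
    """Re-emit bytes as a canonical PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN %s-----" % label] + lines + ["-----END %s-----" % label])


def build_setcert_input(ca_cert_text: str, getcert_text: str) -> str:
    """Assemble the final.txt content: the single CA-issued certificate, the
    private key from the Ssl Getcert capture, then the '.' terminator line.
    A chain with more than one certificate is refused; intermediates are
    installed separately with SetIntCA."""
    certs = [b for b in parse_pem_blocks(ca_cert_text) if b[0] == "CERTIFICATE"]
    if len(certs) != 1:
        raise ValueError("expected exactly one CERTIFICATE from the CA, found %d" % len(certs))
    keys = [b for b in parse_pem_blocks(getcert_text) if b[0].endswith("PRIVATE KEY")]
    if len(keys) != 1:
        raise ValueError("expected exactly one private key in the Getcert capture, found %d" % len(keys))
    return to_pem(*certs[0]) + "\n" + to_pem(*keys[0]) + "\n.\n"


# Constructed sample data: placeholder bytes that encode as valid base64 so the
# structural checks can run. They are NOT real X.509 or key material.
SAMPLE_CA_CERT = to_pem("CERTIFICATE", b"constructed CA-issued certificate bytes")
SAMPLE_GETCERT = (to_pem("CERTIFICATE", b"constructed self-signed certificate bytes") + "\n"
                  + to_pem("PRIVATE KEY", b"constructed private key bytes"))
# A paste with a broken marker: one dash too many after BEGIN, none after END.
BROKEN_PASTE = ("-----BEGIN PRIVATE KEY------\n"
                "MAOEIR9OANLZUEROWNR194809583Q9059U4QOLVLDXMO9SE80WJM\n"
                "-----END PRIVATE KEY\n")

if __name__ == "__main__":
    print(build_setcert_input(SAMPLE_CA_CERT, SAMPLE_GETCERT))
    print(check_paste(BROKEN_PASTE))
```

Run the check on a workstation before opening the appliance session, so that the only thing pasted over the connection is text already known to be well-formed; the reassembled output is what goes in after Ssl Setcert "".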
For information about Verisign SSL certificates, see Obtaining and Installing a VeriSign SSL Certificate.