How to easily enable HTTPS/SSL on a Brocade Fabric OS based switch with CA
Objective
This article helps a customer or local engineer easily enable HTTPS/SSL on a Brocade Fabric OS based switch in order to satisfy a security requirement.
Environment
- Brocade Fabric OS
- Fabric OS below 8.2.x
Procedure
1) Delete all existing keys with the following command: seccertutil delkey
Example:
> seccertutil delkey
Deleting the key pair will automatically do the following:
1. Delete all existing CSRs.
2. Delete all existing certificates.
3. Reset the certificate filename to none.
4. Disable secure protocols.
Continue (yes, y, no, n): [no] y
2) Generate a new key pair, selecting either a 1024 or 2048 bit key size at the prompt, with the following command: seccertutil genkey
Example:
> seccertutil genkey
Generating a new key pair will automatically do the following:
1. Delete all existing CSRs.
2. Delete all existing certificates.
3. Reset the certificate filename to none.
4. Disable secure protocols.
Continue (yes, y, no, n): [no] y
Select key size [1024 or 2048]: 1024
Generating new rsa public/private key pair
Done.
3) Generate a new CSR, completing the prompts with the values specific to the switch environment, with the following command: seccertutil gencsr
Example:
> seccertutil gencsr
Country Name (2 letter code, eg, US):US
State or Province Name (full name, eg, California):Colorado
Locality Name (eg, city name):Broomfield
Organization Name (eg, company name):Brocade
Organizational Unit Name (eg, department name):Customer Support
Common Name (Fully qualified Domain Name, or IP address):10.10.10.10
Generating CSR, file name is: 10.10.10.10.csr
Done.
4) Export the CSR so it can be submitted to the CA (Certificate Authority), completing the prompts with the values specific to the environment, with the following command: seccertutil export
Example:
> seccertutil export
Select protocol [ftp or scp]: scp
Enter IP address: 10.10.10.1
Enter remote directory: localca/certin
Enter Login Name: user
user@10.10.10.1's password:
Success: exported CSR [10.10.10.10.csr].
5) Have the CA sign the CSR and issue the certificate in PEM format.
6) Import the certificate and enable HTTPS with the following command (this example uses scp, but ftp can be used if necessary):
seccertutil import -config swcert -enable https -protocol scp -ipaddr <IP of SCP server> -remotedir <directory where cert is located> -certname <cert_name.pem> -login <username>
Make sure to substitute the values that are unique to the switch environment.
Example:
> seccertutil import -config swcert -enable https -protocol scp -ipaddr 10.10.10.1 -remotedir localca/certout -certname 10.10.10.10.pem -login user
user@10.10.10.1's password:
Success: imported certificate [10.10.10.10.pem].
Certificate file in configuration has been updated.
Secure http has been enabled.
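Step 5 is the one part of the procedure that happens off the switch. The script below is an added example, not from this article or from Brocade: it signs the CSR exported in step 4 with a local OpenSSL CA and checks that the result is PEM, verifies against the CA and carries the expected Common Name before step 6 imports it. The CA files, the localca/certin and localca/certout directory names and the demo CSR standing in for a real switch are assumptions.

```shell
#!/bin/sh
# Added example (not from the KB article): sign the exported CSR with a local
# OpenSSL CA and check the result before 'seccertutil import'. Assumes openssl
# is installed; directory names mirror the article's export/import example.
set -eu

# Sign a switch CSR with the local CA and write <name>.pem into out_dir.
# Usage: sign_switch_csr <csr> <ca cert> <ca key> <out dir>
sign_switch_csr() {
    csr="$1"; ca_cert="$2"; ca_key="$3"; out_dir="$4"
    mkdir -p "$out_dir"
    out="$out_dir/$(basename "$csr" .csr).pem"
    # -CAcreateserial keeps a serial file beside the CA cert; 365-day validity.
    openssl x509 -req -in "$csr" -CA "$ca_cert" -CAkey "$ca_key" \
        -CAcreateserial -days 365 -sha256 -out "$out" 2>/dev/null
    printf '%s\n' "$out"
}

# Pre-import check: the file must be PEM (not DER .cer/.cert), must verify
# against the CA, and its CN must be the switch name/address from the CSR.
# Prints "ok", or the first failing check and returns 1.
check_pem_cert() {
    cert="$1"; ca_cert="$2"; expect_cn="$3"
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" || { echo "not PEM"; return 1; }
    openssl verify -CAfile "$ca_cert" "$cert" >/dev/null 2>&1 \
        || { echo "chain verify failed"; return 1; }
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$expect_cn" ] || { echo "CN mismatch: $cn"; return 1; }
    echo ok
}

# Constructed demo in place of a real switch: a throwaway CA and a CSR shaped
# like the one from step 3 (CN=10.10.10.10, 2048-bit RSA). Also converts the
# signed cert to DER to show why a .cer file is rejected before import.
demo() {
    work=$(mktemp -d); cd "$work"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
        -subj "/CN=Local Test CA" -days 365 2>/dev/null
    mkdir -p localca/certin
    openssl req -new -newkey rsa:2048 -nodes -keyout sw.key \
        -subj "/C=US/ST=Colorado/L=Broomfield/O=Brocade/OU=Customer Support/CN=10.10.10.10" \
        -out localca/certin/10.10.10.10.csr 2>/dev/null
    pem=$(sign_switch_csr localca/certin/10.10.10.10.csr ca.crt ca.key localca/certout)
    check_pem_cert "$pem" ca.crt 10.10.10.10
    openssl x509 -in "$pem" -outform DER -out 10.10.10.10.cer
    check_pem_cert 10.10.10.10.cer ca.crt 10.10.10.10 || true
}
```

Running demo prints "ok" for the PEM file and "not PEM" for the DER copy; the PEM written to localca/certout is what step 6 fetches with -certname.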
Additional Notes
Make sure the certificate is in PEM format when importing, not .cer or .cert.
From the FOS 8.1.0 release notes:
secCertMgmt Command
FOS v8.1.0 introduces a new CLI command secCertMgmt to provide consistency and uniformity of certificate management for various security protocols. This command is planned as a replacement of the existing secCertUtil command.