
Enabling OpenSSL Authentication of Users by Creating a Self-Signed Web Certificate (CTPView Server Menu)

Until CTPView Release 7.1, an existing security protocol called NSS is used to authenticate user logins through the CTPView GUI. Starting with CTPView Release 7.2R1, CTPView GUI login authentication is implemented through OpenSSL instead of NSS. Authenticating CTPView GUI logins with OpenSSL enables secure and protected transfer of information, and also compliance with OpenSSL as validated by Federal Information Processing Standards (FIPS) 140-2.

A new CA certificate is needed to support this feature. All user logins through CTPView use this new CA certificate. This feature requires the Mod_ssl “mod_ssl-2.2.31-1.el5” and OpenSSL “openssl-1.0.2d-1” libraries. With this feature, a certificate authority (CA) database is created on the CTPView server. The OpenSSL tool requires this database to manage certificates, and its path is “/etc/httpd/CA”. The OpenSSL CA certificate, server certificates, certificate revocation lists (CRLs), and private keys are stored in the CA database directory.

The following configuration files are modified to support this feature:

  • Openssl.cnf—The following entries are enhanced in the openssl.cnf file for CA certificate management:

    dir—CA database path

    certificate—CA certificate

    private_key—CA private key

    crl—CRL Path

    Along with the preceding modifications, “countryName” and “stateOrProvinceName” are modified to support generation of server certificates for multiple countries and states.

  • The nss.conf file is used by NSS protocol that uses secured web on port 443. To disable NSS protocol, all instances of the port number of 443 used in this file are replaced by 8443.
  • The ssl.conf file is utilized by mod_ssl library that uses secured web on port 443. To enable MOD_SSL protocol on port 443, all port numbers of 8443 used in this configuration file are replaced by 443. The SSLProtocol, SSLCertificateFile, SSLCertificateKeyFile, SSLCertificateChainFile, and SSLCACertificateFile entries in the ssl.conf file are modified.

OpenSSL Certificate Database

OpenSSL maintains a certificate database that contains the CA certificate, CA private key, server certificates, server private key, Certificate Revocation List (CRL) files, and the serial and index files. The OpenSSL certificate database is stored in the “/etc/httpd/CA” directory. The OpenSSL certificate database directory contains the following entities:

  • certs—This directory contains all OpenSSL certificates.
  • crl—This directory contains all OpenSSL CRLs.
  • currCert—This directory contains the currently installed server certificate.
  • index.txt—The index file contains an index of all certificates.
  • newcerts—This directory is used by OpenSSL to create new certificates.
  • private—This directory contains private keys.
  • revokedCert—This directory contains all revoked certificates.
  • serial—OpenSSL uses this file, which contains the next available certificate serial number in hexadecimal format.
  • crlnumber—OpenSSL uses this file, which contains the next available CRL serial number in hexadecimal format.

The OpenSSL authentication feature for user login does not provide a user interface for CRLs. Instead, CRLs are managed by the OpenSSL CA database.
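Because revocation and expiry state lives only in the CA database files, index.txt and serial are the place to audit it. The following added example (not part of the CTPView documentation or software) parses the tab-separated index.txt layout that `openssl ca` writes and cross-checks it against the serial file; the function names and the sample data are constructed for illustration.

```python
"""Audit a copy of an OpenSSL CA database: index.txt plus the serial file."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample data (not taken from a real CTPView server).
# index.txt holds one certificate per line, six tab-separated fields:
# status, expiry, revocation[,reason], serial (hex), file name, subject DN.
SAMPLE_INDEX = (
    "R\t161118100200Z\t160301120000Z,keyCompromise\t01\tunknown\t"
    "/C=IN/O=Juniper/CN=old_server\n"
    "V\t161118100200Z\t\t02\tunknown\t"
    "/C=IN/ST=Del/O=Juniper/CN=ctpview_server\n"
    "V\t301118100200Z\t\t03\tunknown\t"
    "/C=IN/O=Juniper/CN=ctpview_standby\n"
)
SAMPLE_SERIAL = "03\n"  # next serial to be issued, in hex


@dataclass
class Entry:
    status: str                     # V = valid, R = revoked, E = expired
    not_after: datetime
    revoked_at: Optional[datetime]
    reason: Optional[str]
    serial: int
    subject: str


def parse_time(text: str) -> datetime:
    """Parse UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    if not text.endswith("Z") or len(text) not in (13, 15):
        raise ValueError(f"bad timestamp: {text!r}")
    digits = text[:-1]
    if len(digits) == 12:
        # Two-digit years: 00-49 mean 20xx, 50-99 mean 19xx (RFC 5280).
        yy = int(digits[:2])
        digits = f"{2000 + yy if yy < 50 else 1900 + yy}{digits[2:]}"
    parsed = datetime.strptime(digits, "%Y%m%d%H%M%S")
    return parsed.replace(tzinfo=timezone.utc)


def parse_index(text: str) -> List[Entry]:
    """Turn the contents of index.txt into Entry records."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 tab-separated fields")
        status, expiry, revocation, serial, _filename, subject = fields
        if status not in ("V", "R", "E"):
            raise ValueError(f"line {lineno}: unknown status {status!r}")
        revoked_at = reason = None
        if revocation:
            when, _, why = revocation.partition(",")
            revoked_at, reason = parse_time(when), (why or None)
        entries.append(Entry(status, parse_time(expiry), revoked_at, reason,
                             int(serial, 16), subject))
    return entries


def audit(index_text: str, serial_text: str, now: datetime) -> List[str]:
    """Return findings about stale or inconsistent database state."""
    findings = []
    next_serial = int(serial_text.strip(), 16)
    seen = set()
    for e in parse_index(index_text):
        tag = f"serial {e.serial:02X} ({e.subject})"
        if e.serial in seen:
            findings.append(f"{tag}: serial number issued more than once")
        seen.add(e.serial)
        if e.serial >= next_serial:
            findings.append(
                f"{tag}: not below next serial {next_serial:02X} in serial file")
        # OpenSSL only rewrites V to E when 'openssl ca -updatedb' is run,
        # so an entry can still read V after its expiry date has passed.
        if e.status == "V" and e.not_after <= now:
            findings.append(
                f"{tag}: marked valid but expired on {e.not_after:%Y-%m-%d}")
        if e.status == "R" and e.revoked_at is None:
            findings.append(f"{tag}: marked revoked without a revocation date")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INDEX, SAMPLE_SERIAL,
                         datetime(2017, 1, 1, tzinfo=timezone.utc)):
        print(finding)
```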

Before you begin, log in to the CTPView server and access the CTPView Configuration Menu. See Accessing the CTPView Server Configuration Menu (CTPView Server Menu).

This procedure describes the steps to create a CSR, self-sign the CSR, and import it.

To enable the OpenSSL method of authenticating user logins by creating a self-signed web certificate:

  1. From the CTPView Configuration Menu, select 9) AAA Functions.

    The AAA functions for CTPView can be viewed and set in the AAA sub-menu of the CLI menu script. Only System Administrators have authorization to view or modify the AAA functions. Configuration of the CTPView AAA functions has three major components:

    • Configuring the global configuration parameters, for example entering the IP addresses of the RADIUS servers you want to use for authentication.
    • Configuring the global configuration parameters, for example entering the IP addresses of the TACACS+ servers you want to use for authentication.
    • Then selecting the options which the various access methods will use. For example, enabling HTTPS – CAC/PKI with OCSP certificate validation.
  2. Select 7) CAC/PKI Configuration.

    This selection enables you to perform CAC/PKI configuration (HTTPS). CTPView is built with a default server certificate installed which is sufficient for testing purposes only. Before deploying the server in a production environment you must obtain and install a server certificate issued by a Trusted Signing CA. If you attempt to access multiple CTPView servers running on CentOS which are still using their default self-signed certificates you may be denied access by your browser because it will detect that multiple servers are presenting certificates with the same serial number. Obtaining and installing a signed server certificate is a simple process. First, you must create a certificate signing request (CSR) for your server which you will present to the Trusted Signing CA you have selected to use. To start, go to the CAC/PKI Configuration menu. The path is menu > AAA Functions > CAC/PKI Configuration.

  3. In the CAC/PKI Menu, select 1) Create CSR. You need to enter information about your server and organization. You are required to enter the Encryption Key Size, Common Name, Organization Name and Country. You may also include any combination of these optional fields: Organizational Unit (3 possible fields), State, and City/Town.
    CAC/PKI Menu
    
    Please choose a menu item from the following list:
    
    0)  Return to previous menu
    1)  Create CSR
    2)  Self-Sign CSR
    3)  List Certificates
    4)  Import Certificate
    5)  Display Certificate
    6)  Validate Certificate
    7)  Remove Certificate
    8)  List CRL's
    9)  Import CRL
    10) Display CRL
    11) Remove CRL
    
    Please input your choice [0]: 1
    
    Answer these questions to generate a CSR:
    
     Enter encryption key size(1024 or 2048)(Only <ENTER> to abort):
        ctpview_server
    Enter 1024 or 2048...
     Enter encryption key size(1024 or 2048)(Only <ENTER> to abort):
        2048
    Enter Common Name, i.e. IP or FQDN (Only <ENTER> to abort):
        ctpview_server
     Enter Organization Name (Only <ENTER> to abort):
        Juniper
     Enter Organizational Unit Name #1 (optional):
    
     Enter Organizational Unit Name #2 (optional):
    
     Enter Organizational Unit Name #3 (optional):
    
     Enter Country (2 characters):
        IN
     Enter State (optional):
        Del
     Enter City/Town (optional):
        Del
    CSR filename = ctpview_server.csr
    Generating a 2048 bit RSA private key
    ...............+++
    ..........+++
    writing new private key to '/tmp/ctpview_server.key'
    -----
    
    ===============================================
    Your certificate signing request has been created in ascii format.
    
    Your CSR file is /tmp/ctpview_server.csr
    
    You must now have this CSR signed by a CA.
    ===============================================
    
    Hit return to continue...
    
    CAC/PKI Menu
    
    Please choose a menu item from the following list:
    
    0)  Return to previous menu
    1)  Create CSR
    2)  Self-Sign CSR
    3)  List Certificates
    4)  Import Certificate
    5)  Display Certificate
    6)  Validate Certificate
    7)  Remove Certificate
    8)  List CRL's
    9)  Import CRL
    10) Display CRL
    11) Remove CRL
    
    Please input your choice [0]: 2
    
    It is preferred that you have your server CSR signed by a Trusted CA.
    Where that is not possible, this utility will create a self-signed
    server certificate using the CTPView CA issued by Juniper Networks.
    This self-signed certificate will generate an error in client browsers to
    the effect that the signing certificate authority is unknown and not trusted.
    
    Place the CSR you wish to self-sign into the /tmp directory.
    
    Enter the CSR filename (Only <ENTER> to abort):
        ctpview_server.csr
    Using configuration from /etc/pki/tls/openssl.cnf
    Enter pass phrase for /etc/httpd/alias/demoCA/private/CTPView_CA.key:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 2 (0x2)
            Validity
                Not Before: Nov 19 10:02:00 2015 GMT
                Not After : Nov 18 10:02:00 2016 GMT
            Subject:
                countryName               = IN
                stateOrProvinceName       = Del
                organizationName          = Juniper
                organizationalUnitName    =
                organizationalUnitName    =
                organizationalUnitName    =
                commonName                = ctpview_server
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    BE:0C:E8:66:E1:F8:7E:DE:50:38:07:4A:A0:14:39:62:AE:5D:00:E1
                X509v3 Authority Key Identifier:
                    keyid:91:1A:8E:67:B6:C4:71:CB:63:62:9C:61:A9:44:54:DE:AC:23:9D:D2
    
    Certificate is to be certified until Nov 18 10:02:00 2016 GMT (365 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    
    ===============================================
    Your CSR has been signed.
    
    The certificate file is /tmp/ctpview_server.crt
    
    You must now import this certificate.
    ===============================================
    
    Hit return to continue...
    
    Please input your choice [0]: 4
    
    There are two catagories of certificates you may import.
    The first is the returned CSR certificate signed by a Signing CA.
    The second is the group of certificates which are in the chain
    
    Place the certificate you wish to import into the /tmp directory.
    
    Enter the certificate filename (Only <ENTER> to abort):
        ctpview_server.crt
    
    Is this the signed CSR certificate for this server? [N] Y
    ctpview_server.crt: OK
    Stopping httpd:                                            [OK]
    Starting httpd: Apache/2.2.29 mod_ssl/2.2.29 (Pass Phrase Dialog)
    Some of your private key files are encrypted for security reasons.
    In order to read them you have to provide the pass phrases.
    
    Server ctpview:443 (RSA)
    Enter pass phrase:
    
    OK: Pass Phrase Dialog successful.
                                                               [  OK  ]
    
    Hit return to continue...
    	
    CAC/PKI Menu
    
    Please choose a menu item from the following list:
    
    0)  Return to previous menu
    1)  Create CSR
    2)  Self-Sign CSR
    3)  List Certificates
    4)  Import Certificate
    5)  Display Certificate
    6)  Validate Certificate
    7)  Remove Certificate
    8)  List CRL's
    9)  Import CRL
    10) Display CRL
    11) Remove CRL
    
    Please input your choice [0]: 5
    
    Current listing of installed Certificates:
    CTPView_CA.crt  ctpview_server.crt
    
    Enter the Certificate Name (Only <ENTER> to abort):
        ctpview_server.crt
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 2 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=IN, ST=Delhi, L=Delhi, O=Juniper, OU=Jun ODC, CN=juniper.net CA/emailAddress=saurav.kumar@juniper.net
            Validity
                Not Before: Nov 19 10:02:00 2015 GMT
                Not After : Nov 18 10:02:00 2016 GMT
            Subject: C=IN, ST=Del, O=Juniper, OU= , OU= , OU= , CN=ctpview_server
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:bf:49:00:19:38:82:c8:1f:3c:db:41:28:cb:01:
                        4e:b5:b4:26:f0:2e:48:f5:33:f4:81:fd:3b:6b:fc:
                        ae:c7:c9:f6:b7:68:fd:b2:b1:45:cc:63:ca:04:91:
                        10:36:c3:65:27:42:ef:3f:c0:75:88:b5:e6:d3:fa:
                        a6:bd:fb:51:a7:72:da:59:63:b8:8d:ad:79:a0:e6:
                        7b:0f:89:33:2a:71:c9:0a:2f:66:90:39:32:ec:4a:
                        d1:a0:f5:af:1a:b7:5a:96:ae:b7:cf:d1:df:dc:37:
                        35:d8:df:17:8d:50:a9:e6:5b:c6:08:e8:39:9f:94:
                        f3:3f:bc:28:c8:b4:ce:b7:b1:12:e2:e6:a1:24:c2:
                        4e:7b:2c:78:e1:07:60:e6:eb:f0:d5:51:28:4f:f1:
                        6d:a6:e3:3b:84:d3:7f:32:06:d8:be:0e:32:42:8a:
                        c5:11:05:ef:39:ea:0c:90:17:72:b7:f6:97:89:4b:
                        f9:12:ec:eb:fc:6e:3b:58:e4:0f:9e:18:79:13:28:
                        fd:22:60:68:16:39:1a:5f:95:2a:58:31:77:06:92:
                        14:08:8e:14:75:91:b9:83:5a:bc:7a:30:78:1c:5e:
                        9c:0b:6d:72:2c:fb:7b:43:dc:73:04:c1:0a:ec:c3:
                        f3:b3:8c:02:f5:86:f1:de:e8:f1:5f:d7:06:57:4c:
                        c6:e3
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    BE:0C:E8:66:E1:F8:7E:DE:50:38:07:4A:A0:14:39:62:AE:5D:00:E1
                X509v3 Authority Key Identifier:
                    keyid:91:1A:8E:67:B6:C4:71:CB:63:62:9C:61:A9:44:54:DE:AC:23:9D:D2
    
        Signature Algorithm: sha1WithRSAEncryption
             49:d0:ab:29:5f:61:bc:b4:e7:2a:41:ff:93:6e:ab:cb:c8:a8:
             2a:91:d8:10:66:da:9e:83:c2:84:18:03:75:8c:c7:16:49:0d:
             49:35:52:5a:fa:98:8f:20:da:79:34:17:00:1c:74:c0:d1:26:
             0e:13:a4:2b:52:34:b8:99:45:67:20:42:9c:15:36:8a:e0:14:
             63:ff:b1:00:94:bc:bf:86:3d:24:67:6c:39:d1:c8:8f:3d:a6:
             3b:88:12:1b:99:e1:6d:c2:d7:2b:0d:8f:57:44:47:09:05:ae:
             ee:55:ab:2d:54:ef:6e:11:7c:be:a8:7d:21:1a:50:b3:c5:d6:
             fd:40:72:7d:55:e8:32:b8:83:00:dd:14:86:f1:95:4a:37:80:
             a0:f5:1e:66:c3:c3:7c:78:e2:1c:0a:39:5c:60:2a:80:04:49:
             2e:4f:38:cb:13:e9:26:c7:1f:85:b3:01:a0:40:d2:d6:58:4b:
             bd:7c:3a:16:59:14:95:ca:4a:7e:b5:f4:72:ee:98:af:09:1d:
             5a:8c:34:8a:55:af:c3:ac:88:5b:d9:d0:69:10:a0:91:9f:ce:
             c3:fe:7a:0c:cc:6d:78:8e:9a:57:2e:0c:64:e6:d5:4f:05:9a:
             2f:4e:35:9a:92:d2:2b:fe:a8:bc:78:d1:83:b0:64:e7:c6:83:
             67:72:da:31
    
    Hit return to continue...
    CAC/PKI Menu
    
    Please choose a menu item from the following list:
    
    0)  Return to previous menu
    1)  Create CSR
    2)  Self-Sign CSR
    3)  List Certificates
    4)  Import Certificate
    5)  Display Certificate
    6)  Validate Certificate
    7)  Remove Certificate
    
    Please input your choice [0]: 3
    CTPView_CA.crt    ctpview_server.crt
    
    Hit return to continue...
    
    
  4. Follow the onscreen instructions and configure the options as described in Table 2.

    Table 2: Creating a Certificate Signed Request

    Field: Enter encryption key size(1024 or 2048)(Only <ENTER> to abort):
    Function: Specifies the encryption key size of the CSR file.
    Your Action: Specify 1024 or 2048. If you enter a different value, you are prompted to enter the key size again. You can press Enter to abort the process of creating the CSR.

    Field: Enter Common Name, i.e. IP or FQDN (Only <ENTER> to abort):
    Function: Specifies the common name to be used for the CSR file.
    Your Action: Specify the IP address or the fully-qualified domain name, which is the common name that is used in the distinguished name. The FQDN or any other CN values must be specified during the certificate request procedure. You can press Enter to abort the process of creating the CSR.

    Field: Enter Organization Name (Only <ENTER> to abort):
    Function: Specifies the organization name of the CSR.
    Your Action: Enter the organization name to be used in the CSR. This name is a component in the distinguished name. You can press Enter to abort the process of creating the CSR.

    Field: Enter Organizational Unit Name #1 (optional):
    Function: Specifies the first name of the organizational unit to be used in the CSR file.
    Your Action: Specify the first name of the organizational unit to be used in the CSR. This name is a component in the distinguished name.

    Field: Enter Organizational Unit Name #2 (optional):
    Function: Specifies the second name of the organizational unit to be used in the CSR file.
    Your Action: Specify the second name of the organizational unit to be used in the CSR. This name is a component in the distinguished name. This field is optional. If you do not want to specify this value, press Enter to skip this entry and proceed to the next field.

    Field: Enter Organizational Unit Name #3 (optional):
    Function: Specifies the third name of the organizational unit to be used in the CSR file.
    Your Action: Specify the third name of the organizational unit to be used in the CSR. This name is a component in the distinguished name. This field is optional. If you do not want to specify this value, press Enter to skip this entry and proceed to the next field.

    Field: Enter Country (2 characters):
    Function: Specifies the country code, such as IN for India or US for United States of America, to be used in the CSR.
    Your Action: Specify the country code to be used in the CSR. The country code is a parameter in the distinguished name. This field is optional. If you do not want to specify this value, press Enter to skip this entry and proceed to the next field.

    Field: Enter State (optional):
    Function: Specifies the name of the state to be used in the CSR.
    Your Action: Specify the name of the state to be used in the CSR. This name is a component in the distinguished name. This field is optional. If you do not want to specify this value, press Enter to skip this entry and proceed to the next field.

    Field: Enter City/Town (optional):
    Function: Specifies the name of the town or city to be used in the CSR.
    Your Action: Specify the name of the town or city to be used in the CSR. This name is a component in the distinguished name. This field is optional. If you do not want to specify this value, press Enter to skip this entry and proceed to the next field.

    Field: CSR Filename
    Function: The script will generate a random seed to use when creating the CSR by using the timing of keystrokes on your keyboard. The CSR will be an RSA certificate in ASCII format (i.e. plain text), using either 1024 or 2048 bit encryption depending on your choice when creating the CSR. The CSR name will be <Common Name>.csr and is created in the /tmp directory on the server. If you want to change any of the information you entered when creating the CSR, simply create a new CSR. Creating a CSR has no effect on the configuration or operation of the server.
    Your Action: View the CSR filename that is generated. You are alerted that the CSR needs to be signed by a CA. Also, the path in which the CSR file is stored is displayed.

  5. Press Enter to continue to the next step. You need to self-sign the CSR after you have created it. The CAC/PKI menu is displayed.
  6. In the CAC/PKI Menu, select 2) Self-Sign CSR.

    While it is preferred that you have your server CSR signed by a Trusted Signing CA, where that is not possible you may generate a self-signed server certificate using the CTPView_CA issued by Juniper Networks. Note that if you use the CTPView_CA certificate, the self-signed certificate will generate an error in client browsers to the effect that the signing certificate authority is unknown and not trusted. However, you will be able to successfully complete the connection. To use the CTPView_CA to sign your CSR, select Self-Sign CSR from the CAC/PKI Menu.

    Enter the CSR filename and the utility will create a signed server certificate which you can then import into the certificate database. No additional Chain of Trust certificates are required to use the CTPView_CA. As when creating a CSR, repeating the signing process has no effect on the configuration or operation of the server since a separate process is required to import the certificate.

    When the Trusted Signing CA sends you the signed server certificate you will need to import it into your server’s certificate database. You will also need to import all of the certificates that make up the Chain of Trust for your new server certificate. These are available from your Trusted Signing CA. Copy all of the certificates into the /tmp directory of the server. They can have any filename and file extension.

  7. Enter answers for each question that is subsequently displayed.

    You are required to enter the Encryption Key Size, Common Name, Organization Name and Country. You may also include any combination of these optional fields: Organizational Unit (3 possible fields), State, and City/Town.

    The script will generate a random seed to use when creating the CSR by using the timing of keystrokes on your keyboard. The CSR will be an RSA certificate in ASCII format (i.e. plain text), using either 1024 or 2048 bit encryption depending on your choice when creating the CSR. The CSR name will be <Common Name>.csr and is created in the /tmp directory on the server. If you want to change any of the information you entered when creating the CSR, simply create a new CSR. Creating a CSR has no effect on the configuration or operation of the server.

    Send the CSR which you created to your Trusted Signing CA. You may be asked to send the CSR as an email attachment or to paste the CSR into a web form. You can do that by opening the CSR file with a text editor, such as WordPad or VI, and then using the copy and paste editing functions to transfer the new certificate request to the web form.

    Note: For Common Name, enter the IP address of the server. Otherwise, your users’ browsers will report a domain name mismatch when users connect to the server.

  8. Follow the onscreen instructions and configure the options as described in Table 3.

    Table 3: Self-Signing a Certificate Signed Request

    | Field | Function | Your Action |
    | --- | --- | --- |
    | Enter the CSR filename (Only <ENTER> to abort): | Specifies the name of the CSR file. The CSR will be an RSA certificate in ASCII format (i.e. plain text), using either 1024 or 2048 bit encryption depending on your choice when creating the CSR. The CSR name will be <Common Name>.csr and is created in the /tmp directory on the server. | Specify the name of the CSR. Press Enter to abort the operation. |
    | Enter pass phrase for /etc/httpd/alias/demoCA/private/CTPView_CA.key: | Specifies the pass phrase, after which the system checks whether the request matches with the signature. | Specify the pass phrase. |
    | Sign the certificate? [y/n]: | Specifies whether you want to sign the certificate. | Specify y or n. |
    | 1 out of 1 certificate requests certified, commit? [y/n] | Specifies whether you want to commit the signed certificate to the database. | Specify y or n. |

  9. Press Enter to continue to the next step of importing the certificate. The CAC/PKI menu is displayed.
  10. From the CAC/PKI Menu, select 4) Import Certificate to import the certificate into the database.

    There are two categories of certificates you may import. The first is the returned CSR certificate signed by a Signing CA. The second is the group of certificates which are in the chain

  11. Follow the onscreen instructions and configure the options as described in Table 4.

    Table 4: Self-Signing a Certificate Signed Request

    | Field | Function | Your Action |
    | --- | --- | --- |
    | Enter the certificate filename (Only <ENTER> to abort): | Specifies the name of the CSR. The CSR name will be <Common Name>.csr and is created in the /tmp directory on the server. If you want to change any of the information you entered when creating the CSR simply create a new CSR. Creating a CSR has no effect on the configuration or operation of the server. | Specify the name of the CSR file that you previously created. Press Enter to abort the operation. |
    | Is this the signed CSR certificate for this server? [N] | Specifies whether the signed CSR is for the server on which you are configuring it. If you enter y, the HTTP daemon is stopped and started. You are asked to enter the pass phrase in the next step. | Specify y or n. |
    | Enter pass phrase: | Specifies the pass phrase for the private key files that need to be decrypted for security reasons. | Specify the pass phrase for the private key files that are encrypted. |

  12. Press Enter to continue to the next step. The CAC/PKI menu is displayed.
  13. From the CAC/PKI Menu, select 5) Display Certificate. The list of certificates is displayed.
    Current listing of installed Certificates:
    CTPView_CA.crt  ctpview_server.crt
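
A check that can be run on the generated request in /tmp before it is self-signed or sent to a signing CA, as an added example that is not part of the CTPView scripts or documentation: it uses the stock `openssl` command line to confirm the CSR's self-signature, key size, and Common Name. The function names, the 192.0.2.10 address, and the sample CSR are constructed for illustration.

```shell
# Added example (not CTPView code): sanity-check a CSR before it is signed.
# Usage: check_csr FILE EXPECTED_CN [MIN_BITS]; returns 0 only if all checks pass.
check_csr() {
    csr=$1; want_cn=$2; min_bits=${3:-2048}; rc=0

    # 1. Self-signature proves the requester holds the private key. Match on the
    #    message text: some older OpenSSL builds exit 0 even when this fails.
    if ! openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK'; then
        echo "FAIL: CSR signature does not verify"; rc=1
    fi

    # 2. Key size. The menu offers 1024 or 2048 bits; flag anything below MIN_BITS.
    bits=$(openssl req -in "$csr" -noout -text 2>/dev/null |
           sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1)
    if [ -z "$bits" ] || [ "$bits" -lt "$min_bits" ]; then
        echo "FAIL: key is ${bits:-unknown} bits, want >= $min_bits"; rc=1
    fi

    # 3. Common Name must equal the address users enter in the browser,
    #    otherwise they get the name-mismatch warning described in step 7.
    cn=$(openssl req -in "$csr" -noout -subject -nameopt multiline 2>/dev/null |
         sed -n 's/^ *commonName *= *//p' | head -n 1)
    if [ "$cn" != "$want_cn" ]; then
        echo "FAIL: Common Name is '$cn', expected '$want_cn'"; rc=1
    fi

    if [ "$rc" -eq 0 ]; then echo "OK: $csr ($bits-bit key, CN=$cn)"; fi
    return "$rc"
}

# Constructed sample input: a throwaway 2048-bit CSR named <Common Name>.csr,
# mirroring the naming the menu uses. The key is unencrypted and for demo only.
make_sample_csr() {
    dir=$1; name=$2
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$name.key" \
        -out "$dir/$name.csr" -subj "/C=US/O=Example Org/CN=$name" 2>/dev/null
}

# Demo run against the constructed sample (192.0.2.10 is a documentation address).
demo_dir=$(mktemp -d)
make_sample_csr "$demo_dir" 192.0.2.10
check_csr "$demo_dir/192.0.2.10.csr" 192.0.2.10
rm -rf "$demo_dir"
```

On a real server, point `check_csr` at the file the menu reports, for example `check_csr /tmp/<Common Name>.csr <server IP>`; a request created with the 1024-bit option is reported as failing the default 2048-bit minimum.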

Modified: 2016-02-04