There is a company called Radware (www.radware.com) that makes, among other things, SSL accelerators. This kind of device is typically placed in front of e-commerce applications: it terminates the client's SSL/TLS session, decrypts the traffic and passes it on to the internal servers. The idea behind this is to offload the internal servers, which have more useful things to do than encryption and decryption: collecting data from the database, working on it and presenting the results.
In order to do its work, the Radware box needs a certificate installed on it. This can be a self-signed certificate or one issued by a locally created CA, but that is no good for e-commerce, because the certificate has to be issued by a valid and trusted CA such as Entrust or Verisign. Personally I lean toward Entrust because I have had good experiences with those guys, but you may choose any trusted CA on the market, as long as it is supported by the e-commerce clients.
So, what steps do we need to perform in order to install the required certificate? Keep in mind that the steps described here can be performed from both the web interface and the CLI. In this article I will deal with the CLI because I had lots of trouble with the GUI. I tried lots of browsers and each and every one of them kept causing me trouble.
First, we need to make sure that the date and time is correct on the box:
[AppXcel]$ system date get
Current date: Tue Jul 19 14:32:25 UTC 2011
[AppXcel]$
The date and time must be correct because of the certificate validation process: certificate validity periods are checked against the device clock. Use the "system date set MMDDhhmmYYYY" form of the command to set the date and time. We can also use NTP servers, which is the preferred method.
Our host should have an FQDN that will be used as the subject name (Common Name) in the certificate request and, later in the process, in the identity certificate:
[AppXcel]$ system device name get
The current device name is radware1.popravak.com.
[AppXcel]$
These are the prerequisites. The main process begins with key pair generation. Be careful here: some CAs require keys of a certain length for the certificates they issue, and today's standards mandate a 2048-bit key. This key pair is going to be used for encryption and decryption in the e-commerce transactions. So, let us generate the key pair:
[AppXcel]$ appxcel key table create 2048 2048
Encrypting the private Key
Please enter passphrase:
Verify your passphrase:
Generating RSA private key, 2048 bit long modulus
.................................................................+++
.....+++
A private Key was created successfully.
[AppXcel]$
The first of the two 2048s is the key index and the second is the actual key length in bits. The key index is used for binding related objects together, such as a key pair and its certificate. Make sure you don't forget the passphrase; you may need it later, for example when exporting the key.
Now we must import the "root CA" certificate and perhaps the "chain root CA" (intermediate) certificate as well. These certificates can be found on the CA's web site. Save them, open them in a text editor, select all lines and paste them into the Radware SSH session:
[AppXcel]$ appxcel clientca table import 2048
Note: Once the Zmodem has been launched, the operation cannot be aborted.
1) Zmodem
2) Ascii (Cut & paste)
3) SSH
4) Quit
Please select import protocol [1-4]: 2
Please insert the CA certificate and press '.' and 'ENTER'.
-----BEGIN CERTIFICATE-----
MIIEKjCCAxKgAwIBAgIEOGPe+DANBgkqhkiG9w0BAQUFADCBtDEUMBIGA1UEChMLRW50cnVzdC5u
<lines omitted>
nNFMFY3h7CI3zJpDC5fcgJCNs2ebb0gIFVbPv/ErfF6adulZkMV8gzURZVE=
-----END CERTIFICATE-----
.
CA certificate was imported successfully
[AppXcel]$
If we also have to import the "chain root CA" certificate, there are some additional steps:
- create a new key pair with another index, let's say 2049
- import the "chain root CA" certificate, as just described, using this index of 2049
Now it’s time to generate the certificate signing request (CSR):
[AppXcel]$ appxcel certificate table request 2048
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:BA
State or Province Name (full name) [New York]:RS
Locality Name (eg, city) [New York]:Bijeljina
Organization Name (eg, company) [Radware]:Popravak Inc
Organizational Unit Name (eg, section) [ApplicationServers]:IT
Common Name (eg, YOUR name) [www.radware.com]:radware1.popravak.com
Email Address [email@example.com]:firstname.lastname@example.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :
An optional company name :
The Certificate request was created successfully.
[AppXcel]$
Now we can see our request, marked as Csr in the Certificate Type column:
[AppXcel]$ appxcel certificate table
Certificates:
+-------+------------------+-------------------------------+
| Index | Certificate Type | Common Name                   |
+=======+==================+===============================+
| 1     | Crt              | xxxxxx                        |
| 2048  | Csr              | radware1.popravak.com         |
+-------+------------------+-------------------------------+
This CSR needs to be displayed, saved and sent to the CA:
[AppXcel]$ appxcel certificate table export 2048
1) Zmodem
2) Ascii (Cut & paste)
3) Quit
Please select export protocol [1-3]: 2
1) PEM format
2) Quit
Please select export format [1-2]: 1
-----BEGIN CERTIFICATE REQUEST-----
MIIC2zCCAcMCAQAwgZUxCzAJBgNVBAYTAkJBMQswCQYDVQQIEwJSUzESMBAGA1UE
....
Kjpu4Hjapd9HO+FQRODM
-----END CERTIFICATE REQUEST-----
[AppXcel]$
You should select and copy all lines from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST-----, including these two lines themselves. Save this to a file and send it to the CA via e-mail, or go to the CA's website and go through the steps required to request a certificate. These steps vary from CA to CA and I won't be dealing with them here.
Finally, after we receive the identity certificate from the CA, we need one more import, using the same key index so that the certificate is bound to the key pair the CSR was generated from:
[AppXcel]$ appxcel certificate table import 2048
1) Zmodem
2) Ascii (Cut & paste)
3) SSH
4) Quit
Please select import protocol [1-4]:
You are now set and ready to use your certificate.
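As an added example (my own script, not part of the original post and not Radware's code), here are the two checks worth running around this procedure: one on the CSR exported from the box before it goes to the CA, and one on the certificate the CA returns before it is imported. It assumes only the openssl command-line tool; the CA, key pair and CSR it works on are generated locally as constructed stand-ins, reusing the post's hostname as the Common Name.

```shell
#!/bin/sh
# Added example: sanity checks on the CSR exported from the box and on the certificate
# the CA returns. Only the openssl CLI is used. The CA, key and CSR are constructed
# locally so the script runs offline; the CN reuses the post's hostname.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# check_csr CSR EXPECTED_CN MIN_BITS
# Verifies the CSR's self-signature, that the CN is the box's FQDN, and that the RSA key
# meets the CA's minimum length (2048 in the post).
check_csr() {
  csr=$1; cn=$2; bits=$3
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
  subj=$(openssl req -in "$csr" -noout -subject)
  case "$subj" in *"CN=$cn"*|*"CN = $cn"*) ;; *) return 1 ;; esac
  # Text output contains "Public-Key: (2048 bit)" (older versions: "RSA Public-Key: (2048 bit)")
  n=$(openssl req -in "$csr" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  [ "${n:-0}" -ge "$bits" ]
}

# check_issued CERT CSR CAFILE
# Verifies the returned certificate carries the same public key as the CSR (so it belongs
# to the key index we generated) and that it chains to the CA certificate imported on the box.
check_issued() {
  cert=$1; csr=$2; ca=$3
  k1=$(openssl x509 -in "$cert" -noout -pubkey | openssl md5)
  k2=$(openssl req -in "$csr" -noout -pubkey | openssl md5)
  [ "$k1" = "$k2" ] || return 1
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1
}

# --- constructed sample data: a throwaway CA standing in for the real one, a key pair and
# a CSR like the one exported with "appxcel certificate table export 2048", and the issued cert.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
  -subj "/O=Example Test CA/CN=Example Test Root" -days 1 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/dev.key" -out "$WORK/dev.csr" \
  -subj "/C=BA/O=Popravak Inc/CN=radware1.popravak.com" 2>/dev/null
openssl x509 -req -in "$WORK/dev.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -out "$WORK/dev.crt" -days 1 2>/dev/null

check_csr "$WORK/dev.csr" radware1.popravak.com 2048 && echo "CSR ok: send it to the CA"
check_issued "$WORK/dev.crt" "$WORK/dev.csr" "$WORK/ca.pem" && echo "Issued cert ok: import it"
```

Against the real box, run check_csr on the file saved from the export step and check_issued on the certificate the CA sends back, with the CA's own root (or chain) certificate as the third argument.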
Next time I’m going to show you how to set up an SSL/TLS tunnel. Till the next time…