SSL
We'll generate a self-signed Root CA certificate and use it to sign the client and router certificates. First, on your Linux machine, create three empty directories named CA, router, and client to hold the certificates, keys, and certificate signing requests.
Generate CA key
openssl genrsa -out CA/RootCA.key 2048
Generate self-signed CA cert (CN=Self Signed Root CA)
openssl req -x509 -new -key CA/RootCA.key -days 3650 -out CA/RootCA.crt
Note: This command prompts you for several values. You can accept the defaults by pressing Enter for all of them except one; for the question below, enter:
Common Name (e.g. server FQDN or YOUR name) []: Self Signed Root CA
Client cert signed by our Root CA
Generate client key
openssl genrsa -out client/client.key 2048
Generate client CSR (CN=localhost)
openssl req -new -key client/client.key -out client/client.csr
Generate a client cert signed by our CA
openssl x509 -req -in client/client.csr -CA CA/RootCA.crt -CAkey CA/RootCA.key -CAcreateserial -out client/client.crt -days 365
Copy CA/RootCA.crt or client/client.crt to /var/tmp on the router
Generate router key
openssl genrsa -out router/router.key 2048
Generate router CSR (CN=172x)
openssl req -new -key router/router.key -out router/router.csr
Note: 172x is the host name of my vMX. Use your own device's host name. This matters because later, in the JSON file, we have to specify exactly the same name that we use here.
Generate a router cert signed by our self-signed Root CA
openssl x509 -req -in router/router.csr -CA CA/RootCA.crt -CAkey CA/RootCA.key -CAcreateserial -out router/router.crt -days 365
Generate pem file for router cert
cat router/router.crt router/router.key > router/router.pem
Copy router.pem to /var/tmp on the router
You will have the following files in /var/tmp:
root@172x:/var/tmp # ls -ltra
-rw-r--r-- 1 regress wheel 1310 Jul 24 21:23 RootCA.crt <<<< Self signed Root CA
-rw-r--r-- 1 regress wheel 1176 Jul 24 21:23 client.crt <<<< client certificate
-rw-r--r-- 1 regress wheel 2851 Jul 24 21:26 router.pem <<<< router private key + certificate
Configure the router to use them (Junos CLI):
set security pki ca-profile ca1 ca-identity caid1
set security certificates local lcert load-key-file /var/tmp/router.pem
commit
run request security pki ca-certificate load ca-profile ca1 filename /var/tmp/RootCA.crt
set system services extension-service request-response grpc ssl port 50051
set system services extension-service request-response grpc ssl local-certificate lcert
set system services extension-service request-response grpc ssl mutual-authentication certificate-authority ca1
set system services extension-service request-response grpc ssl mutual-authentication client-certificate-request require-certificate-and-verify
commit
Use the following JSON file (replace values as needed) on the server side to start the collector.
{
    "host": "IP-of-Router",
    "port": 50051,
    "user": "user",
    "password": "password",
    "cid": "cid-2",
    "tls" : {
        "clientcrt" : "172x/test-cert/client/client.crt",
        "clientkey" : "172x/test-cert/client/client.key",
        "ca" : "172x/test-cert/CA/RootCA.crt",
        "servername" : "172x"
    },
    "paths": [
        { "path": "/interfaces", "freq": 2000 },
        { "path": "/bgp", "freq": 2000 },
        { "path": "/components", "freq": 2000 }
    ]
}
Note: If you want to test only server-side certificate authentication, remove clientcrt and clientkey from the above JSON file. If you want to run clear-text tests, remove the entire "tls" section from the above JSON file.
From Junos 17.2X onwards, the collector can pass the username and password using gRPC metadata instead of the Lego API LoginCheck(). Whether the collector uses metadata is controlled by the following entry in the JSON file.
"meta" : true | false
true means use metadata; false means use the existing LoginCheck(). The default is false.
From Go 1.15 onwards, certificate verification requires a Subject Alternative Name (SAN); the Common Name is no longer used to match the host name. To generate certs with SAN, follow the sample procedure in 'docs/howto-certs-san/x.509-certs-with-san'. The Makefile there generates certs with SAN. Update the values in ca/ca.cnf, client/client.cnf, and router/router.cnf as you see fit.
$ make read-router-crt | grep -A 1 Subject
Subject: C=US, ST=California, L=Sunnyvale, OU=Engineering, CN=router
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
--
X509v3 Subject Alternative Name:
DNS:router, DNS:router.englab.juniper.net, DNS:*.juniper.net
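The SAN requirement above, as an added example that is not part of this page or the project's own code: it mirrors the Root CA and router certificate steps in memory with Go's crypto/x509 (Ed25519 keys instead of the page's RSA, an assumption made for brevity) and then runs the same check a Go TLS client performs on the JSON servername value, which fails for a CN-only router certificate under Go 1.15 and later.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign issues tmpl under parent (self-signed when parent == tmpl) and returns the parsed certificate.
func sign(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, key ed25519.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// IssueRouterCert replays the page's openssl steps in memory: a self-signed Root CA (CN=Self Signed Root CA)
// and a router cert (CN=router) signed by it. dnsNames become the SAN entries; nil gives a CN-only cert.
func IssueRouterCert(dnsNames []string) (*x509.Certificate, *x509.Certificate, error) {
	caPub, caKey, err := ed25519.GenerateKey(rand.Reader) // assumption: Ed25519 instead of RSA-2048
	if err != nil { return nil, nil, err }
	routerPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Self Signed Root CA"},
		NotBefore: now, NotAfter: now.Add(3650 * 24 * time.Hour), // matches -days 3650
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca, err := sign(caTmpl, caTmpl, caPub, caKey)
	if err != nil { return nil, nil, err }
	routerTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "router"}, DNSNames: dnsNames,
		NotBefore: now, NotAfter: now.Add(365 * 24 * time.Hour), // matches -days 365
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	router, err := sign(routerTmpl, ca, routerPub, caKey)
	return ca, router, err
}

// VerifyRouterCert does what a Go TLS client does with "servername": chain to the Root CA and match the SAN list.
func VerifyRouterCert(ca, router *x509.Certificate, servername string) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := router.Verify(x509.VerifyOptions{Roots: pool, DNSName: servername})
	return err
}
```

A non-nil error from VerifyRouterCert for a CN-only certificate is the "certificate relies on legacy Common Name field" failure the Makefile procedure exists to avoid.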