Submitting the CSR to a certificate authority, Exporting the KAC certificate signing request (CSR) – Brocade Fabric OS Encryption Administrator’s Guide Supporting RSA Data Protection Manager (DPM) Environments (Supporting Fabric OS v7.2.0) User Manual
Fabric OS Encryption Administrator’s Guide (DPM)
53-1002922-01
Steps for connecting to a DPM appliance
Exporting the KAC certificate signing request (CSR)
1. Export the KAC CSR to a temporary location prior to submitting the KAC CSR to a CA for signing.
2. Synchronize the time on the switch and the key manager appliance. Time settings should be
within one minute of each other. Differences in time can invalidate certificates and cause key
vault operations to fail.
3. Select a switch from the Encryption Center Devices table, then select Switch > Properties from
the menu task bar to display the Properties dialog box.
NOTE
You can also select a switch from the Encryption Center Devices table, then click the
Properties icon.
4. Do one of the following:
• If a CSR is present, click Export.
• If a CSR is not present, select a switch from the Encryption Center Devices table, then
select Switch > Init Node from the menu task bar. This generates switch security
parameters and certificates, including the KAC CSR.
5. Save the file. The default location for the exported file is in the Documents folder.
NOTE
The CSR is exported in Privacy Enhanced Mail (.pem) format. This is the format required in
exchanges with Certificate Authorities (CAs).
Submitting the CSR to a certificate authority
The CSR must be submitted to a Certificate Authority (CA) to be signed. The CA is a trusted
third-party entity that signs the CSR. Several CAs are available and procedures vary, but the general
steps are as follows:
1. Open an SSL/TLS connection to an X.509 server.
2. Submit the CSR for signing.
3. Request the signed certificate.
Generally, a public key, the signed KAC certificate, and a signed CA certificate are returned.
4. Download and store the signed certificates.
The following example submits a CSR to the demoCA from RSA:
cd /opt/CA/demoCA
openssl x509 -req -sha1 -CAcreateserial -in certs/
-CA cacert.pem -CAkey private/cakey.pem -out newcerts/
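The checks below cover both ends of the round trip described above: that the exported .pem CSR is intact before submission, and that the returned certificate carries the same public key and chains to the returned CA certificate. This is an added example, not part of the Brocade guide; the function names, file names and the throwaway CA built by make_demo are constructed for illustration, and the demo signs with SHA-256 rather than the -sha1 shown in the guide's command.

```shell
#!/bin/sh
# Added example, not from the Brocade guide. Every file name is constructed.

# check_csr CSR: pass only if CSR is PEM and its self-signature verifies,
# i.e. the export was not truncated or altered before submission.
check_csr() {
    grep -Eq '^-----BEGIN (NEW )?CERTIFICATE REQUEST-----' "$1" || return 1
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# check_signed_cert CSR CERT CACERT: pass only if CERT carries the public key
# from CSR and chains to CACERT. "openssl verify" also checks the validity
# dates against the local clock, so a badly skewed clock fails here.
check_signed_cert() {
    csr_key=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    crt_key=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$csr_key" ] && [ "$csr_key" = "$crt_key" ] || return 1
    openssl verify -CAfile "$3" "$2" 2>/dev/null | grep -q ': OK$'
}

# make_demo DIR: build a throwaway CA, two CSRs ("kac" and "other") and a
# certificate signed from kac.csr.pem, so the checks can be run offline.
make_demo() {
    d=$1
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' >"$d/demo.cnf"
    openssl req -x509 -config "$d/demo.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 2 -subj '/CN=Demo CA' -keyout "$d/cakey.pem" \
        -out "$d/cacert.pem" 2>/dev/null || return 1
    for n in kac other; do
        openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes -sha256 \
            -subj "/CN=$n" -keyout "$d/$n.key" -out "$d/$n.csr.pem" \
            2>/dev/null || return 1
    done
    openssl x509 -req -sha256 -days 1 -CAcreateserial -in "$d/kac.csr.pem" \
        -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" -out "$d/kac.cert.pem" 2>/dev/null
}
```

Run check_csr on the exported file before sending it to the CA, and check_signed_cert on the returned files before importing them.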
NOTE
You can change the number of days before a certificate expires based on your site's security
policies. For more information on changing the certificate expiry date, refer to