
Enabling a certificate chain, Allowing self-signed certificates – Brocade Virtual ADX Security Guide (Supporting ADX v03.1.00) User Manual




Brocade Virtual ADX Security Guide

53-1003250-01

Advanced SSL profile configuration


NOTE

To avoid “man-in-the-middle” attacks, where the CRL may be compromised while on the network,
CRLs are digitally signed by the issuing CAs. For this reason, it is essential that the certificate of the
CA that issues the CRL is present on the Brocade Virtual ADX when a client certificate is being
checked for revocation.

Allowing self-signed certificates

By default, the Brocade Virtual ADX does not accept certificates that have been issued by a CA that
is not trusted. A Brocade Virtual ADX only accepts certificates that have been signed by a CA that
is configured under the SSL profile. For testing purposes, customers may want to use self-signed
certificates (generated using the OpenSSL utilities or by the Brocade Virtual ADX cert gen utility) on
the SSL client.

The following example configures a Brocade Virtual ADX to accept self-signed certificates.

Virtual ADX(config)#ssl profile profile1

Virtual ADX(config-ssl-profile-profile1)#allow-self-signed-cert

Syntax: [no] allow-self-signed-cert

Enabling a certificate chain

By default, for CA signed certificates, the Brocade Virtual ADX does not send the entire certificate
chain when presenting the certificate to the client.

To enable the Brocade Virtual ADX to send the entire certificate chain (including the root CA
certificate and any intermediate CA certificates), enter the following commands in the SSL profile
configuration mode:

Virtual ADX(config)#ssl profile profile1

Syntax: ssl profile profile-name

Virtual ADX(config-ssl-profile-ssl-profile1)#enable-certificate-chaining

Syntax: enable-certificate-chaining

NOTE

All intermediate CA certificates need to be uploaded to the Brocade Virtual ADX.

Configuring certificate chain depth

You can configure the maximum certificate chain depth up to which a Brocade Virtual ADX verifies a
certificate chain. The default value is 4, and it can be configured up to 10, as shown in the
following example.

Virtual ADX(config)#ssl profile profile1

Virtual ADX(config-ssl-profile-ssl-profile1)#verify-cert-depth 10

Syntax: [no] verify-cert-depth chain-depth

The chain-depth variable specifies the maximum certificate chain depth that is verified. The accepted
values are between 4 and 10. The default value is 4.
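As an added illustration (not part of the Brocade manual), the following POSIX shell script uses the OpenSSL utilities mentioned above to build the kind of chain the "Enabling a certificate chain" section describes (server certificate, intermediate CA, root CA), then runs openssl verify with a chain-depth limit to show what a verify-cert-depth style limit does: the three-certificate chain is rejected at depth 0 and accepted at the ADX default of 4. The certificate names, the one-day validity and the temporary working directory are constructed for this example.

```shell
#!/bin/sh
# Added example, not Brocade code: build root -> intermediate -> server chain
# with the OpenSSL CLI and check it against a maximum chain depth.
# All subject names, file names and validity periods are constructed.
set -u
WORK=$(mktemp -d)

# Sign a CSR with the given CA. basicConstraints is set explicitly so the
# intermediate is a real CA and the server certificate is not.
issue() {  # issue <name> <ca-name> <CA:TRUE|CA:FALSE>
    printf 'basicConstraints=critical,%s\n' "$3" > "$WORK/$1.ext"
    openssl x509 -req -sha256 -days 1 -in "$WORK/$1.csr" \
        -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
        -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

build_chain() {
    # Self-signed root CA: the trust anchor the verifier must already hold.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Example Test Root" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    # Intermediate CA, issued by the root.
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Test Intermediate" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    issue int root CA:TRUE
    # Server (end-entity) certificate, issued by the intermediate.
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=vip.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    issue leaf int CA:FALSE
}

# The chain a server sends when certificate chaining is enabled: server
# certificate first, then each issuing CA. Prints the number of certificates.
full_chain() {
    cat "$WORK/leaf.pem" "$WORK/int.pem" "$WORK/root.pem" > "$WORK/chain.pem"
    grep -c 'BEGIN CERTIFICATE' "$WORK/chain.pem"
}

# Verify server -> intermediate -> root with a maximum chain depth.
# Exit status 0 means the chain was accepted within that depth.
verify_at_depth() {  # verify_at_depth <depth>
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
        -verify_depth "$1" "$WORK/leaf.pem" >/dev/null 2>&1
}

build_chain
echo "certificates in presented chain: $(full_chain)"
for d in 0 4 10; do
    if verify_at_depth "$d"; then echo "depth $d: chain accepted"
    else echo "depth $d: chain rejected (chain too long)"; fi
done
```

OpenSSL's -verify_depth counts intermediate CA certificates in current releases and was counted differently in older ones, so the script relies only on 0 rejecting and 4 accepting this chain, not on an exact mapping to the ADX chain-depth value.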