HP StorageWorks 2.128 SAN Director Switch User Manual

Page 54

Configuring standard security features

Choosing a CA

To ease maintenance and allow secure out-of-band communication between switches, consider using one CA to sign all management certificates for a fabric. If you use different CAs, management services operate correctly, but the Advanced Web Tools Fabric Events button is unable to retrieve events for the entire fabric.

Each CA (for example, VeriSign or GeoTrust) has slightly different requirements; for example, some generate certificates based on IP address, while others require an FQDN, and most require a 1024-bit public/private key while some might accept a 2048-bit key. Consider your fabric configuration, check CA websites for requirements, and gather all the information that the CA requires.

Generating a public/private key

Perform the following procedure on each switch:

1. Connect to the switch and log in as admin.

2. Issue the following command to generate a public/private key pair:

   switch:admin> seccertutil genkey

   The system reports that this process disables secure protocols, deletes any existing CSR, and deletes any existing certificates.

3. Respond to the prompts to continue and select the key size. For example:

   Continue (yes, y, no, n): [no] y
   Select key size [1024 or 2048]: 1024
   Generating new rsa public/private key pair
   Done.

   Because CA support for the 2048-bit key size is limited, select 1024 in most cases.

Generating and storing a CSR

After generating a public/private key (see "Generating a public/private key" on page 54), perform this procedure on each switch:

1. Connect to the switch and log in as admin.

2. Issue the following command:

   switch:admin> seccertutil gencsr

3. Enter the requested information. For example:

   Country Name (2 letter code, eg, US): US
   State or Province Name (full name, eg, California): California
   Locality Name (eg, city name): San Jose
   Organization Name (eg, company name): Brocade
   Organizational Unit Name (eg, department name): Eng
   Common Name (Fully qualified Domain Name, or IP address): 192.1.2.3
   Generating CSR, file name is: 192.1.2.3.csr
   Done.

   Your CA might require specific codes for Country, State or Province, Locality, Organization, and Organizational Unit names. Make sure that your spelling is correct and matches the CA requirements. If the CA requires that the Common Name be specified as an FQDN, make sure that the FQDN is set on the domain name server.

4. Issue the following command to store the CSR:

   switch:admin> seccertutil export
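A pre-flight check for the answers to the gencsr prompts above, added here as example code and not part of the HP/Brocade manual or Fabric OS: it validates the planned Country, State, Locality, Organization, OU and Common Name values and the key size before you run seccertutil genkey (which wipes the switch's existing certificates), so a misspelt field or an IP-address CN for a CA that demands an FQDN is caught before the CSR is submitted. The helper names, the field keys and the optional DNS lookup are assumptions of this example; the sample answers mirror the manual's 192.1.2.3 transcript.

```python
import ipaddress
import re
import socket

# One DNS label under RFC 1123 rules: letters, digits and hyphens, no edge hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name: str) -> bool:
    """True if name is a syntactically valid fully qualified domain name."""
    name = name.rstrip(".")
    labels = name.split(".")
    return (len(labels) > 1 and len(name) <= 253
            and all(_LABEL.match(lab) for lab in labels)
            and not labels[-1].isdigit())  # a dotted quad is not a domain name


def check_csr_answers(answers, key_bits, cn_must_be_fqdn, resolve_dns=False):
    """Return a list of problems with the planned gencsr answers (empty = sane).

    answers maps the prompts to values: C, ST, L, O, OU, CN (hypothetical keys).
    resolve_dns=True additionally looks the CN up in DNS (needs network access).
    """
    problems = []
    # genkey offers only these two sizes; 1024 is what the manual recommends,
    # but public CAs have required at least 2048 bits since 2014.
    if key_bits not in (1024, 2048):
        problems.append(f"key size {key_bits}: seccertutil genkey offers 1024 or 2048")
    for field in ("C", "ST", "L", "O", "OU", "CN"):
        value = answers.get(field, "")
        if not value or value != value.strip():
            problems.append(f"{field}: empty or has leading/trailing whitespace")
        elif not (value.isascii() and value.isprintable()):
            problems.append(f"{field}: contains non-ASCII or non-printable characters")
    country = answers.get("C", "")
    if not (len(country) == 2 and country.isalpha() and country.isupper()):
        problems.append(f"C: '{country}' is not a two-letter upper-case country code")
    cn = answers.get("CN", "")
    try:
        ipaddress.ip_address(cn)  # CN given as an IP address, as in the manual's example
        if cn_must_be_fqdn:
            problems.append(f"CN: '{cn}' is an IP address but the CA requires an FQDN")
    except ValueError:
        if not is_fqdn(cn):
            problems.append(f"CN: '{cn}' is neither an IP address nor a valid FQDN")
        elif resolve_dns:
            try:
                socket.gethostbyname(cn)
            except OSError:
                problems.append(f"CN: '{cn}' does not resolve; add it to DNS first")
    return problems
```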