Example – Westermo RedFox Series User Manual

Westermo OS Management Guide
Version 4.17.0-0
Example
alice:/#> cert import pkcs password "AliceSecret" scp://[email protected]/home/foo/alice.p12
Downloading alice.p12 from scp://foo...
[email protected]'s password:
alice.p12                                     100% 3064     3.0KB/s   00:00
Importing certificate alice...
OK
alice:/#> show cert
Type  Label  Common Name  Expires
===============================================================================
Pub   alice  MyServer     Nov 26 13:35:42 2023 GMT
CA    alice  MyCA         Nov 26 13:34:19 2023 GMT
Key   alice
alice:/#>
With the certificates installed on your WeOS unit, you can configure your SSL
tunnel to use them by referring to their label; see the example for Alice below.
Until she has configured which certificates to use as her own certificate and as her
CA certificate, the CLI will give warning messages.
Example
alice:/config/#> tunnel
alice:/config/tunnel/#> ssl 0
Creating new SSL tunnel 0, check your settings before activating the tunnel!
ssl0: Invalid settings: No certificate selected.
alice:/config/tunnel/ssl-0/#> certificate alice
ssl0: Invalid settings: No CA certificate selected.
alice:/config/tunnel/ssl-0/#> ca-certificate alice
alice:/config/tunnel/ssl-0/#> leave
alice:/#>
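As an added example (not part of the manual or of WeOS), the following Python script parses a `show cert` listing like the one above and checks, before a tunnel is configured, that a label has a certificate, a CA certificate and a key, and that neither certificate has already expired. The fixed-width column layout and the private-key message are assumptions; the other two messages mirror the CLI warnings shown above.

```python
from datetime import datetime, timezone

# Constructed sample: the `show cert` listing from the page, as the CLI prints it.
# Column positions are read from the header line (fixed-width output is assumed).
SHOW_CERT_OUTPUT = """\
Type  Label  Common Name  Expires
===============================================================================
Pub   alice  MyServer     Nov 26 13:35:42 2023 GMT
CA    alice  MyCA         Nov 26 13:34:19 2023 GMT
Key   alice
"""
COLUMNS = ["Type", "Label", "Common Name", "Expires"]


def parse_show_cert(text):
    """Return one dict per row; 'Key' rows carry no Common Name or Expires."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    starts = [lines[0].index(col) for col in COLUMNS]
    entries = []
    for line in lines[2:]:                      # skip header and '====' rule
        rec = {}
        for i, col in enumerate(COLUMNS):
            end = starts[i + 1] if i + 1 < len(COLUMNS) else None
            rec[col] = line[starts[i]:end].strip() or None
        if rec["Expires"]:                      # e.g. "Nov 26 13:35:42 2023 GMT"
            rec["Expires"] = datetime.strptime(
                rec["Expires"], "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
        entries.append(rec)
    return entries


def audit_label(entries, label, today=None):
    """List what would stop an SSL tunnel from using `label`, judged at `today`
    ("YYYY-MM-DD", default: now). The Pub/CA messages mirror the CLI warnings
    on the page; the private-key message is assumed. Empty list == usable."""
    now = (datetime.strptime(today, "%Y-%m-%d").replace(tzinfo=timezone.utc)
           if today else datetime.now(timezone.utc))
    by_type = {e["Type"]: e for e in entries if e["Label"] == label}
    problems = [msg for kind, msg in (("Pub", "No certificate selected"),
                                      ("CA", "No CA certificate selected"),
                                      ("Key", "No private key for this label"))
                if kind not in by_type]
    for kind in ("Pub", "CA"):
        cert = by_type.get(kind)
        if cert and cert["Expires"] and cert["Expires"] <= now:
            problems.append(f"{kind} certificate {cert['Common Name']!r} "
                            f"expired {cert['Expires']:%Y-%m-%d}")
    return problems
```

Run `audit_label(parse_show_cert(SHOW_CERT_OUTPUT), "alice")` against a current listing captured from the unit to get the same checks the CLI makes, plus an expiry check the warnings do not give you.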
With the simple PKI model supported by WeOS (see ), Alice will accept
connections from any VPN client presenting a valid certificate issued by her
configured CA. (Similarly, Bob (and other VPN clients) will accept certificates
presented by the VPN gateway if issued by the CA he has configured.)
36.1.4.1.1 Multiple VPN clients sharing the same certificate:
Typically, each VPN client will have a unique certificate issued by their CA, but
it is also possible for multiple VPN clients (Bob and Dave) to be configured with
the same certificate. In this case the VPN gateway (Alice) must have the
"duplicate-cn" (duplicate common name) setting enabled. If this setting is
enabled, she will accept multiple parallel VPN sessions from clients with the
certificate, but if it is disabled (default) she will tear down an existing VPN
session if a new session is
844
© 2015 Westermo Teleindustri AB