Installation guide

Creating and Installing Certificates
Acano solution: Deployment Guide R1.2 76-1006-06-K
3 Creating and Installing Certificates
This section and the following ones assume that you have followed the instructions in the
appropriate Acano solution Installation Guide completely and have all the prerequisites in place.
If this is not the case, then do so now before proceeding.
3.1 Security Certificates Overview
A pair of files is required on the Acano solution: the private key, and the certificate generated
from the private key, which contains the matching public key.
The private key is one half of a private key/public key pair. One use is for encryption (public
key) and decryption (private key) of data. RSA and DSA are two methods of generating the
public key from the private key. The private key file is only stored on the Acano solution: it is
never sent.
The certificate is a wrapper for the public key, and identifies the owner of the key. Also, if the
certificate is signed by a Certifying Authority (CA), it provides the authority/validation of this owner.
Web browsers and other clients have a list of signing authorities that they trust and
therefore, by a “chain of trust”, servers they can trust – and the revocation lists from these
CAs. The certificate is sent during call set up. By issuing a certificate the client has the
public key with which to start secure communications.
The procedure to generate a certificate involves several steps and there are three options:
- Generate keys and the certificate externally, and load them on to the MMP of the Acano
  solution using SFTP:
  a. Generate the private key.
  b. Generate the Certificate Signing Request (CSR) using the private key.
  c. Ask a CA to sign (or self-sign). (Signing creates the certificate.)
  d. Upload the certificate and private key files to the MMP of the Acano solution using
     SFTP.
- Generate a key and a self-signed certificate on the Acano solution (recommended for testing
  and debugging environments only) (see http://en.wikipedia.org/wiki/Self-signed_certificate).
  Log in to the MMP and use:
    pki selfsigned <key/cert basename>
  where <key/cert basename> identifies the key and certificate which will be generated, e.g.
  pki selfsigned webserver creates webserver.key and webserver.crt (which is self-signed).
- For users happy to trust that Acano meets requirements for generation of private key
  material, generate private keys and associated Certificate Signing Requests with the MMP
  pki csr command, then export them for signing by a CA. Copy the resultant certificate file on
  to the MMP of the Acano solution. This option is described later in this section.
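The external option (steps a to d above), worked through with the OpenSSL command line as an added example that is not part of the Acano guide; it also checks that the certificate really carries the public key of the private key before anything is uploaded. The basename webserver is reused from the guide's own pki selfsigned example; the common name mmp.example.com, the 2048-bit RSA key and the 365-day validity are assumptions.

```shell
#!/bin/sh
# Added example, not from the Acano guide. Assumes the OpenSSL CLI is installed.
# Constructed sample values: CN mmp.example.com, RSA 2048 bits, 365 days.

# Steps a-c: writes <dir>/<basename>.key, .csr and .crt
# usage: make_pair <basename> <common-name> <dir>
make_pair() (
    umask 077    # new files (including the private key) readable by owner only
    # a. Generate the private key.
    openssl genrsa -out "$3/$1.key" 2048 2>/dev/null &&
    # b. Generate the CSR using the private key.
    openssl req -new -sha256 -key "$3/$1.key" -subj "/CN=$2" -out "$3/$1.csr" &&
    # c. Self-sign. For a CA-signed certificate, send the .csr to the CA
    #    instead and save what the CA returns as <basename>.crt.
    openssl x509 -req -sha256 -days 365 -in "$3/$1.csr" \
        -signkey "$3/$1.key" -out "$3/$1.crt" 2>/dev/null
)

# Pre-upload check: does the certificate contain the public key that
# belongs to this private key? Compares the two public keys in PEM form.
# usage: pair_matches <key-file> <cert-file>
pair_matches() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Demo run in a scratch directory.
work=$(mktemp -d)
if make_pair webserver mmp.example.com "$work" &&
   pair_matches "$work/webserver.key" "$work/webserver.crt"; then
    echo "webserver.key and webserver.crt match"
    # d. Upload both files to the MMP with your SFTP client.
else
    echo "key and certificate do not match; do not upload" >&2
fi
rm -rf "$work"
```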
The Acano solution comprises several components that require their own validation. Therefore
the pairs (certificate and private key) of files used are:
Web Admin Interface (required): this is for the browser to trust the Web Admin Interface