User Guide
OmniAccess SafeGuard OS Administration Guide
Chapter 6: Configuring Authentication and Role Derivation
Downloading New Certificates
SafeGuard devices ship with default certificates. To download new certificates and new
Diffie-Hellman (DH) key material, use the following Global Configuration commands:
copy tftp://ip/file nvram:sslpem-root
copy tftp://ip/file nvram:sslpem-server
The nvram:sslpem-root keywords download the root certificate, and the
nvram:sslpem-server keywords download the server certificate. Both files must be
downloaded for SSL to operate, and both files should be in PEM format.
For example:
(SafeGuardOS) #configure terminal
(SafeGuardOS)(config) #copy tftp://172.58.17.19/cert1 nvram:sslpem-root
(SafeGuardOS)(config) #copy tftp://172.58.17.19/cert1 nvram:sslpem-server
(SafeGuardOS)(config) #exit
(SafeGuardOS) #
The system uses DH key exchange during the SSL process and supports the downloading
of DH key parameters using the following commands:
copy tftp://ip/file nvram:sslpem-dhweak
copy tftp://ip/file nvram:sslpem-dhstrong
These are the 512- and 1024-bit DH parameters, respectively. These files are also in PEM
format.
For example, the following commands support 1024-bit DH parameters:
(SafeGuardOS) #configure terminal
(SafeGuardOS)(config) #copy tftp://172.58.17.19/cert1 nvram:sslpem-root
(SafeGuardOS)(config) #copy tftp://172.58.17.19/cert1 nvram:sslpem-server
(SafeGuardOS)(config) #copy tftp://172.58.17.19/cert1 nvram:sslpem-dhstrong
Syntax Description
ip      IP address of the TFTP server.
file    Filename of the certificate.
NOTE: When using copy tftp://ip/file nvram:sslpem-server, the file
to be downloaded must contain both the certificate and the matching private
key. The certificate and key can be concatenated together, as:
-----BEGIN CERTIFICATE-----
<encoded certificate>
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
<encoded private key>
-----END RSA PRIVATE KEY-----
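Added example (not from the SafeGuard documentation): a Python pre-flight check to run on the files staged on the TFTP server before issuing the copy commands above. It assumes the DH files carry the PEM label DH PARAMETERS with a PKCS#3 structure, as OpenSSL writes them; the function names are illustrative, and the sample it builds is constructed, not a usable prime.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)
# Slot names are the guide's; choosing by prime size follows its 512/1024 description.
DH_SLOTS = {512: "nvram:sslpem-dhweak", 1024: "nvram:sslpem-dhstrong"}

def der_read(buf, pos=0):
    """Read one DER TLV at pos and return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def dh_slot(text):
    """Return the nvram slot that matches the prime size in a DH PARAMETERS PEM."""
    bodies = [body for label, body in PEM_RE.findall(text) if label == "DH PARAMETERS"]
    if len(bodies) != 1:
        raise ValueError("expected exactly one DH PARAMETERS block")
    der = base64.b64decode("".join(bodies[0].split()), validate=True)
    tag, seq, _ = der_read(der)  # PKCS#3 DHParameter ::= SEQUENCE { prime, base }
    ptag, prime, _ = der_read(seq)
    if tag != 0x30 or ptag != 0x02:
        raise ValueError("not a DHParameter structure")
    bits = int.from_bytes(prime, "big").bit_length()
    if bits not in DH_SLOTS:
        raise ValueError(f"{bits}-bit prime matches neither slot")
    return DH_SLOTS[bits]

def server_bundle_problems(text):
    """Check a file for nvram:sslpem-server holds one certificate and one RSA key."""
    labels = [label for label, _ in PEM_RE.findall(text)]
    return [f"expected one {want} block, found {labels.count(want)}"
            for want in ("CERTIFICATE", "RSA PRIVATE KEY") if labels.count(want) != 1]

def _tlv(tag, val):  # tiny DER encoder (lengths below 256) for the constructed sample
    head = bytes([len(val)]) if len(val) < 128 else bytes([0x81, len(val)])
    return bytes([tag]) + head + val

def sample_dh_pem(bits):
    """Constructed sample: correct structure and size, but the 'prime' is not prime."""
    p = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    b64 = base64.b64encode(_tlv(0x30, _tlv(0x02, p) + _tlv(0x02, b"\x02"))).decode()
    return f"-----BEGIN DH PARAMETERS-----\n{b64}\n-----END DH PARAMETERS-----\n"

if __name__ == "__main__":
    print(dh_slot(sample_dh_pem(1024)))  # slot to use for this file
```

server_bundle_problems confirms only that both PEM blocks are present; it does not verify that the private key matches the certificate.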










