planix.org/actube
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
3297370f349030372d49e0d99310fa1a5c75679f
actube/ssl/README
7u83@mail.ru 85fa7955e1 Fixed issues with creating cisco cert. 
FossilOrigin-Name: 16ebea6ee7650a6f9f11cb31fc94683c1e2eb57a0762b37613599dcac28ae14d
2016-03-01 08:31:16 +00:00

75 lines
2.1 KiB
Plaintext
Raw Blame History

Creating SSL certificates to test AC-Tube and it's WTP's
========================================================
1. Create a root CA by executing:
./mkrootca.sh
This creates some root CAs and intermediate CAs in the
subdirectories ./root-ca and ./intermediate-ca to sign
certificates.
2. Create client certificates as needed
To create a client certificate, execute the script
./mkcert.sh <cert-name> [type]
where cert-name is the name of the certificate to be created
without extension and the optional parameter type specifies
the type of the certificate, which could be only 'cisco'
for now.
The created certificatte and key is found in the
folder ./certs
named cert-name.pem and cert-name.key.
If you chose 'cisco-ap' as type, the certificate will be
accepted by a Cisco WTP when used in AC-Tube. The firmare
on Cisco's AP must be at least 7.3.
EXAMPLE:
./mkcert.sh ac-cisco cisco-ap
will create the files ./certs/ac-cisco.pem and and ./certs/ac-cisco.key
On a Cisco AP you might have to reset the config over terminal,
before it will connet. Therefor do in enabeled mode:
clear capwap private-config
reload
3. Put these entries into ac.conf located in the ac directory,
so AC-Tube wilil use the certificates. If you have named your certificate
just 'ac', put the following into config:
ssl_key=../../ssl/certs/ac.key
ssl_cert=../../ssl/certs/ac.crt
Installing your own root ca an a Cisco WTP
==========================================
If you want to connect a Cisco 1130 series LAP to AC-Tube
using a certificate signed by a root ca of your choice, you
have to install the CA file on the WTP. Therofore you can
create a terminal script by executing:
./mkciscoimport.sh
Paste the result into a terminal session when in enabled mode.
To ac.conf add the following entry:
dtls_verify_peer = no
But remember, if you reboot the WTP the installed CA will be lost.
Currently there is no way to make the installation permanent.
If you experience with other Cisco LAPs (e.g. 1141), please tell me.
7u83@mail.ru.
Reference in New Issue View Git Blame Copy Permalink