85fa7955e1
FossilOrigin-Name: 16ebea6ee7650a6f9f11cb31fc94683c1e2eb57a0762b37613599dcac28ae14d
Creating SSL certificates to test AC-Tube and its WTPs
======================================================

1. Create a root CA by executing:

    ./mkrootca.sh

   This creates some root CAs and intermediate CAs in the
   subdirectories ./root-ca and ./intermediate-ca to sign
   certificates.

2. Create client certificates as needed

   To create a client certificate, execute the script

    ./mkcert.sh <cert-name> [type]

   where cert-name is the name of the certificate to be created
   without extension and the optional parameter type specifies
   the type of the certificate, which can only be 'cisco' for now.

   The created certificate and key are found in the folder ./certs,
   named cert-name.pem and cert-name.key.

   If you chose 'cisco-ap' as type, the certificate will be
   accepted by a Cisco WTP when used in AC-Tube. The firmware
   on Cisco's AP must be at least 7.3.

   EXAMPLE:

    ./mkcert.sh ac-cisco cisco-ap

   will create the files ./certs/ac-cisco.pem and ./certs/ac-cisco.key.

   On a Cisco AP you might have to reset the config over the terminal
   before it will connect. To do so, run the following in enabled mode:

    clear capwap private-config
    reload

3. Put these entries into ac.conf located in the ac directory,
   so AC-Tube will use the certificates. If you have named your certificate
   just 'ac', put the following into the config:

    ssl_key=../../ssl/certs/ac.key
    ssl_cert=../../ssl/certs/ac.crt
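Before pointing ssl_key and ssl_cert at a pair of files, it is worth checking that the certificate actually chains to the root CA and that the key belongs to that certificate; a mismatch only shows up later as a failed DTLS handshake with the WTP. The script below is an added example and not AC-Tube's own mkrootca.sh or mkcert.sh: check_pair runs those checks with openssl, and make_test_pki builds a throwaway root CA and leaf purely as constructed sample input (the CN values and file names are made up for the example).

```shell
#!/bin/sh
# Added example: sanity checks for a certificate/key pair before it is
# referenced from ac.conf. Requires the openssl command-line tool.
set -u

# check_pair CERT KEY CAFILE
# Returns 0 only if CERT chains to CAFILE, KEY is the private key of CERT,
# and CERT has not expired. Reasons for failure go to stderr.
check_pair() {
    cert=$1; key=$2; ca=$3
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "chain check failed: $cert does not chain to $ca" >&2; return 1; }
    # compare the public key embedded in the cert with the one derived from the key
    cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "key mismatch: $key is not the private key of $cert" >&2; return 1; }
    # -checkend 0 fails if the certificate is already past notAfter
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "certificate expired: $cert" >&2; return 1; }
    return 0
}

# make_test_pki DIR
# Constructed sample data for this example only: a self-signed root CA,
# a leaf 'ac' signed by it, and an unrelated key to show the mismatch case.
make_test_pki() {
    dir=$1
    mkdir -p "$dir" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Test Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.pem" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ac-test" \
        -keyout "$dir/ac.key" -out "$dir/ac.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$dir/ac.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 30 -out "$dir/ac.pem" >/dev/null 2>&1 || return 1
    openssl genpkey -algorithm RSA -out "$dir/other.key" >/dev/null 2>&1 || return 1
}
```

Run check_pair on the files mkcert.sh produced, with the root CA from ./root-ca as the third argument, before editing ac.conf.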


Installing your own root CA on a Cisco WTP
==========================================

If you want to connect a Cisco 1130 series LAP to AC-Tube
using a certificate signed by a root CA of your choice, you
have to install the CA file on the WTP. To do so, you can
create a terminal script by executing:

    ./mkciscoimport.sh

Paste the result into a terminal session when in enabled mode.

To ac.conf add the following entry:

    dtls_verify_peer = no

But remember, if you reboot the WTP the installed CA will be lost.
Currently there is no way to make the installation permanent.

If you have experience with other Cisco LAPs (e.g. 1141), please tell me:
7u83@mail.ru