actube/ssl
7u83@mail.ru 06d748a470 WTP joins now a Cisco vwlc via mod cisco.
FossilOrigin-Name: 21ef75e0a9c1bd22396902887a13ebd383bbbf97fe30834c8232f86ef6bb8eb6
2016-03-13 17:55:42 +00:00
..
mkcert.sh WTP joins now a Cisco vwlc via mod cisco. 2016-03-13 17:55:42 +00:00
mkcerts.sh Some fixes (bash ... etc) 2016-02-29 08:17:34 +00:00
mkciscoimport.sh Modyfied to match new directory structure 2015-01-24 07:49:16 +00:00
mkclean.sh Cleans directories now 2015-01-22 22:32:40 +00:00
mkrootca.sh Certificate stuff 2015-02-09 21:04:54 +00:00
openssl-crt.cnf some improvements to support Cisco. 2015-03-12 22:21:57 +00:00
openssl-int.cnf some improvements to support Cisco. 2015-03-12 22:21:57 +00:00
openssl.cnf Locality is mandatory now. 2015-02-03 07:21:34 +00:00
README Fixed issues with creating cisco cert. 2016-03-01 08:31:16 +00:00


Creating SSL certificates to test AC-Tube and it's WTP's
========================================================

1. Create a root CA by executing: 

   ./mkrootca.sh

   This creates some root CAs and intermediate CAs in the
   subdirectories ./root-ca and ./intermediate-ca to sign
   certificates.


2. Create client certificates as needed

   To create a client certificate, execute the script

   ./mkcert.sh <cert-name> [type]

   where cert-name is the name of the certificate to be created
   without extension and the optional parameter type specifies
   the type of the certificate, which could be only 'cisco'
   for now.
   The created certificatte and key is found in the 
   folder ./certs
   named cert-name.pem and cert-name.key.
   
   If you chose 'cisco-ap' as type, the certificate will be
   accepted by a Cisco WTP when used in AC-Tube. The firmare
   on Cisco's AP must be at least 7.3.

   EXAMPLE:
     ./mkcert.sh ac-cisco cisco-ap
     will create the files ./certs/ac-cisco.pem and and ./certs/ac-cisco.key

   On a Cisco AP you might have to reset the config over terminal,
   before it will connet. Therefor do in enabeled mode:
     clear capwap private-config
     reload


3. Put these entries into  ac.conf  located in  the    ac directory, 
   so AC-Tube wilil use the certificates. If you have named your certificate
   just 'ac', put the following into config:

   ssl_key=../../ssl/certs/ac.key
   ssl_cert=../../ssl/certs/ac.crt


Installing your own root ca an a Cisco WTP
==========================================

If you want to connect a Cisco 1130 series LAP to  AC-Tube
using a certificate signed by a root ca of your choice, you
have to install the CA file on the WTP. Therofore you can 
create a terminal script by  executing:

./mkciscoimport.sh 	

Paste the result into a terminal session when in enabled mode. 

To ac.conf add the following entry:
   
dtls_verify_peer = no

But remember, if you reboot the WTP the installed CA will be lost.
Currently there is no way to make the installation permanent.


If you experience with other Cisco LAPs (e.g. 1141), please tell me.
7u83@mail.ru.