06d748a470
FossilOrigin-Name: 21ef75e0a9c1bd22396902887a13ebd383bbbf97fe30834c8232f86ef6bb8eb6 |
||
---|---|---|
.. | ||
mkcert.sh | ||
mkcerts.sh | ||
mkciscoimport.sh | ||
mkclean.sh | ||
mkrootca.sh | ||
openssl-crt.cnf | ||
openssl-int.cnf | ||
openssl.cnf | ||
README |
Creating SSL certificates to test AC-Tube and it's WTP's ======================================================== 1. Create a root CA by executing: ./mkrootca.sh This creates some root CAs and intermediate CAs in the subdirectories ./root-ca and ./intermediate-ca to sign certificates. 2. Create client certificates as needed To create a client certificate, execute the script ./mkcert.sh <cert-name> [type] where cert-name is the name of the certificate to be created without extension and the optional parameter type specifies the type of the certificate, which could be only 'cisco' for now. The created certificatte and key is found in the folder ./certs named cert-name.pem and cert-name.key. If you chose 'cisco-ap' as type, the certificate will be accepted by a Cisco WTP when used in AC-Tube. The firmare on Cisco's AP must be at least 7.3. EXAMPLE: ./mkcert.sh ac-cisco cisco-ap will create the files ./certs/ac-cisco.pem and and ./certs/ac-cisco.key On a Cisco AP you might have to reset the config over terminal, before it will connet. Therefor do in enabeled mode: clear capwap private-config reload 3. Put these entries into ac.conf located in the ac directory, so AC-Tube wilil use the certificates. If you have named your certificate just 'ac', put the following into config: ssl_key=../../ssl/certs/ac.key ssl_cert=../../ssl/certs/ac.crt Installing your own root ca an a Cisco WTP ========================================== If you want to connect a Cisco 1130 series LAP to AC-Tube using a certificate signed by a root ca of your choice, you have to install the CA file on the WTP. Therofore you can create a terminal script by executing: ./mkciscoimport.sh Paste the result into a terminal session when in enabled mode. To ac.conf add the following entry: dtls_verify_peer = no But remember, if you reboot the WTP the installed CA will be lost. Currently there is no way to make the installation permanent. If you experience with other Cisco LAPs (e.g. 1141), please tell me. 7u83@mail.ru.