actube/ssl
7u83@mail.ru 46fab74fba Cleans directories now
FossilOrigin-Name: ff2a8ef77424d3752f2456bfbaaad7ade79100cddb089c4ffd1ece7824856d09
2015-01-22 22:32:40 +00:00
cisco Initial commit 2015-01-11 21:41:55 +00:00
README More information on how to connect a Cisco AP. 2015-01-12 17:32:39 +00:00
mkcert_cisco.sh Initial commit 2015-01-11 22:37:56 +00:00
mkcerts.sh Creates on certificate 2015-01-22 22:32:18 +00:00
mkciscoimport.sh Builds a script that can be pasted into a Cisco terminal to import the ca certificate. 2014-08-11 15:32:37 +00:00
mkclean.sh Cleans directories now 2015-01-22 22:32:40 +00:00
mkrootca.sh New improved script 2015-01-22 22:13:09 +00:00
openssl-cisco.cnf Initial commit 2015-01-11 22:37:56 +00:00
openssl.cnf Changed hash algorithm to md5 so a Cisco IOS 12.3-image can import certificate. 2014-08-10 10:21:03 +00:00

README


Creating SSL certificates to test AC-Tube and its WTP
=====================================================

1. Create a root CA by executing: 

   ./mkrootca.sh

   This creates the files root-ca.crt and root-ca.key.


2. Create client certificates for AC and WTP

   ./mkcerts.sh

   This will create the files ac.key, ac.crt and wtp.crt, wtp.key.
   All .key files are protected with the password you have chosen
   in the certificate creation process.

3. Put these entries into ac.conf, located in the ac directory,
   so AC-Tube will use the certificates:

   ssl_key=../../ssl/ac.key
   ssl_key_pass=your password 
   ssl_cert=../../ssl/ac.crt

   For WTP, the certificate's config entries are hard-coded for now.
   Now you can play around joining WTP to AC...

4. If you want to connect a Cisco 1130 series LAP to AC-Tube, you
   have to install the CA file on the LAP. To do so, you can create
   a terminal script by executing:

   ./mkciscoimport.sh

   Paste the result into a terminal session when in enabled mode.

   To ac.conf add the following entry:
   
   dtls_verify_peer = no

   Now your Cisco 1130 LAP will join AC-Tube. Remember that the
   Cisco LAP will lose the installed certificate after rebooting.

   If you want to use a Cisco LAP without installing your own CA
   certificate on it, which is lost after each reboot, you can sign
   your certificate with a Cisco intermediate CA certificate as
   explained in the next section.




Get a Cisco AP out of the box connected to AC-Tube
==================================================

If you want to use a Cisco AP without installing your own CA
certificate on it, which is lost after each reboot, AC-Tube has to
use a certificate that is signed by a CA whose CA certificate is
already installed on the AP.

To create such a certificate, a Cisco WLC uses an intermediate CA
certificate, which is signed by the root CA certificate installed
on the AP.

If you have both the intermediate CA certificate with its matching
private key and the CA certificate that is installed on the AP, you
can create such a certificate, like a Cisco WLC does, by copying
them to the ./cisco sub-directory using the following names:

cisco-root-ca.crt: the CA certificate
cisco-ca.crt: the intermediate CA certificate
cisco-ca.key: the private key

All files have to be in PEM format.

Now run the script

./mkcert_cisco.sh

which creates two files:

ac_cisco.pem 
ac_cisco.key

Whenever you are asked for a password, always use the same one. The
chosen password is not imported. You don't need it later.

Now you can modify ac.conf to use the certificate and key:

ssl_key=../../ssl/ac_cisco.key
ssl_cert=../../ssl/ac_cisco.pem

And a Cisco AP will now join AC-Tube without any modifications!
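
The shell functions below are an added example, not part of AC-Tube's scripts: they check that a generated certificate verifies against its CA and that a key file belongs to its certificate, for both the self-made CA from the first section and the Cisco-signed certificate. The function names and the KEYPASS environment variable are assumptions; the file names are the ones this README uses.

```sh
#!/bin/sh
# Added example, not part of AC-Tube: sanity checks for generated certificates.
# check_chain, check_pair and KEYPASS are hypothetical names.

# check_chain ROOT CERT [INTERMEDIATE]
# Succeeds only if "openssl verify" accepts CERT with ROOT supplied as the
# CA file (openssl may also consult the system default CA directory).
# INTERMEDIATE, if given, is offered as an untrusted chain certificate.
check_chain() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# check_pair CERT KEY [PASSIN]
# Succeeds only if the public key derived from KEY equals the one in CERT.
# PASSIN is an openssl pass phrase source such as env:KEYPASS or file:path;
# without it openssl prompts for the password of an encrypted key.
check_pair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    if [ -n "${3:-}" ]; then
        key_pub=$(openssl pkey -in "$2" -pubout -passin "$3" 2>/dev/null) || return 1
    else
        key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    fi
    [ "$cert_pub" = "$key_pub" ]
}

# When run in the ssl directory, check the files named in the first section.
# Key checks run only if the key password is exported as KEYPASS.
if [ -f root-ca.crt ]; then
    for n in ac wtp; do
        check_chain root-ca.crt "$n.crt" ||
            echo "$n.crt does not verify against root-ca.crt"
        [ -z "${KEYPASS:-}" ] || check_pair "$n.crt" "$n.key" env:KEYPASS ||
            echo "$n.key does not match $n.crt"
    done
fi
```

For the Cisco-signed certificate, pass the intermediate as the third argument: check_chain cisco/cisco-root-ca.crt ac_cisco.pem cisco/cisco-ca.crt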



If you have experience with other Cisco LAPs (e.g. 1141), please tell me:
7u83@mail.ru.