The console server uses the Secure Sockets Layer (SSL) to secure traffic between itself and a connected user. When establishing this connection, the console server exposes its identity to the user's browser using a cryptographic certificate.
The default certificate that comes with the console server upon delivery is for testing purposes only. So when you first browse to the console server (https:// ip address) your browser will respond with a message that the certificate is "untrusted". Initially you'll need to direct your browser to (temporarily) proceed and accept this untrusted certificate. However, it is recommended that you generate and install a new certificate that is certified and unique for your particular console server.
The console server can generate a new cryptographic key and the associated Certificate Signing Request (CSR) that you will then need to have certified by a Certification Authority (CA). A certification authority verifies that you are who you claim to be, and then signs and issues an SSL certificate to you.
- Select System: SSL Certificates
- Enter data for the Common Name, Organizational Unit, Organization, Locality/City, State/Province, Country, Email, Challenge Password and Key length
- Click Generate CSR and when generated Download the CSR to your machine
- The temporary CSR and private key are stored in:
/etc/config/pending.pem (private key)
/etc/config/public.csr (CSR)
The next step is to send the saved CSR string off to a Certification Authority (CA) for certification. You will get the new certificate back from the CA (after a more or less complicated traditional authentication process depending on the CA) and you can then Upload it to the console server.
After these steps are completed your console server will have its own trusted certificate and you should no longer receive warnings from your browser :)
Uploading certificates and key via CLI
If your internal team or a third party has generated the certificate and private key, then they need to be uploaded using the instructions below.
On your PC, rename the certificate to ssl_cert.pem and the private key to ssl_key.pem.
Use WinSCP, Bitvise or a similar program to navigate to the /etc/config directory and upload the files.
/etc/config/ssl_key.pem
/etc/config/ssl_cert.pem
SSH into the Opengear as root and run the commands below:
sudo -i
dos2unix /etc/config/*pem
You need to restart the web server with the command below to reload the configuration.
killall cherokee
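A check that can be run on the PC before the upload step above, confirming that ssl_cert.pem and ssl_key.pem actually belong together, that the certificate has not expired, and whether either file carries the CRLF line endings that dos2unix removes. This is an added example, not Opengear's own tooling; the helper name check_pair is hypothetical and the script assumes a POSIX shell with the OpenSSL command-line tool installed.

```shell
#!/bin/sh
# Added example: sanity-check a certificate/key pair before uploading it as
# /etc/config/ssl_cert.pem and /etc/config/ssl_key.pem.
# check_pair is a hypothetical helper name; it requires the openssl CLI.

check_pair() {
    cert=$1
    key=$2
    cr=$(printf '\r')

    for f in "$cert" "$key"; do
        [ -r "$f" ] || { echo "FAIL: cannot read $f" >&2; return 2; }
        # CRLF line endings are what the dos2unix step in the article removes.
        if grep -q "$cr" "$f"; then
            echo "WARN: $f contains CRLF line endings" >&2
        fi
    done

    # Extract the public key from each file; both come out as PEM
    # SubjectPublicKeyInfo, so a matching pair yields identical text.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "FAIL: $cert is not a readable PEM certificate" >&2; return 3; }
    # -passin pass: supplies an empty passphrase so an encrypted key fails
    # here instead of prompting.
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) ||
        { echo "FAIL: $key is malformed or passphrase-protected" >&2; return 4; }

    [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: certificate and private key do not match" >&2; return 5; }

    # -checkend 0 exits non-zero when the certificate has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "FAIL: certificate has expired" >&2; return 6; }

    echo "OK: key matches certificate"
    openssl x509 -in "$cert" -noout -subject -enddate
}

# Usage: sh check_pair.sh ssl_cert.pem ssl_key.pem
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
fi
```

A non-zero exit status identifies which check failed, so the pair can be corrected before the web server is restarted.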
Something went wrong and the GUI is not responding.
If the above steps somehow broke the GUI, we can reinstate the default self-signed certificate so you can start again.
Run the following command to check the firmware version.
cat /etc/version
If the firmware is 4.3.1 or lower, log in as the admin or root user on the CLI and run the commands below to restore the default certificates.
sudo -i
cp /etc/default/*pem /etc/config
config -a
At this stage cherokee should be restarted, or reboot the console server.
If the firmware is 4.4.0 or higher, log in as the admin or root user on the CLI and run the commands below to create default certificates.
You can customize the CN and other info by editing the /etc/config/openssl.cnf file first.
sudo -i
rm /etc/config/ssl*
/etc/scripts/gen-keys
The web service should be running at this stage. If not, try a reboot.