13-4
Cisco Broadband Access Center 3.8 Administrator Guide
OL-27172-01
Chapter 13 Configuring CWMP Service Security
Configuring SSL Service
To configure a server certificate:
Step 1 Create a new server keystore with a new private key by using keytool. See Generating Server Certificate Keystore and Private Key for a New Certificate, page 13-6, for details.
Step 2 Generate a certificate-signing request (CSR) for that key. See Generating a Certificate-Signing Request, page 13-7, for details.
Step 3 Submit the CSR to the signing authority and obtain the signed server certificate. See Generating a Certificate-Signing Request, page 13-7, for details.
Step 4 Load the signing authority's certificate (which carries its public key) into the cacerts keystore. See Importing Signing Authority Certificate into Cacerts Keystore, page 13-8, for details.
Step 5 Load the signed server certificate into the server keystore. See Importing the Signed Certificate into Server Certificate Keystore, page 13-9, for details.
Step 6 Put the new keystore file in the DPE BPR_HOME/dpe/conf directory.
Step 7 At the CLI, configure one of the DPE services to use the new keystore. See Configuring SSL Service, page 13-3, for details.
Step 8 Restart the DPE by using the dpe reload command from the CLI, or the /etc/init.d/bprAgent restart dpe command from the watchdog agent command line (see Using Cisco BAC Process Watchdog from the Command Line, page 9-2).
Note To enable the use of client certificates for device authentication, ensure that the public certificate of the signing authority for device certificates is loaded into the cacerts keystore. Follow the procedure described in Importing Signing Authority Certificate into Cacerts Keystore, page 13-8, for details.
Importing an Existing Signed Server Certificate
If you already have the signed server certificate and want to load it into the keystore, you must have the private key that is associated with the certificate. In this case, instead of following the procedure described above, follow the steps outlined in this section. Use the PKCS#12 file format, which combines the private key and the signed certificate in one file. You can load this file into a keystore by using the keystore import-pkcs12 command.
To configure a server certificate with an existing signed server certificate:
Step 1 Load the existing private key and certificates into a DPE-compatible keystore file, used in authenticating the DPE to SSL clients, by using the keystore import-pkcs12 command.
When using this command, the syntax is:
keystore import-pkcs12 keystore-filename pkcs12-filename keystore-password key-password export-password export-key-password
keystore-filename—Identifies the keystore file to create. If it already exists, it is overwritten.
Note Remember to specify the full path of the keystore file.
pkcs12-filename—Identifies the PKCS#12 file from which you intend to import the key and certificate.