Cisco Broadband Access Center 3.8 Administrator Guide
OL-27172-01
Chapter 13 Configuring CWMP Service Security
Configuring SSL Service
[Unknown]: MA
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=train-1.bac.test, OU=BAC Training, O="Acme Device, Inc.", L=Boxborough, ST=MA, C=US correct?
[no]: yes
Enter key password for <train-1>
(RETURN if same as keystore password):
In this example, train-1.bac.test goes into the CN field of the certificate and represents the FQDN that
the ACS URL contains. According to the TR-069 specification, the device validates the certificate
signature and ensures that the CN field in the certificate matches that of the URL it contacts.
Displaying Self-Signed Certificate
The keytool -list argument displays the contents of the keystore entry identified by alias. If you do not
specify an alias, the entire contents of the keystore appear.
If you combine -list with -v, the certificate chain associated with the alias appears. The following
keytool -list sample output displays the keystore containing a single self-signed certificate.
Example 13-2 Keytool -list
# ./keytool -keystore train-1.keystore -list -v
Enter keystore password: changeme
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: train-1
Creation date: Nov 8, 2005
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=train-1.bac.test, OU=BAC Training, O="Acme Device, Inc.", L=Boxborough, ST=MA, C=US
Issuer: CN=train-1.bac.test, OU=BAC Training, O="Acme Device, Inc.", L=Boxborough, ST=MA, C=US
Serial number: 43714f22
Valid from: Tue Nov 08 20:21:38 EST 2005 until: Mon Feb 06 20:21:38 EST 2006
Certificate fingerprints:
MD5: CF:D4:CB:D1:20:6F:8C:12:ED:EA:2F:21:53:57:E5:1D
SHA1: DD:AE:96:02:71:55:F8:1F:14:4F:D7:64:9C:FE:91:DE:65:C9:BB:49
Generating a Certificate-Signing Request
At this point in the procedure, the keystore contains a private key and an X.509 self-signed certificate. If
the DPE ACS responds with this certificate to a device's initial handshake, the device rejects the
certificate with a TLS alert (bad CA), indicating that the certificate was not signed by a certificate
authority that the CPE trusts. Therefore, a signing authority that the CPE trusts must sign the certificate.
Note To support SSL, the device must have a list of preconfigured public certificates of signing authorities
that it trusts. One of the authorities that the device trusts must sign the ACS certificate.
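A pre-flight check an operator can run against the keytool -list -v output before enabling SSL on the DPE, added here as an example and not part of the Cisco guide or the BAC product: it parses the fields shown in Example 13-2 and reports the two rejection causes described above (a CN that does not match the FQDN in the ACS URL, and a self-signed certificate, which triggers the bad CA alert) together with an expired or not-yet-valid window. The sample keytool output, the function names and the acs_url / now_iso parameters are constructed for this example.

```python
import re
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample input, modelled on the guide's Example 13-2 (keytool -list -v).
KEYTOOL_LIST_OUTPUT = """\
Certificate[1]:
Owner: CN=train-1.bac.test, OU=BAC Training, O="Acme Device, Inc.", L=Boxborough, ST=MA, C=US
Issuer: CN=train-1.bac.test, OU=BAC Training, O="Acme Device, Inc.", L=Boxborough, ST=MA, C=US
Serial number: 43714f22
Valid from: Tue Nov 08 20:21:38 EST 2005 until: Mon Feb 06 20:21:38 EST 2006
"""

def parse_keytool_list(text):
    """Collect the single-line 'Field: value' entries keytool prints for the certificate."""
    pat = re.compile(r"^(Owner|Issuer|Serial number|Valid from): (.*)$")
    return {m.group(1): m.group(2).strip() for m in map(pat.match, text.splitlines()) if m}

def subject_cn(dn):
    """Return the CN attribute of a DN such as 'CN=host, OU=..., C=US' (None if absent)."""
    m = re.search(r"(?:^|,\s*)CN=([^,]+)", dn)
    return m.group(1).strip() if m else None

def parse_keytool_date(s):
    """Parse 'Tue Nov 08 20:21:38 EST 2005'; the zone name is dropped (naive datetime)."""
    parts = s.split()
    return datetime.strptime(" ".join(parts[:4] + parts[5:]), "%a %b %d %H:%M:%S %Y")

def check_acs_cert(list_output, acs_url, now_iso):
    """Reasons a TR-069 CPE would reject this certificate when contacting acs_url:
    cn-mismatch (CN != URL FQDN), self-signed (Owner == Issuer: the 'bad CA' case),
    not-yet-valid / expired (now_iso, an ISO date, outside the 'Valid from ... until' window)."""
    f = parse_keytool_list(list_output)
    now = datetime.fromisoformat(now_iso)
    problems = []
    host = (urlparse(acs_url).hostname or "").lower()
    cn = subject_cn(f.get("Owner", ""))
    if cn is None or cn.lower() != host:
        problems.append("cn-mismatch")
    if f.get("Owner") and f.get("Owner") == f.get("Issuer"):
        problems.append("self-signed")
    m = re.match(r"(.+?) until: (.+)$", f.get("Valid from", ""))
    if m:
        start, end = parse_keytool_date(m.group(1)), parse_keytool_date(m.group(2))
        if now < start:
            problems.append("not-yet-valid")
        elif now > end:
            problems.append("expired")
    return problems
```

An empty list means the entry would pass these checks; on the guide's self-signed keystore the CN matches but the self-signed finding remains until the CSR is signed by a CA the CPE trusts.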