13-9
Cisco Broadband Access Center 3.8 Administrator Guide
OL-27172-01
Chapter 13 Configuring CWMP Service Security
Configuring SSL Service
Note The cacerts file bundled with Cisco BAC ships with the root certificates of several common third-party signing authorities. You can manage the cacerts keystore by using the keytool utility. The default cacerts keystore password is changeit. The cacerts database file resides in the BPR_HOME/jre/lib/security directory.
The cacerts keystore does not need to be copied anywhere. The DPE uses the new keystore as soon as it is restarted.
Example 13-5 Keytool -import Signing Authority Certificate
# ./keytool -import -alias DeviceProvRoot -file rootCA4.crt -keystore /opt/CSCObac/jre/lib/security/cacerts
Enter keystore password: changeit
Owner: EMAILADDRESS=linksys-certadmin@cisco.com, CN=Acme Device Provisioning Root Authority 1, OU=Acme Device Certificate Authority, O="Acme Device, Inc.", L=Irvine, ST=California, C=US
Issuer: EMAILADDRESS=linksys-certadmin@cisco.com, CN=Acme Device Provisioning Root Authority 1, OU=Acme Device Certificate Authority, O="Acme Device, Inc.", L=Irvine, ST=California, C=US
Serial number: 8bcbc07a0768c1eb78e6c5c93c0c2ff0
Valid from: Fri Jul 01 21:22:12 EDT 2005 until: Mon Jun 29 21:22:12 EDT 2015
Certificate fingerprints:
MD5: C4:D4:09:6A:60:34:A0:00:96:4F:4D:47:23:86:8C:FA
SHA1: B0:CC:6D:CD:BB:62:1B:A1:15:D3:2D:68:7E:D0:4A:0C:91:C2:A5:FD
Trust this certificate? [no]: yes
Certificate was added to keystore.
Note The keytool can import X.509 v1, v2, and v3 certificates, and PKCS#7-formatted certificate chains comprising certificates of that type. The data to be imported must be provided in binary-encoded (DER) format, or in printable-encoded format (also known as Base64 encoding) as defined by RFC 1421.
Importing the Signed Certificate into Server Certificate Keystore
Once you import the public certificate of the signing authority into the cacerts keystore, you must import the signed server certificate into the DPE server certificate keystore. You will already have a keystore containing the private key and its corresponding self-signed certificate (public key).
By importing the certificate reply (the signed certificate), the keystore is modified to associate the signed certificate with the existing private key in the server certificate keystore.
When importing the certificate reply into the keystore, you must use the -trustcacerts flag with the -import command so that the certificates in the cacerts file are used to establish the chain of trust with the certificate reply in the subject’s keystore. Without it, keytool cannot validate the reply against the signing authority you imported in the previous step.
Example 13-6 Keytool -import (Signed Server Certificate)
dpe# ./keytool -import -trustcacerts -file train-1.crt -keystore train-1.keystore -alias train-1
Enter key password: changeme2
Enter keystore password: changeme
Certificate reply was installed in keystore.
Certificate was added to keystore.
After you import the signed server certificate into the DPE server certificate keystore, use the keytool -printcert command to verify the keystore contents, as outlined in Verifying the Signed Certificate, page 13-8. The -printcert output should now show the issuer to be the signing certificate authority, and that a chain of trust has been established from the server certificate through the signing authority to the trusted root certificate.
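The verification step above is done by reading keytool's printed output. As an added example, not Cisco BAC tooling, the following Python script parses keytool -printcert / -list -v text (re-joining the DNs that keytool folds across lines, as in Example 13-5) and reports whether the DPE entry is still self-signed, whether each issuer matches the next certificate's owner, and whether the chain ends at a root held in cacerts, compared by SHA1 fingerprint rather than by name. The sample output embedded in it is constructed.

```python
import re
# Labels that begin a field in keytool -printcert / -list -v output; any other line is a
# wrapped continuation of the previous field (keytool folds long DNs, as in Example 13-5).
LABEL = re.compile(r"^\s*(Certificate\[\d+\]|Owner|Issuer|Serial number|Valid from|"
                   r"Certificate fingerprints|MD5|SHA1|SHA256|Alias name|Certificate chain length):")

def parse_printcert(text):
    """Return one dict per certificate (owner, issuer, sha1) in print order."""
    lines, certs = [], []
    for raw in filter(str.strip, text.splitlines()):   # skip blank lines
        if lines and not LABEL.match(raw):
            lines[-1] += " " + raw.strip()            # re-join a folded DN
        else:
            lines.append(raw.strip())
    for line in lines:
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key == "Owner":
            certs.append({"owner": val, "issuer": "", "sha1": ""})
        elif key in ("Issuer", "SHA1") and certs:
            certs[-1][key.lower()] = val
    return certs

def check_chain(server_chain, trusted):
    """Findings for the DPE entry (empty = sound). Names/fingerprints of printed output only."""
    findings, leaf, top = [], server_chain[0], server_chain[-1]
    if leaf["owner"] == leaf["issuer"]:
        findings.append("server certificate is still self-signed: reply not installed")
    for cert, parent in zip(server_chain, server_chain[1:]):
        if cert["issuer"] != parent["owner"]:
            findings.append("chain broken below " + parent["owner"])
    # A self-signed top must be the very root in cacerts (compare fingerprints, not names);
    # an intermediate top must at least name a cacerts entry as its issuer.
    if top["owner"] == top["issuer"]:
        anchored = top["sha1"] in {c["sha1"] for c in trusted}
    else:
        anchored = top["issuer"] in {c["owner"] for c in trusted}
    if not anchored:
        findings.append("chain does not end at a cacerts entry: " + top["issuer"])
    return findings

# Constructed sample output modelled on Examples 13-5 and 13-6 (DNs shortened, values illustrative).
ROOT = """Owner: CN=Acme Device Provisioning Root Authority 1, O="Acme Device, Inc.", C=US
Issuer: CN=Acme Device Provisioning Root Authority 1, O="Acme Device, Inc.", C=US
\t SHA1: B0:CC:6D:CD:BB:62:1B:A1:15:D3:2D:68:7E:D0:4A:0C:91:C2:A5:FD"""
SERVER = """Owner: CN=train-1, OU=DPE, O="Acme Device, Inc.", C=US
Issuer: CN=Acme Device Provisioning Root Authority 1, O="Acme Device,
Inc.", C=US
Certificate[2]:
""" + ROOT
```

Running check_chain(parse_printcert(SERVER), parse_printcert(ROOT)) returns an empty list for the sample; a keystore whose reply was never installed yields the self-signed finding instead.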