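Create and install an SSL certificate on SDX 9100 and SDX 16000
Use OpenSSL to create a key, generate a certificate signing request (CSR), and generate a self-signed SSL certificate. Use the LOM GUI to install the SSL certificate. After a successful installation, the LOM GUI uses the new SSL certificate for secure connections.
Prerequisites
- Access to an SDX platform running FreeBSD or Linux with OpenSSL installed.
- Administrative access credentials (nsroot/password) for the LOM web interface.
Create an SSL certificate using OpenSSL
Perform the following steps in OpenSSL: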
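- Generate a 2048-bit RSA private key. Type:
  openssl genrsa -out private_key.pem 2048
  A file named private_key.pem, containing the RSA private key, is created in the current directory.
- Use this private key to generate a CSR. Type:
  openssl req -new -key private_key.pem -out request.csr
  Enter values for the following parameters:
  - Country Name (2 letter code): for example, US
  - State or Province Name (full name): for example, California
  - Locality Name: for example, San Francisco
  - Organization Name: for example, My Company
  - Organizational Unit Name: for example, IT Department
  - Common Name: for example, your name (or the server's host name)
  - Email Address: for example, admin@mycompany.com
  - A challenge password: leave blank
  - An optional company name: leave blank
  A file named request.csr, containing the certificate signing request, is created in the current directory.
- Use the CSR and the private key to generate a self-signed SSL certificate. The certificate is valid for 365 days. Type:
  openssl x509 -req -in request.csr -signkey private_key.pem -out lom_certificate.pem -days 365
  A file named lom_certificate.pem, containing the self-signed SSL certificate, is created in the current directory.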
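Install the SSL certificate using the LOM GUI
- Log on to the LOM web interface with the default administrator (nsroot) account.
- Navigate to Configuration > Network > SSL Certificate.
- In New SSL Certificate, click Choose File.
- Browse to the location of the certificate file (lom_certificate.pem).
- In New Private Key, click Choose File.
- Browse to the location of the key file (private_key.pem).
- Click Upload.
After the SSL certificate and private key are uploaded to the LOM UI, the BMC restarts, and the system is in a locked state by default. Check the SSL certificate details in the browser to confirm that they match the lom_certificate.pem that you generated.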
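The checks below are an added example, not part of the original procedure or of any vendor tooling: before the upload they confirm that lom_certificate.pem carries the public key of private_key.pem, and they print the SHA-256 fingerprint to compare with what the browser shows after the BMC restarts. The function names and the constructed subject (lom.example.test) are assumptions; the script generates throwaway files in a temporary directory so that it runs on its own.

```shell
#!/bin/sh
# Added example: pre-upload checks for the files the steps above produce.
# Function names and the constructed subject are hypothetical.

# Run the three steps non-interactively in directory $1 (throwaway test data).
make_lom_files() {
    ( cd "$1" && umask 077 &&   # key file is created readable by its owner only
      openssl genrsa -out private_key.pem 2048 2>/dev/null &&
      openssl req -new -key private_key.pem -out request.csr \
          -subj "/C=US/O=Example/CN=lom.example.test" &&
      openssl x509 -req -in request.csr -signkey private_key.pem \
          -out lom_certificate.pem -days 365 2>/dev/null )
}

# Succeed only when certificate $1 carries the public key of private key $2.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeed when certificate $1 is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Print the SHA-256 fingerprint of certificate $1 (value only, no label).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

dir=$(mktemp -d) || exit 1
trap 'rm -rf "$dir"' EXIT          # do not leave the throwaway key behind
make_lom_files "$dir" || { echo "generation failed" >&2; exit 1; }
cert="$dir/lom_certificate.pem"
key="$dir/private_key.pem"

if cert_matches_key "$cert" "$key" && cert_valid_for_days "$cert" 30; then
    echo "OK to upload; fingerprint to compare in the browser:"
    cert_fingerprint "$cert"
else
    echo "do not upload: key/certificate mismatch or certificate near expiry" >&2
    exit 1
fi
```

To check real files, call the same three functions on the private_key.pem and lom_certificate.pem created by the steps above.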
Example
[root@netscaler-sdx SSL_Cert]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
[root@netscaler-sdx SSL_Cert]# uname -a
Linux netscaler-sdx 4.4.0+2 #1 SMP Fri Apr 30 02:46:33 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
[root@netscaler-sdx SSL_Cert]# cat /etc/centos-release
XenServer release 7.1.2 (xenenterprise)
[root@netscaler-sdx SSL_Cert]# openssl genrsa -out private_key.pem 2048
Generating RSA private key, 2048 bit long modulus
.................+++
.................+++
e is 65537 (0x10001)
[root@netscaler-sdx SSL_Cert]# ls
private_key.pem
[root@netscaler-sdx SSL_Cert]# openssl req -new -key private_key.pem -out request.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:California
Locality Name (eg, city) [Default City]:Santa_Clara
Organization Name (eg, company) [Default Company Ltd]:CSG
Organizational Unit Name (eg, section) []:Engineering
Common Name (eg, your name or your server's hostname) []: cloud.com
Email Address []: none@cloud.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@netscaler-sdx SSL_Cert]# ls
private_key.pem request.csr
[root@netscaler-sdx SSL_Cert]# openssl x509 -req -in request.csr -signkey private_key.pem -out lom_certificate.pem -days 365
Signature ok
subject=/C=US/ST=California/L=Santa_Clara/O=CSG/OU=Engineering/CN=cloud.com/emailAddress=none@cloud.com
Getting Private key
[root@netscaler-sdx SSL_Cert]# ls
lom_certificate.pem private_key.pem request.csr
Sample private_key.pem (2048-bit)
Sample request.csr
Sample lom_certificate.pem