A brief introduction to certificate renewal on the Radware APSolute Vision platform.
There are two ways to update the certificate: generate a self-signed one, or import a third-party certificate. In both cases the certificate can only be updated from the command line. Both methods cause the APSolute Vision appliance to restart (on older versions; the latest versions only disconnect the current Vision web sessions), so check how the device is being used first (it is a management and monitoring platform, so a restart does not affect the production network or services).
Self-signed certificate
The command is as follows:
[APSOLUTE-VISION]$ system ssl create
This operation will restart the Vision server.
Current web sessions will be disconnected.
Continue? [y/N]
y
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Common Name (eg, The servers hostname or the servers IP) [APSolute Vision Server]:192.168.136.110 // the corresponding domain name
Country Name (2 letter code) [NA]: // fill in as needed
State or Province Name [NA]: // fill in as needed
Locality Name (eg, city) [NA]: // fill in as needed
Organization Name (eg, company) [NA]: // fill in as needed
Organizational Unit Name (eg, section) [NA]: // fill in as needed
Email Address [NA]: // fill in as needed
New certificate was created.
The certificate is applied and saved automatically after it is generated.
After configuration the certificate looks like this:
Certificate as shown from the command line: [screenshot]
Certificate as shown in the web UI: [screenshot]
Importing a third-party certificate
This method imports the files through an SFTP server, so a working SFTP server must be set up first:
First, set up an SFTP server and place the certificate and key to be imported in its root directory.
The SFTP server used here was built with FreeSSHd.
data:image/s3,"s3://crabby-images/b3ca6/b3ca69cdd445e88f75f3b71c55724125ecd83a55" alt=""
Configure the SFTP server's IP address and port.
data:image/s3,"s3://crabby-images/974eb/974eb79515612195c6baa9d350a84e3098522e4f" alt=""
Configure the SFTP root directory and place the certificate file and key file in it.
data:image/s3,"s3://crabby-images/690fb/690fb297e3e24190d2a1b3cb5b3371c3099fb3d8" alt=""
1. Click Users
2. Click Add...
3. Enter the login user name
4. Select Password stored as SHA1 hash
5. Enter the password
6. Enter the password again
7. Select the permissions the user is allowed
8. Click OK
data:image/s3,"s3://crabby-images/ab1c7/ab1c7c13470b92acc8567be6ae1e27fa6870047c" alt=""
Click "Click here to start it" to start the SFTP service.
A normal startup screen looks like this:
data:image/s3,"s3://crabby-images/3f8c9/3f8c93598257e27ab7fa169aaa55563519566535" alt=""
If the service will not start, stop FreeSSHDService in the Windows Services console; it then starts normally.
Also, if an error occurs after the password has been entered several times, go to Authentication, set Password to Required and Public key to Disabled, then restart the software.
Step 2: upload the certificate to the appliance with the import command.
The syntax is: system ssl import pem <protocol://user@ip:/path -key Key_Filename -cert Certificate_Filename [-pass key_passphrase] [-interm Intermediate_Certificate_Filename]>
The command used here: system ssl import pem sftp://radware@192.168.136.1:/ -key server.key -cert server.cer -pass radware -interm ca.cer
After entering the command the output is as follows:
[APSOLUTE-VISION]$ system ssl import pem sftp://radware@192.168.136.1:/ -key server.key -cert server.cer -pass radware -interm ca.cer
This operation will restart the Vision server.
Current web sessions will be disconnected.
Continue? [y/N]
y
Importing private key and certificate from remote machine: 192.168.136.1
Transfer protocol: sftp. User: radware
Files path on remote machine: /
Private key file: server.key
Certificate file: server.cer
Chain certificate file: ca.cer
Connecting to remote machine ....
radware@192.168.136.1's password:
Connected to 192.168.136.1.
/opt/radware/ssl/certificate_temp: OK
SSL private key, certificate and intermediate file were imported.
Certificate as shown from the command line: [screenshot]
Certificate as shown in the web UI: [screenshot]
Note: the certificate must be in crt, pem or cer format, and the key file must not be encrypted; otherwise the Vision web UI will be inaccessible after the import.