Data Center Fabric Manager Enterprise User Manual v10.3.X (53-1001357-01, November 2009)

Exporting the KAC certificate signing request
If you are using the SAN Management program, the KAC certificate signing request (CSR) is
exported to a location you specify when you create a new encryption group or add a switch to an
encryption group. You can also export the KAC CSR from the Switch Properties view.
If you are using the CLI, you can export the KAC CSR from the switch to a file on a LAN-attached
host, or you can attach a USB storage device to the switch and export the KAC CSR to that device.
1. Log in to the switch on which the CSR was generated as Admin or SecurityAdmin.
2. Export the CSR from the switch over an SCP-protected LAN connection to a file on an external
host (e.g., your workstation), or to a mounted USB device.
The following example exports a CSR to an external SCP-capable host.
SecurityAdmin:switch>cryptocfg --export -scp -KACcsr \
192.168.38.245 mylogin /tmp/certs/kac_lkm_cert.pem
Password:
Operation succeeded.
The following example exports a CSR to USB storage.
SecurityAdmin:switch>cryptocfg --export -usb -KACcsr kac_lkm_cert.pem
Operation succeeded.
If you export the CSR to a USB storage device, you will need to remove the storage device from
the switch and attach it to a computer that has access to a third-party certificate authority
(CA). If you are using the SAN Management program, this can be your SAN Management
program workstation. The CSR must be submitted to a CA.
NOTE
The CSR is exported in Privacy Enhanced Mail (.pem) format. This format is required in exchanges
with certificate authorities.
Submitting the CSR to a certificate authority
The CSR must be submitted to a certificate authority (CA) to be signed. The certificate authority is a
trusted third-party entity that signs the CSR. There are several CAs available, and procedures vary,
but the general steps are as follows.
1. Open an SSL connection to an X.509 server.
2. Submit the CSR for signing.
3. Request the signed certificate.
Generally, a public key, the signed KAC certificate, and a signed CA certificate are returned.
4. Store the signed certificates, preferably in the same location as the CSR.
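The following script is an added example, not part of the manual: it checks on the workstation that the exported file is a well-formed CSR, that the certificate returned by the CA carries the same public key as that CSR, and that it verifies against the returned CA certificate. It assumes OpenSSL is installed on the workstation; the function names are chosen for this example and the three file paths are supplied by you.

```shell
#!/bin/sh
# Added example, not from the manual. Assumes OpenSSL on the workstation.
# Arguments: exported CSR, CA-signed certificate, CA certificate (all PEM).

# Print the SHA-256 of the public key in a CSR ($1=req) or certificate ($1=x509).
spki_hash() {
    pem=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# True if the file is a PEM CSR whose self-signature verifies.
# The output is matched because some OpenSSL releases exit 0 even
# when "req -verify" reports a failure.
csr_is_valid() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# True if the signed certificate carries the same public key as the CSR.
cert_matches_csr() {
    csr_hash=$(spki_hash req "$1") || return 1
    crt_hash=$(spki_hash x509 "$2") || return 1
    [ "$csr_hash" = "$crt_hash" ]
}

# True if the signed certificate verifies against the returned CA certificate.
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run all three checks and report every failure, not just the first.
check_kac_files() {
    rc=0
    csr_is_valid "$1" || { echo "FAIL: $1 is not a valid CSR"; rc=1; }
    cert_matches_csr "$1" "$2" || { echo "FAIL: $2 does not carry the public key in $1"; rc=1; }
    cert_chains_to_ca "$2" "$3" || { echo "FAIL: $2 does not verify against $3"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: CSR, signed certificate and CA certificate are consistent"
    return "$rc"
}

# Run the checks when the script is called with three file arguments.
if [ "$#" -eq 3 ]; then check_kac_files "$1" "$2" "$3"; fi
```

A key mismatch usually means the CA signed a different request or the wrong file was stored next to the CSR.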