Citrix ADC

Create a FIPS key for an instance on an SDX 14030/14060/14080 FIPS appliance

You can create a FIPS key on your instance or import an existing FIPS key into the instance. An SDX 14030/14060/14080 FIPS appliance supports only 2048-bit and 3072-bit RSA keys with a public exponent of F4 (65537). For PEM keys, the exponent is read from the key file, so the -exponent parameter is not required. Verify that the FIPS key is created correctly. Create a certificate signing request and a server certificate. Finally, add the certificate-key pair to your instance.

Note:

1024-bit and 4096-bit keys and an exponent value of 3 are not supported.

Create a FIPS key by using the CLI

At the command prompt, type:

create ssl fipsKey <fipsKeyName> -keytype ( RSA | ECDSA ) [-exponent ( 3 | F4 )] [-modulus <positive_integer>] [-curve ( P_256 | P_384 )]

Example:

create fipsKey f1 -keytype RSA -modulus 2048 -exponent F4
 Done
show ssl fipskey f1
FIPS Key Name: f1
Key Type: RSA
Modulus: 2048
Public Exponent: F4 (Hex: 0x10001)
 Done

Import a FIPS key by using the CLI

At the command prompt, type:

import ssl fipsKey <fipsKeyName> -key <string> [-inform <inform>] [-wrapKeyName <string>] [-iv <string>] [-exponent F4]

Example:

import fipskey Key-FIPS-2 -key Key-FIPS-2.key -inform SIM -exponent F4
 Done
import fipskey Key-FIPS-2 -key Key-FIPS-2.key -inform PEM
 Done

Verify that the FIPS key was created or imported correctly by running the show fipskey command.

show fipskey
1) FIPS Key Name: Key-FIPS-2
 Done
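Before importing a PEM key, it is worth checking offline that it meets the constraints stated above (a 2048-bit or 3072-bit RSA modulus and exponent F4), because a key the appliance rejects is easier to diagnose on a workstation than through the import command. The following Go program is an added example and is not part of the Citrix documentation or of the appliance software: it parses a PKCS#1 or PKCS#8 PEM private key with Go's standard library and applies exactly those two checks. The function names CheckRSAParams and CheckPEMKey, the command-line usage, and the file name Key-FIPS-2.key are illustrative assumptions; the constraints themselves are the ones this page states.

```go
// Added example (not from the Citrix documentation): pre-flight check of a PEM
// RSA private key against the SDX 14030/14060/14080 FIPS constraints stated on
// this page, run before "import ssl fipsKey ... -inform PEM".
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"os"
)

// Constraints from the page: 2048- or 3072-bit modulus, public exponent F4.
var allowedModulusBits = map[int]bool{2048: true, 3072: true}

const exponentF4 = 65537 // 0x10001

// CheckRSAParams applies the appliance's constraints to a modulus size (bits)
// and a public exponent. It is separate from the PEM parsing so it can also be
// used on parameters obtained elsewhere (for example from a key inventory).
func CheckRSAParams(bits, exponent int) error {
	if !allowedModulusBits[bits] {
		return fmt.Errorf("modulus is %d bits; only 2048 and 3072 are supported", bits)
	}
	if exponent != exponentF4 {
		return fmt.Errorf("public exponent is %d; only F4 (65537) is supported", exponent)
	}
	return nil
}

// CheckPEMKey decodes a PEM private key ("RSA PRIVATE KEY" for PKCS#1 or
// "PRIVATE KEY" for PKCS#8), confirms it is RSA, and runs CheckRSAParams.
// The modulus size is returned even on failure so the rejection is precise.
// Encrypted PEM files are not handled and must be decrypted first.
func CheckPEMKey(pemData []byte) (int, error) {
	block, _ := pem.Decode(pemData)
	if block == nil {
		return 0, errors.New("no PEM block found in input")
	}
	var key *rsa.PrivateKey
	switch block.Type {
	case "RSA PRIVATE KEY":
		k, err := x509.ParsePKCS1PrivateKey(block.Bytes)
		if err != nil {
			return 0, fmt.Errorf("parse PKCS#1 key: %w", err)
		}
		key = k
	case "PRIVATE KEY":
		k, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return 0, fmt.Errorf("parse PKCS#8 key: %w", err)
		}
		rsaKey, ok := k.(*rsa.PrivateKey)
		if !ok {
			return 0, fmt.Errorf("PKCS#8 key is %T, not RSA", k)
		}
		key = rsaKey
	default:
		return 0, fmt.Errorf("unsupported PEM block type %q (encrypted keys must be decrypted first)", block.Type)
	}
	bits := key.N.BitLen()
	return bits, CheckRSAParams(bits, key.E)
}

func main() {
	// With a file argument, check that file (e.g. "go run . Key-FIPS-2.key").
	// Without one, generate a 2048-bit key in memory and check it, so the
	// example runs stand-alone. Both inputs are illustrative assumptions.
	var pemData []byte
	if len(os.Args) > 1 {
		data, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		pemData = data
	} else {
		key, err := rsa.GenerateKey(rand.Reader, 2048) // Go always uses e = 65537
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		pemData = pem.EncodeToMemory(&pem.Block{
			Type:  "RSA PRIVATE KEY",
			Bytes: x509.MarshalPKCS1PrivateKey(key),
		})
	}
	bits, err := CheckPEMKey(pemData)
	if err != nil {
		fmt.Printf("REJECT (%d-bit): %v\n", bits, err)
		os.Exit(1)
	}
	fmt.Printf("OK: %d-bit RSA key with exponent F4, suitable for -inform PEM import\n", bits)
}
```

A non-zero exit with a REJECT line means the key would fall outside what the appliance accepts (1024-bit, 4096-bit, or exponent 3 keys, as the note above lists); generate a fresh 2048-bit or 3072-bit key with exponent F4 instead of importing it.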

Create a certificate signing request by using the CLI

At the command prompt, type:

create ssl certReq <reqFile> (-keyFile <input_filename> | -fipsKeyName <string>) [-keyform ( DER | PEM ) {-PEMPassPhrase }] -countryName <string> -stateName <string> -organizationName <string> [-organizationUnitName <string>] [-localityName <string>] [-commonName <string>] [-emailAddress <string>] {-challengePassword } [-companyName <string>] [-digestMethod ( SHA1 | SHA256 )]

Example:

create certreq f1.req -fipsKeyName f1 -countryName US -stateName CA -organizationName Citrix -companyName Citrix -commonName ctx -emailAddress test@example.com
 Done

Create a server certificate by using the CLI

At the command prompt, type:

create ssl cert <certFile> <reqFile> <certType> [-keyFile <input_filename>] [-keyform ( DER | PEM ) {-PEMPassPhrase }] [-days <positive_integer>] [-certForm ( DER | PEM )] [-CAcert <input_filename>] [-CAcertForm ( DER | PEM )] [-CAkey <input_filename>] [-CAkeyForm ( DER | PEM )] [-CAserial <output_filename>]

Example:

create cert f1.cert f1.req SRVR_CERT -CAcert ns-root.cert -CAkey ns-root.key -CAserial ns-root.srl -days 1000
 Done

The preceding example signs the server certificate with the appliance's own self-signed root CA (ns-root.cert and ns-root.key). Clients do not trust that CA, so this is suitable for testing only; for production, submit f1.req to your organization's CA or a public CA and use the certificate it returns in place of f1.cert in the steps that follow.

Add a certificate-key pair by using the CLI

At the command prompt, type:

add ssl certKey <certkeyName> (-cert <string> [-password]) [-key <string> | -fipsKey <string> | -hsmKey <string>] [-inform <inform>] [-expiryMonitor ( ENABLED | DISABLED ) [-notificationPeriod <positive_integer>]] [-bundle ( YES | NO )]

Example:

add certkey cert1 -cert f1.cert -fipsKey f1
 Done

After creating the FIPS key and server certificate, you can add the generic SSL configuration. Enable the features that are required for your deployment. Add servers, services, and SSL virtual servers. Bind the certificate-key pair and the service to the SSL virtual server, and save the configuration.

enable ns feature SSL LB
 Done
add server s1 10.217.2.5
 Done
add service sr1 s1 HTTP 80
 Done
add lb vserver v1 SSL 10.217.2.172 443
 Done
bind ssl vserver v1 -certkeyName cert1
 Done
bind lb vserver v1 sr1
 Done
saveconfig
 Done

For information about configuring secure HTTPS and secure RPC, click here.