Client Configuration
1. Generate the CA key and certificate on the TLS client:
openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout rootCAKey.pem -out rootCACert.pem
2. Generate client key and certificate on client:
a. Create a new file named ClientCertReq.config with this content:
[req]
distinguished_name = dn
prompt = no
 
[dn]
# Replace with the TLS client IP
CN = 10.12.65.10
C = IN
L = BNG
O = IPI
OU = IPI-QA
b. Generate the client key and certificate signing request:
openssl req -newkey rsa:2048 -keyout ClientKey.pem -out ClientCert.csr -config ./ClientCertReq.config -nodes -days 100
3. Client certificate signing:
openssl x509 -req -sha256 -in ClientCert.csr -CA rootCACert.pem -CAkey rootCAKey.pem -CAcreateserial -out ClientCert.pem -days 365
4. Server certificate signing:
openssl x509 -req -sha256 -in ServerCert.csr -CA rootCACert.pem -CAkey rootCAKey.pem -CAcreateserial -out ServerCert.pem -days 365
5. Manually import (SCP) the signed server certificate and the CA root certificate to OcNOS (/usr/local/etc/tls/certs).
The CA root certificate file should be in PEM format and named ca.pem (/usr/local/etc/tls/certs/ca.pem).
The OcNOS server certificate file should be in PEM format and named cert.pem (/usr/local/etc/tls/certs/cert.pem).
6. Establish the TLS session using the following command on the client side:
connect --tls --host 10.12.89.152 --port 6513 --cert /root/QUX/ClientCert.pem --key /root/QUX/ClientKey.pem --trusted /root/QUX/rootCACert.pem
Note: This example uses the Netopeer2 command as NetConf client over TLS.
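Before importing the files in step 5 or connecting in step 6, the signed certificates can be checked against the CA and against their private keys. The shell functions below are an added example, not part of the OcNOS documentation; the function names are hypothetical, the 30-day expiry margin is an assumption, and the file names in the usage comment follow the steps above.

```shell
#!/bin/sh
# Added example: pre-import checks for the PEM files produced in steps 1-4.
# Function names are hypothetical; only standard openssl subcommands are used.

# Succeeds only if <cert.pem> chains to <ca.pem>.
chain_ok() {  # usage: chain_ok <ca.pem> <cert.pem>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds only if the private key belongs to the certificate
# (the public key derived from each must be identical).
key_matches_cert() {  # usage: key_matches_cert <key.pem> <cert.pem>
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Prints the subject CN, which step 2 sets to the TLS client IP.
cert_cn() {  # usage: cert_cn <cert.pem>
    openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= //p'
}

# Runs all checks; prints the first failure and returns non-zero.
preflight() {  # usage: preflight <ca.pem> <cert.pem> <key.pem> <expected-cn>
    chain_ok "$1" "$2" ||
        { echo "FAIL: $2 is not signed by $1"; return 1; }
    key_matches_cert "$3" "$2" ||
        { echo "FAIL: $3 is not the key for $2"; return 1; }
    [ "$(cert_cn "$2")" = "$4" ] ||
        { echo "FAIL: CN of $2 is not $4"; return 1; }
    # 2592000 s = 30 days (assumed margin); fails if the cert expires sooner.
    openssl x509 -in "$2" -noout -checkend 2592000 >/dev/null 2>&1 ||
        { echo "FAIL: $2 expires within 30 days"; return 1; }
    echo "OK: $2"
}

# Example invocation with the file names from the procedure:
#   sh preflight.sh rootCACert.pem ClientCert.pem ClientKey.pem 10.12.65.10
if [ "$#" -eq 4 ]; then
    preflight "$@"
fi
```

The chain check applies to ServerCert.pem from step 4 in the same way: `chain_ok rootCACert.pem ServerCert.pem`.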
Last modified date: 06/08/2023