9.10. Basic TLS Configuration

Basic TLS server configuration must have the following:

  1. a cipher list created using the config>system>security>tls>server-cipher-list command, and assigned to the TLS server profile using the config>system>security>tls>server-tls-profile>cipher-list command
  2. a certificate profile created using the config>system>security>tls>cert-profile command, and assigned to the TLS server profile using the config>system>security>tls>server-tls-profile>cert-profile command

Basic TLS client configuration must have a cipher list created using the config>system>security>tls>client-cipher-list command, and assigned to the TLS client profile using the config>system>security>tls>client-tls-profile>cipher-list command.

TLS uses an imported trust anchor (CA) certificate to authenticate the peer's TLS certificate and to retrieve the peer's public key.

The following displays the CLI syntax for TLS:

CLI Syntax:
config>system>security>tls
    cert-profile profile-name [create]
    no cert-profile profile-name
    client-cipher-list name [create]
    no client-cipher-list name
    client-tls-profile name [create]
    no client-tls-profile name
    server-cipher-list name [create]
    no server-cipher-list name
    server-tls-profile name [create]
    no server-tls-profile name
    trust-anchor-profile name [create]
    no trust-anchor-profile name

The following displays a TLS configuration example.

config>system>security>tls# info
----------------------------------------------
        trust-anchor-profile "server-1-ca" create
            trust-anchor "tls-server-1-ca"
        exit
        client-cipher-list "to-active-server" create
            cipher 1 name tls-rsa-with-aes256-cbc-sha256
            cipher 2 name tls-rsa-with-aes128-cbc-sha256
            cipher 3 name tls-rsa-with-aes256-cbc-sha
        exit
        client-tls-profile "server-1-profile" create
            cipher-list "to-active-server"
            trust-anchor-profile "server-1-ca"
            no shutdown
        exit
----------------------------------------------

9.11. Common Configuration Tasks

9.11.1. Configuring a Server TLS Profile

The following displays the CLI syntax for a server TLS profile.

CLI Syntax:
config>system>security>tls
    server-tls-profile name [create]
    no server-tls-profile name
        authenticate-client
        trust-anchor-profile ca-profile-name
        no trust-anchor-profile
        cert-profile name
        no cert-profile
        cipher-list name
        no cipher-list
        [no] shutdown
        tls-re-negotiate-timer [0 to 65000]
        no tls-re-negotiate-timer

9.11.2. Configuring a Client TLS Profile

The following displays the CLI syntax for a client TLS profile, which also configures the server authentication behavior:

CLI Syntax:
config>system>security>tls
    client-tls-profile name [create]
    no client-tls-profile name
        trust-anchor-profile name
        no trust-anchor-profile

9.11.3. Configuring a TLS Client or TLS Server Certificate

The following displays the CLI syntax for TLS certificate management:

CLI Syntax:
config>system>security>tls
    cert-profile profile-name [create]
    no cert-profile profile-name
        entry entry-id [create]
        no entry entry-id
            cert cert-filename
            no cert
            key key-filename
            no key
            [no] send-chain
            [no] ca-profile name
        [no] shutdown
    client-tls-profile name [create]
    no client-tls-profile name
        cert-profile name
        no cert-profile
    server-tls-profile name [create]
    no server-tls-profile name
        cert-profile name
        no cert-profile

9.11.4. Configuring a TLS Trust Anchor

The following displays the CLI syntax for a TLS trust anchor:

CLI Syntax:
config>system>security>pki
    [no] ca-profile
    certificate-display-format
    [no] certificate-expiration-warning hours
    [no] crl-expiration-warning
    [no] maximum-cert-chain-depth
config>system>security>tls
    [no] trust-anchor-profile
    [no] client-tls-profile
        [no] cipher-list
        [no] shutdown
        [no] trust-anchor-profile

The following displays a TLS trust anchor configuration example:

*B:SeGW-1>config>system>security>pki# info
----------------------------------------------
        ca-profile "tls-server-1-ca" create
            cert-file "tls-1-Root-CERT"
            crl-file "tls-1-CRL-CERT"
            no shutdown
        exit
----------------------------------------------
*A:SwSim8>config>system>security>tls# info
----------------------------------------------
        trust-anchor-profile "server-1-ca" create
            trust-anchor "tls-server-1-ca"
        exit
        client-tls-profile "server-1-profile" create
            cipher-list "to-active-server"
            trust-anchor-profile "server-1-ca"
            no shutdown
        exit
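The following Python script is an added example and is not part of this document or of the router software it describes. It parses "info" output of the form shown in sections 9.10 and 9.11.4 and checks the rules stated in section 9.10: a server TLS profile must reference a cipher list and a certificate profile, a client TLS profile must reference a cipher list, and every referenced object (cipher list, cert-profile, trust-anchor-profile, and the ca-profile named by a trust anchor) must actually exist and not be shut down. The sample input reuses the pki and tls output from this page and adds a constructed, deliberately incomplete server-tls-profile "mgmt-server" referencing a non-existent cipher list "srv-ciphers"; the assumption that profiles start shut down until "no shutdown" is configured is also the script's, not the document's.

```python
"""Added example: cross-reference check for TLS configuration "info" output.

Parses nested '<kind> "<name>" create' ... 'exit' blocks and verifies the
section 9.10 requirements plus reference integrity.  Not part of the page.
"""
import shlex
from dataclasses import dataclass, field

# Objects that carry an administrative state in the syntax shown on the page.
# Assumption: they are shut down until an explicit "no shutdown" is seen.
SHUTDOWN_KINDS = {"ca-profile", "cert-profile",
                  "client-tls-profile", "server-tls-profile"}

# Section 9.10: mandatory references per profile type.
REQUIRED = {"server-tls-profile": ("cipher-list", "cert-profile"),
            "client-tls-profile": ("cipher-list",)}


@dataclass
class Block:
    kind: str                    # e.g. "client-tls-profile"
    name: str                    # quoted name following the keyword
    admin_down: bool = False
    leaves: dict = field(default_factory=dict)   # keyword -> list of arg lists
    children: list = field(default_factory=list)


def parse_info(text):
    """Turn "info" output into a tree of Blocks rooted at a dummy root."""
    root = Block("root", "")
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        # Skip the prompt line ("...# info"), separator lines and blank lines.
        if not line or line.startswith("-") or line.endswith("# info"):
            continue
        toks = shlex.split(line)          # strips the quotes around names
        if toks == ["exit"]:
            if len(stack) > 1:
                stack.pop()
        elif len(toks) >= 3 and toks[-1] == "create":
            blk = Block(toks[0], toks[1], admin_down=toks[0] in SHUTDOWN_KINDS)
            stack[-1].children.append(blk)
            stack.append(blk)
        elif toks == ["no", "shutdown"]:
            stack[-1].admin_down = False
        elif toks == ["shutdown"]:
            stack[-1].admin_down = True
        else:
            stack[-1].leaves.setdefault(toks[0], []).append(toks[1:])
    return root


def target_kind(profile_kind, leaf):
    """Object kind that a reference leaf must resolve to."""
    if leaf == "cipher-list":   # server and client lists are separate objects
        return ("server-cipher-list" if profile_kind == "server-tls-profile"
                else "client-cipher-list")
    return {"cert-profile": "cert-profile",
            "trust-anchor-profile": "trust-anchor-profile",
            "trust-anchor": "ca-profile"}[leaf]


def check(root):
    """Return a list of findings; an empty list means the config is consistent."""
    index = {(b.kind, b.name): b for b in root.children}
    findings = []
    for blk in root.children:
        where = f"{blk.kind} {blk.name}"
        for leaf in REQUIRED.get(blk.kind, ()):
            if leaf not in blk.leaves:
                findings.append(f"{where}: missing {leaf}")
        for leaf in ("cipher-list", "cert-profile", "trust-anchor-profile", "trust-anchor"):
            for args in blk.leaves.get(leaf, []):
                kind = target_kind(blk.kind, leaf)
                target = index.get((kind, args[0]))
                if target is None:
                    findings.append(f"{where}: {leaf} {args[0]!r} refers to a missing {kind}")
                elif target.admin_down:
                    findings.append(f"{where}: {leaf} {args[0]!r} is shut down")
        # Without a trust anchor a client profile cannot authenticate the server.
        if blk.kind == "client-tls-profile" and "trust-anchor-profile" not in blk.leaves:
            findings.append(f"{where}: no trust-anchor-profile, server certificate cannot be authenticated")
        if blk.admin_down:
            findings.append(f"{where}: shut down")
    return findings


# Constructed sample: the page's pki and tls output plus a hypothetical,
# misconfigured server-tls-profile "mgmt-server".
SAMPLE_INFO = '''\
*B:SeGW-1>config>system>security>pki# info
----------------------------------------------
        ca-profile "tls-server-1-ca" create
            cert-file "tls-1-Root-CERT"
            crl-file "tls-1-CRL-CERT"
            no shutdown
        exit
----------------------------------------------
*A:SwSim8>config>system>security>tls# info
----------------------------------------------
        trust-anchor-profile "server-1-ca" create
            trust-anchor "tls-server-1-ca"
        exit
        client-cipher-list "to-active-server" create
            cipher 1 name tls-rsa-with-aes256-cbc-sha256
        exit
        client-tls-profile "server-1-profile" create
            cipher-list "to-active-server"
            trust-anchor-profile "server-1-ca"
            no shutdown
        exit
        server-tls-profile "mgmt-server" create
            cipher-list "srv-ciphers"
            no shutdown
        exit
----------------------------------------------
'''

if __name__ == "__main__":
    for finding in check(parse_info(SAMPLE_INFO)):
        print(finding)
```

Run against the sample, the script reports that "mgmt-server" has no cert-profile and that its cipher-list "srv-ciphers" does not exist; the page's own client-side objects pass. To audit a live configuration, paste the output of "info" from both the pki and tls contexts into SAMPLE_INFO, since the trust anchor in the tls context can only be resolved against the ca-profile defined under pki.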