Basic TLS server configuration must have the following:
a cipher list created using the config>system>security>tls>server-cipher-list command, and assigned to the TLS server profile using the config>system>security>tls>server-tls-profile>cipher-list command
a certificate profile created using the config>system>security>tls>cert-profile command, and assigned to the TLS server profile using the config>system>security>tls>server-tls-profile>cert-profile command
Basic TLS client configuration must have a cipher list created using the config>system>security>tls>client-cipher-list command, and assigned to the TLS client profile using the config>system>security>tls>client-tls-profile>cipher-list command.
TLS imports the trust anchor certificate used for TLS peer certificate authentication and public key retrieval.
The following displays the CLI syntax for TLS:
config>system>security>tls
    cert-profile profile-name [create]
    no cert-profile profile-name
    client-cipher-list name [create]
    no client-cipher-list name
    client-tls-profile name [create]
    no client-tls-profile name
    server-cipher-list name [create]
    no server-cipher-list name
    server-tls-profile name [create]
    no server-tls-profile name
    trust-anchor-profile name [create]
    no trust-anchor-profile name
The following displays a TLS configuration example:
config>system>security>tls# info
----------------------------------------------
    trust-anchor-profile "server-1-ca" create
        trust-anchor "tls-server-1-ca"
    exit
    client-cipher-list "to-active-server" create
        cipher 1 name tls-rsa-with-aes256-cbc-sha256
        cipher 2 name tls-rsa-with-aes128-cbc-sha256
        cipher 3 name tls-rsa-with-aes256-cbc-sha
    exit
    client-tls-profile "server-1-profile" create
        cipher-list "to-active-server"
        trust-anchor-profile "server-1-ca"
        no shutdown
    exit
----------------------------------------------
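The configuration rules above (a server TLS profile must be assigned a server cipher list and a cert profile; a client TLS profile must be assigned a client cipher list, and any trust-anchor profile it names must exist for peer certificate authentication to work) can be checked mechanically against the "info" output. The Python script below is an added example, not Nokia code and not part of this documentation. It parses an info block of the shape shown above, assuming that every context opened with "create" is closed by its own "exit", and reports references that do not resolve to a defined object, as well as profiles that were never enabled with "no shutdown". The embedded sample configuration is constructed: it repeats the client profile from the example and adds a server profile whose cert-profile was never created, so the check has something to report.

```python
import re

# Constructed sample input (not from the documentation): the client profile
# shown in the example plus a server profile that references a cert-profile
# which was never created.
SAMPLE_CONFIG = """\
config>system>security>tls# info
----------------------------------------------
    trust-anchor-profile "server-1-ca" create
        trust-anchor "tls-server-1-ca"
    exit
    client-cipher-list "to-active-server" create
        cipher 1 name tls-rsa-with-aes256-cbc-sha256
        cipher 2 name tls-rsa-with-aes128-cbc-sha256
        cipher 3 name tls-rsa-with-aes256-cbc-sha
    exit
    client-tls-profile "server-1-profile" create
        cipher-list "to-active-server"
        trust-anchor-profile "server-1-ca"
        no shutdown
    exit
    server-cipher-list "srv-ciphers" create
        cipher 1 name tls-rsa-with-aes256-cbc-sha256
    exit
    server-tls-profile "srv-profile" create
        cipher-list "srv-ciphers"
        cert-profile "srv-cert"
    exit
----------------------------------------------
"""

# For each profile type: the attributes it must set, and which definition
# context each attribute must resolve to (the basic configuration rules).
REQUIRED = {
    "client-tls-profile": {"cipher-list": "client-cipher-list"},
    "server-tls-profile": {"cipher-list": "server-cipher-list",
                           "cert-profile": "cert-profile"},
}

BLOCK_RE = re.compile(r'^(\S+) "([^"]+)" create$')
REF_RE = re.compile(r'^(cipher-list|cert-profile|trust-anchor-profile) "([^"]+)"$')


def parse_tls_block(text):
    """Split info output into defined objects and the references each profile makes.

    Assumes every context opened with 'create' is closed by its own 'exit'
    (the shape of the info output above); nested contexts are tracked by depth.
    Returns (defined, profiles):
      defined  : {context-name: set of object names}
      profiles : {(profile-type, name): {"refs": {attr: target}, "admin_up": bool}}
    """
    defined, profiles = {}, {}
    current, depth = None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-") or line.endswith("# info"):
            continue
        m = BLOCK_RE.match(line)
        if m:
            depth += 1
            if depth == 1:
                kind, name = m.group(1), m.group(2)
                defined.setdefault(kind, set()).add(name)
                current = {"refs": {}, "admin_up": False} if kind in REQUIRED else None
                if current is not None:
                    profiles[(kind, name)] = current
            continue
        if line == "exit":
            depth -= 1
            if depth == 0:
                current = None
            continue
        if current is None or depth != 1:
            continue
        m = REF_RE.match(line)
        if m:
            current["refs"][m.group(1)] = m.group(2)
        elif line == "no shutdown":
            current["admin_up"] = True
    return defined, profiles


def check_tls_profiles(text):
    """Return a list of findings; an empty list means every profile is complete."""
    defined, profiles = parse_tls_block(text)
    findings = []
    for (kind, name), info in sorted(profiles.items()):
        for attr, def_kind in REQUIRED[kind].items():
            target = info["refs"].get(attr)
            if target is None:
                findings.append(f"{kind} {name}: required {attr} not assigned")
            elif target not in defined.get(def_kind, set()):
                findings.append(f"{kind} {name}: {attr} {target!r} is not a defined {def_kind}")
        # A trust-anchor profile is optional, but if assigned it must exist,
        # otherwise peer certificate authentication has nothing to chain to.
        anchor = info["refs"].get("trust-anchor-profile")
        if anchor is not None and anchor not in defined.get("trust-anchor-profile", set()):
            findings.append(f"{kind} {name}: trust-anchor-profile {anchor!r} is not defined")
        if not info["admin_up"]:
            findings.append(f"{kind} {name}: not enabled (no 'no shutdown' in the profile)")
    return findings


if __name__ == "__main__":
    for finding in check_tls_profiles(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the sample, the client profile passes and the server profile is reported twice: its cert-profile "srv-cert" does not exist, and the profile was never enabled. Feeding the script the real "info" output of a node gives the same kind of report for the live configuration.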