Basic TLS configuration

Basic TLS server configuration must have the following:

Basic TLS client configuration must have a cipher list, created using the config>system>security>tls>client-cipher-list command and assigned to the TLS client profile using the config>system>security>tls>client-tls-profile>cipher-list command.

The trust anchor certificate is imported into TLS and used to authenticate the peer's certificate and to retrieve its public key.

The following displays the CLI syntax for TLS:

config>system>security>tls
  cert-profile profile-name [create]
  no cert-profile profile-name
  client-cipher-list name [create]
  no client-cipher-list name
  client-tls-profile name [create]
  no client-tls-profile name
  server-cipher-list name [create]
  no server-cipher-list name
  server-tls-profile name [create]
  no server-tls-profile name
  trust-anchor-profile name [create]
  no trust-anchor-profile name

The following displays a TLS configuration example:

config>system>security>tls# info
----------------------------------------------
        trust-anchor-profile "server-1-ca" create
            trust-anchor "tls-server-1-ca"
        exit
        client-cipher-list "to-active-server" create
            cipher 1 name tls-rsa-with-aes256-cbc-sha256
            cipher 2 name tls-rsa-with-aes128-cbc-sha256
            cipher 3 name tls-rsa-with-aes256-cbc-sha
        exit
        client-tls-profile "server-1-profile" create
            cipher-list "to-active-server"
            trust-anchor-profile "server-1-ca"
            no shutdown
        exit
----------------------------------------------
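The cipher list in the example above uses static RSA key exchange (no forward secrecy), CBC mode, and, for the third entry, a SHA-1 MAC. The following is an added example, not Nokia SR OS code, that parses the `cipher N name <suite>` lines from `info` output and flags such entries by general TLS guidance; the sample input is constructed from the configuration example, and the classification of suite names is an assumption based on the IANA naming pattern, not on how SR OS itself evaluates the list.

```python
"""Audit a TLS cipher list pasted from `config>system>security>tls# info` output.

Added example, not part of the original page or of Nokia SR OS. It extracts
`cipher N name <suite>` lines from a client-cipher-list or server-cipher-list
block, orders them by index, and flags suites a reviewer would want justified:
static key exchange (no forward secrecy), CBC mode, SHA-1/MD5 MACs, and weak
or null bulk ciphers. Suite names are assumed to follow the IANA pattern
(tls-<keyexchange>-with-<bulk>-<hash>, case and separator insensitive).
"""
import re

# Constructed sample: the client-cipher-list from the configuration example.
SAMPLE_INFO = """\
        client-cipher-list "to-active-server" create
            cipher 1 name tls-rsa-with-aes256-cbc-sha256
            cipher 2 name tls-rsa-with-aes128-cbc-sha256
            cipher 3 name tls-rsa-with-aes256-cbc-sha
        exit
"""

CIPHER_RE = re.compile(r"^\s*cipher\s+(\d+)\s+name\s+(\S+)\s*$")
SUITE_RE = re.compile(r"^tls-(.+?)-with-(.+)$")

# Key-exchange names that carry no forward secrecy (static RSA / static DH).
STATIC_KX = {"rsa", "dh-rsa", "dh-dss"}


def parse_cipher_list(text):
    """Return [(index, suite_name)] sorted by the cipher index."""
    found = []
    for line in text.splitlines():
        m = CIPHER_RE.match(line)
        if m:
            found.append((int(m.group(1)), m.group(2)))
    found.sort()
    return found


def classify(suite):
    """Split a suite name into key exchange, bulk cipher and hash, or None if unrecognised."""
    name = suite.lower().replace("_", "-")
    m = SUITE_RE.match(name)
    if not m:
        return None
    kx, rest = m.group(1), m.group(2)
    parts = rest.split("-")
    # The trailing token is the MAC hash (or PRF hash for AEAD suites).
    return {"kx": kx, "bulk": "-".join(parts[:-1]), "hash": parts[-1]}


def findings(suite):
    """Return a list of human-readable concerns for one suite (empty if none)."""
    c = classify(suite)
    if c is None:
        return ["unrecognised suite name"]
    issues = []
    if c["kx"] in STATIC_KX:
        issues.append("no forward secrecy (static key exchange)")
    if "cbc" in c["bulk"]:
        issues.append("CBC mode")
    if c["hash"] in ("sha", "md5"):
        issues.append("SHA-1/MD5 MAC")
    if any(weak in c["bulk"] for weak in ("rc4", "3des", "des-", "null")):
        issues.append("weak or null bulk cipher")
    return issues


def audit(text):
    """Map each configured suite, in index order, to its list of findings."""
    return {suite: findings(suite) for _, suite in parse_cipher_list(text)}


if __name__ == "__main__":
    for suite, issues in audit(SAMPLE_INFO).items():
        print(f"{suite}: {', '.join(issues) if issues else 'ok'}")
```

Run it against pasted `info` output for both the client and server cipher lists; every suite in the example is reported for static RSA key exchange and CBC mode, and the `...-sha` entry additionally for its SHA-1 MAC. Whether an ECDHE or AEAD suite can replace them depends on what the platform's cipher-list command accepts and on what the peer supports, which this page does not state.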