Configuring TLS with CLI

This section describes how to configure TLS using the command line interface.

Basic TLS Configuration

A TLS configuration requires the following:

  1. TLS anchor certificate
  2. TLS profile configuration

TLS imports the trust anchor certificate, which is used to authenticate the server certificate and to retrieve the server public key.

The following displays the CLI syntax for TLS:

CLI Syntax:
config>system>security>tls
[no] client-cipher-list
[no] client-tls-profile
[no] trust-anchor-profile

The following displays a TLS configuration example.

config>system>security>tls# info
----------------------------------------------
        trust-anchor-profile "server-1-ca" create
            trust-anchor "tls-server-1-ca"
        exit
        client-cipher-list "to-active-server" create
            cipher 1 name tls-rsa-with-aes256-cbc-sha256
            cipher 2 name tls-rsa-with-aes128-cbc-sha256
            cipher 3 name tls-rsa-with-aes256-cbc-sha
        exit
        client-tls-profile "server-1-profile" create
            cipher-list "to-active-server"
            trust-anchor-profile "server-1-ca"
            no shutdown
        exit
----------------------------------------------

Common Configuration Tasks

The following sections describe the basic TLS configuration tasks.

Configuring a Client TLS Profile

The following displays the CLI syntax for a client TLS profile, which also configures the server authentication behavior:

CLI Syntax:
config>system>security>tls
client-tls-profile name [create]
no client-tls-profile name
trust-anchor-profile name create
no trust-anchor-profile name
[no] trust-anchor ca-profile-name

Configuring a TLS Client Certificate

The following displays the CLI syntax for TLS certificate management:

CLI Syntax:
config>system>security>tls
[no] client-cipher-list
[no] client-tls-profile
[no] trust-anchor-profile

The following displays a TLS client certificate configuration example:

*A:SwSim8>config>system>security>tls# info
----------------------------------------------
        client-tls-profile "server-1-profile" create
            cipher-list "to-active-server"
            trust-anchor-profile "server-1-ca"
            no shutdown
        exit
----------------------------------------------

Configuring a TLS Trust Anchor

The following displays the CLI syntax for a TLS trust anchor:

CLI Syntax:
config>system>security>pki
[no] ca-profile
certificate-display-format
[no] certificate-expiration-warning hours
[no] crl-expiration-warning
[no] maximum-cert-chain-depth
config>system>security>tls
[no] trust-anchor-profile
[no] client-tls-profile
    [no] cipher-list
    [no] shutdown
    [no] trust-anchor-profile

The following displays a TLS trust anchor configuration example:

*B:SeGW-1>config>system>security>pki# info
----------------------------------------------
        ca-profile “tls-server-1-ca" create
            cert-file “tls-1-Root-CERT"
            crl-file “tls-1-CRL-CERT“
            no shutdown
        exit
----------------------------------------------
*A:SwSim8>config>system>security>tls# info
----------------------------------------------
        trust-anchor-profile "server-1-ca" create
            trust-anchor "tls-server-1-ca"
        exit
        client-tls-profile "server-1-profile" create
            cipher-list "to-active-server"
            trust-anchor-profile "server-1-ca"
            no shutdown
        exit
----------------------------------------------
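The trust anchor and client profile examples above only work together when every name resolves: the client-tls-profile must point at an existing client-cipher-list and trust-anchor-profile, and the trust-anchor-profile must point at a ca-profile defined under pki. The following added example (not from the original documentation or the vendor) parses the "info" output shown on this page and reports dangling references, plus any configured cipher suite that uses RSA key transport rather than an (EC)DHE exchange and therefore offers no forward secrecy. The sample configuration embedded in it is constructed from this page's examples.

```python
import re

# Constructed sample: the pki and tls 'info' output from this page, concatenated.
SAMPLE_CONFIG = """\
        ca-profile "tls-server-1-ca" create
            cert-file "tls-1-Root-CERT"
        exit
        trust-anchor-profile "server-1-ca" create
            trust-anchor "tls-server-1-ca"
        exit
        client-cipher-list "to-active-server" create
            cipher 1 name tls-rsa-with-aes256-cbc-sha256
            cipher 2 name tls-rsa-with-aes128-cbc-sha256
        exit
        client-tls-profile "server-1-profile" create
            cipher-list "to-active-server"
            trust-anchor-profile "server-1-ca"
            no shutdown
        exit
"""
def parse_blocks(text):
    # Group 'info' output into {block_type: {name: [body lines]}} using create/exit pairs.
    blocks, body = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^(\S+) "([^"]+)" create$', line)
        if m:
            body = blocks.setdefault(m.group(1), {}).setdefault(m.group(2), [])
        elif line == "exit":
            body = None
        elif body is not None and line:
            body.append(line)
    return blocks
def audit(text):
    # Report dangling cross-references and cipher suites without forward secrecy.
    b, out = parse_blocks(text), []
    for name, body in b.get("trust-anchor-profile", {}).items():
        for ca in (l.split('"')[1] for l in body if l.startswith("trust-anchor ")):
            if ca not in b.get("ca-profile", {}):
                out.append(f"trust-anchor-profile {name}: ca-profile {ca} not defined")
    for name, body in b.get("client-tls-profile", {}).items():
        refs = {l.split()[0]: l.split('"')[1] for l in body if '"' in l}
        for key, block in (("cipher-list", "client-cipher-list"), ("trust-anchor-profile", "trust-anchor-profile")):
            if refs.get(key) not in b.get(block, {}):
                out.append(f"client-tls-profile {name}: {key} {refs.get(key)} not defined")
    for name, body in b.get("client-cipher-list", {}).items():
        for suite in (l.split()[-1] for l in body if l.startswith("cipher ")):
            if not re.search(r"-(ecdhe|dhe)-", suite):  # RSA key transport: no PFS
                out.append(f"client-cipher-list {name}: {suite} has no forward secrecy")
    return out
```

Run audit() over the concatenated "info" output of the pki and tls contexts; an empty list means all references resolve and every cipher uses an ephemeral key exchange.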