GE 1019071 Network Card User Manual


 
On the console interface inject the ssl-fingerprint command. Below is a sample output of the ssl-
fingerprint command:
GEDE> ssl-fingerprint
MD5 Fingerprint=8F:A1:CE:8B:B3:04:E7:07:90:6D:02:77:6F:EE:9E:22
SHA1 Fingerprint=F5:D2:CA:27:BF:DA:98:31:39:6F:18:8C:C5:9C:BC:6C:D3:62:15:AC
It can be seen that the thumbprint shown by the web browser (with thumbprint algorithm shown as
sha1) matches the SHA1 fingerprint as shown by the ssl-fingerprint command.
Furthermore, the SNMP/Web adapters are provided with two different certificates: the server certificate
and the CA Root Certificate (the latter has been used to sign the server certificate). The server certificate
does not have the digital signature of a commercial CA, trusted by the browser. By installing the CA Root
Certificate in the trusted CA repository, the web browser will not show the security warning about
trusting the Certificate Authority.
The CA Root Certificate can be downloaded from the embedded web server (in the Utility section), and
then it can be installed in the trusted CA repository.
NOTE: It is not mandatory to install the CA Root Certificate – installing it will prevent the browser from
generating a security warning message.
Finally, the server certificate’s common name will not match the DNS name or the IP address of the
SNMP/Web adapter. Although the communication is secure, with the adapter controlling the access to
the web interface and the client being able to verify the fingerprint/thumbprint of the certificate, the
browser may still issue a warning.
In order to clear this final warning the user may generate a new server certificate so that the common
name matches the DNS name / IP address of the SNMP/Web adapter. The server certificate is generated
by injecting the makecert <sitename> command over the console interface (this command is available
only to the supervisor), when the <sitename> parameter must obviously match the DNS name / IP
address of the adapter. In order to start using the new certificate the SNMP/Web adapter must be
rebooted.
NOTE: The new certificate will overwrite the existing one. This operation is not reversible.
Modifications reserved Page 48/58
OPM_CNT_SNM_BAS_CRD_1GB_V012.doc Operating Manual SNMP/Web Adapter