RESTCONF Certificate Shortcut
There is a shortcut command which can generate a basic set of PKI entries for
use with the RESTCONF Server: pki generate-restconf-certs. This
shortcut command creates a CA, a server certificate, and a client certificate
for the tnsr user.
Note
This command is intended for a rapid basic setup and does not offer complete flexibility over various PKI entry options. For complete control over the CA and certificate structure, create the entries manually.
Results
The PKI structure created by the pki generate-restconf-certs command has the
following entries:
CA
    Name: restconf-CA
    Common name: restconf-CA
Server certificate
    Name: restconf
    Common name: Hostname of the TNSR installation
Client certificate
    Name: restconf-client
    Common name: tnsr (for the default tnsr user)
Tip
To add a client certificate for an additional user, create a new private key
(Key Management) and signing request (Certificate Signing Request Management), then sign that request with
the restconf-CA CA (Using a CA to sign a CSR).
Parameters
The pki generate-restconf-certs command has two optional parameters:
length (2048|3072|4096): Specifies the length of the private keys the command generates for each entry. The default value is 2048 bits.
subject-alt-names <addresses>: A list of up to eight alternative names to place in the server certificate. Each entry can be an IP address or hostname.
Examples
Create the basic structure with all default values:
tnsr(config)# pki generate-restconf-certs
Create a set of certificates with stronger private keys and a SAN entry for the host management IP address:
tnsr(config)# pki generate-restconf-certs length 4096 subject-alt-names 198.51.100.2
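One way to audit a certificate set shaped like the one described under Results, once it is available as PEM files, is with openssl. This is an added example, not part of the TNSR documentation. The function names, file paths, and the hostname tnsr.example.com are assumptions, and make_sample_pki only builds constructed stand-in data.

```shell
# Added example: audit a RESTCONF certificate set (PEM files) with openssl.
# Paths are assumptions; point them at wherever the certificates were exported.

# check_restconf_pki CA SERVER CLIENT MIN_BITS SAN -> returns 0 only if all pass
check_restconf_pki() {
    ca=$1; server=$2; client=$3; min_bits=$4; san=$5; rc=0
    # 1. Server and client certificates must both chain to the CA.
    openssl verify -CAfile "$ca" "$server" "$client" >/dev/null 2>&1 ||
        { echo "FAIL: chain does not verify against $ca"; rc=1; }
    # 2. The client common name must be tnsr (the default user on this page).
    openssl x509 -in "$client" -noout -subject -nameopt multiline |
        grep -q 'commonName *= tnsr$' ||
        { echo "FAIL: client CN is not tnsr"; rc=1; }
    # 3. The server certificate must list the expected SAN (hostname or IP).
    openssl x509 -in "$server" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed 's/^ *//' |
        grep -Fxq -e "DNS:$san" -e "IP Address:$san" ||
        { echo "FAIL: SAN $san missing from server certificate"; rc=1; }
    # 4. Every key must be at least MIN_BITS long (2048, 3072 or 4096).
    for f in "$ca" "$server" "$client"; do
        bits=$(openssl x509 -in "$f" -noout -text |
               sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
        [ "${bits:-0}" -ge "$min_bits" ] ||
            { echo "FAIL: $f key is ${bits:-?} bits, expected >= $min_bits"; rc=1; }
    done
    return $rc
}

# Constructed sample data: a throwaway CA, server and client set for testing
# the check. The SAN file is applied to both leaf certificates for brevity.
make_sample_pki() {
    d=$1; bits=$2; san=$3
    openssl req -x509 -newkey "rsa:$bits" -nodes -days 1 -subj "/CN=restconf-CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    printf 'subjectAltName=IP:%s\n' "$san" > "$d/san.ext"
    for pair in restconf:tnsr.example.com restconf-client:tnsr; do
        name=${pair%%:*}; cn=${pair#*:}
        openssl req -newkey "rsa:$bits" -nodes -subj "/CN=$cn" \
            -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
        openssl x509 -req -in "$d/$name.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
            -CAcreateserial -days 1 -extfile "$d/san.ext" -out "$d/$name.pem" 2>/dev/null
    done
}
```

Running check_restconf_pki with a MIN_BITS of 4096 against a set generated with the default length reports each 2048-bit key as a failure.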