RESTCONF Certificate Shortcut
There is a shortcut command which can generate a basic set of PKI entries for
use with the RESTCONF Server: pki generate-restconf-certs. This shortcut
command creates a CA, a server certificate, and a client certificate for the
tnsr user.
Note
This command is intended for a rapid basic setup and does not offer complete flexibility over various PKI entry options. For complete control over the CA and certificate structure, create the entries manually.
Results
The PKI structure created by the pki generate-restconf-certs command has the
following entries:
CA
  Name: restconf-CA
  Common name: restconf-CA
Server certificate
  Name: restconf
  Common name: Hostname of the TNSR installation
Client certificate
  Name: restconf-client
  Common name: tnsr (for the default tnsr user)
Tip
To add a client certificate for an additional user, create a new private key
(Key Management) and signing request (Certificate Signing Request Management),
then sign that request with the restconf-CA CA (Using a CA to sign a CSR).
Parameters
The pki generate-restconf-certs command has two optional parameters:
length (2048|3072|4096):
  Specifies the length of the private keys the command generates for each entry. The default value is 2048 bits.
subject-alt-names <addresses>:
  A list of up to eight alternative names to place in the server certificate. Each entry can be an IP address or hostname.
Examples
Create the basic structure with all default values:
tnsr(config)# pki generate-restconf-certs
Create a set of certificates with stronger private keys and a SAN entry for the host management IP address:
tnsr(config)# pki generate-restconf-certs length 4096 subject-alt-names 198.51.100.2
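As an added illustration (not part of the TNSR documentation or TNSR code), this Python pre-flight check validates values against the limits in the Parameters section before an automation tool sends the command. The function names are hypothetical, and multiple subject-alt-names entries are assumed to be space-separated, which this page does not show.

```python
import ipaddress
import re

# Limits taken from the Parameters section of this page.
ALLOWED_LENGTHS = (2048, 3072, 4096)
MAX_SANS = 8
# One DNS label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def classify_san(entry):
    """Return 'ip' or 'hostname' for one SAN entry, or raise ValueError."""
    try:
        ipaddress.ip_address(entry)
        return "ip"
    except ValueError:
        pass
    labels = entry.split(".")
    if len(entry) > 253 or not all(_LABEL.fullmatch(label) for label in labels):
        raise ValueError(f"not an IP address or hostname: {entry!r}")
    # An all-numeric final label is a mistyped IPv4 address (for example
    # 198.51.100.256), not a name any client would resolve.
    if labels[-1].isdigit():
        raise ValueError(f"looks like a malformed IPv4 address: {entry!r}")
    return "hostname"


def build_command(length=None, sans=()):
    """Return the CLI line, rejecting values the page does not allow."""
    parts = ["pki", "generate-restconf-certs"]
    if length is not None:
        if length not in ALLOWED_LENGTHS:
            raise ValueError(f"length must be one of {ALLOWED_LENGTHS}")
        parts += ["length", str(length)]
    sans = list(sans)
    if len(sans) > MAX_SANS:
        raise ValueError(f"at most {MAX_SANS} subject-alt-names allowed")
    if len(set(s.lower() for s in sans)) != len(sans):
        raise ValueError("duplicate subject-alt-names entry")
    for entry in sans:
        classify_san(entry)
    if sans:
        # Assumption: entries are space-separated; the page shows one entry.
        parts += ["subject-alt-names", *sans]
    return " ".join(parts)


if __name__ == "__main__":
    print(build_command(4096, ["198.51.100.2"]))
```

A mistyped address such as 198.51.100.256 is rejected here rather than passed through as a hostname; whether the TNSR CLI performs the same check is not stated on this page.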