Vyatta NOS documentation


generate vpn x509 key-pair <name> private-key

Generates an X.509 private key file and a certificate signing request file.

generate vpn x509 key-pair name private-key [ ecdsa | rsa ]
name
The name to be used for the X.509 private key file and certificate signing request file. The private key file will be called /config/auth/name.key and the certificate signing request file will be called /config/auth/name.csr.

Operational mode

Use this command to generate an X.509 private key file and a certificate signing request file. If rsa is specified, or no private key option is specified, an RSA key is generated. If ecdsa is specified, an ECDSA key is generated.

The private key file is required for configuring a VPN for X.509 authentication (see security vpn ipsec site-to-site peer <peer> authentication x509 key file <file-name>). The certificate signing request file must be sent to a certificate authority (CA). In return, the CA will provide a server certificate (e.g. name.crt), a CA certificate (e.g. ca.crt), and, potentially, a certificate revocation list (.crl) file. This procedure varies according to the CA being used. The files returned are also used to configure a VPN for X.509 authentication (see security vpn ipsec site-to-site peer <peer> authentication x509 cert-file <file-name> for specifying the server certificate, security vpn ipsec site-to-site peer <peer> authentication x509 ca-cert-file <file-name> for specifying the CA certificate, and security vpn ipsec site-to-site peer <peer> authentication x509 crl-file <file-name> for specifying the certificate revocation list).

This example generates an X.509 private key file and a certificate signing request file. The private key file will be called /config/auth/name.key and the certificate signing request file will be called /config/auth/name.csr.

vyatta@vyatta:~$ generate vpn x509 key-pair mykey
Generating a 1024 bit RSA private key
..............++++++
.................................................++++++
writing new private key to '/config/auth/mykey.key1'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:us
State Name []:ca
Locality Name (eg, city) []:San Jose
Organization Name (eg, company) []:Ciena
Organizational Unit Name (eg, department) []:Pubs
Common Name (eg, Device hostname) []:sys05
Email Address []:admin@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password (optional) []:
writing RSA key
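
A pre-submission check for the key pair and certificate signing request described above, as an added example that is not part of the Vyatta documentation. It confirms that the CSR is self-consistent, belongs to the private key, and meets a minimum key size (the sample session reports a 1024 bit RSA key). The function name audit_csr and the minimum sizes are assumptions, and the standard openssl command-line tool is assumed to be available where the files are checked.

```shell
#!/bin/sh
# Added example (not Vyatta code): audit a key/CSR pair before sending the CSR to a CA.
# Usage: sh audit_csr.sh /config/auth/name.key /config/auth/name.csr
# Assumption: the minimum key sizes below are common practice, not Vyatta defaults.
MIN_RSA_BITS=2048
MIN_EC_BITS=256

audit_csr() {
    key=$1; csr=$2; rc=0
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null) || {
        echo "FAIL: cannot parse CSR $csr"; return 2; }

    # 1. The CSR self-signature proves the requester holds the private key.
    #    Match on the message: some OpenSSL versions exit 0 even on failure.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "FAIL: CSR self-signature does not verify"; rc=1; }

    # 2. The CSR must carry the public half of this private key.
    want=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    have=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
    [ -n "$want" ] && [ "$want" = "$have" ] ||
        { echo "FAIL: CSR public key does not match $key"; rc=1; }

    # 3. Key strength: read the algorithm and size from the CSR text.
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    case $text in
        *rsaEncryption*)  min=$MIN_RSA_BITS ;;
        *id-ecPublicKey*) min=$MIN_EC_BITS ;;
        *) min=0; echo "WARN: unrecognized key algorithm" ;;
    esac
    if [ -z "$bits" ] || [ "$bits" -lt "$min" ]; then
        echo "FAIL: weak key (${bits:-unknown} bit, minimum $min)"; rc=1
    fi

    # 4. The private key must not be accessible to group or other.
    perms=$(ls -ld "$key" | cut -c5-10)
    [ "$perms" = "------" ] ||
        { echo "FAIL: $key is accessible to group/other ($perms)"; rc=1; }

    # 5. Print the subject so the Common Name can be checked by eye.
    openssl req -in "$csr" -noout -subject 2>/dev/null
    return $rc
}

# Run the audit when both file names are given on the command line.
if [ "$#" -eq 2 ]; then audit_csr "$1" "$2"; fi
```

A non-zero exit status means at least one check failed; each failure is reported on its own FAIL line.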