Manage Server Access to ENF


Servers, whether on-prem, in the cloud, or virtual, are usually set up one at a time – either manually or via an orchestration tool such as Ansible or AWS Certificate manager. The ENF supports these flows by allowing you to specify the access credentials (i.e., public key) for each server.

This guide walks through the tools used to create a server identity and manage its access credentials.


Endpoint Identity

Each endpoint, whether a device or server, on the ENF is identified by its IPv6 address. The IPv6 address is assigned to the endpoint when it is provisioned and stays with the device no matter where it is moved.

Key Pair

A public/private key pair is created for each server. The public key is uploaded to the ENF as the authentication credential for the server. The private key remains on the server.


Servers use self-signed X.509 certificates to authenticate to the ENF. The certificate is signed by the key pair and kept with the server. When connecting, the server uses the certificate and private key to authenticate to the ENF.


  • enfcli needs to be installed. For help, see the Getting Started Tutorial.
  • User has either NETWORK_ADMIN or DOMAIN_ADMIN account.
  • Commands are issued from enfcli
    > enfcli --host <client-domain> --user <admin@account>
  • ENFTUN needs to be installed. For help, see the Physical Server connection how-to article.

Connecting to the ENF

The three main steps to provisioning a server on the ENF are:

  • generating a public/private key pair
  • generating a certificate
  • assigning a server identity using the certificate

The enftun-keygen tool, described in how-to guides for connecting Docker containers, virtual machines, and physical servers combines these steps for an easy way to manually provision a server. It’s a great choice for manually provisioning a server, but it may not be well-suited for automated deployments. Some organizations have their own key-generation methods and will not use the Xaptum key generation tools.

This guide describes how to use the enfcli IAM commands to accomplish these same steps individually. These methods can be easily integrated into an existing workflow for managing server certificates and credentials.

This sequence is written for manual execution, but may be easily modified for automation.

Generate Keys

This tutorial will generate the keys in ~/enf0-keys and copy them into the correct location after creating the certificate. You can follow this example or generate the keys in a location appropriate for your internal procedures and policies.

  1. Run the enfcli.

  2. Create a new key pair in the local directory.

    > iam create-endpoint-key --key-out-file=enf0.key.pem --public-key-out-file=enf0.pubkey.pem
    Created enf0.key.pem
    Created enf0.pubkey.pem

Generate a Server Certificate

The common name (CN) in the certificate must be the identity (IPv6 address) of the server. If you haven’t already, pick an address for the server. The iam create-endpoint-cert command will create and sign the certificate.

> iam create-endpoint-cert --cert-out-file=enf0.crt.pem --identity=2607:8f80:8080:b::deb:c004 --key-in-file=enf0.key.pem
Created /home/jqpublic/enf0-keys/enf0.crt.pem

Assign a Server Identity & Associate Certificate

The next step is to create the new identity in the ENF and associate the newly generated certificate. The iam create-endpoint-from-cert command uses the information stored in the certificate to accomplish both of these tasks. If you are just updating the certificate for an existing server, skip ahead to the Updating Endpoint Certificates section.

> iam create-endpoint-from-cert --cert-in-file=enf0.crt.pem
Created new ipv6 endpoint 2607:8f80:8080:b::deb:c005

The newly created identity will be visible in the dashboard.

Install Private Key and Certificate

For the server to connect to the ENF, the private key and the generated certificate must be placed in /etc/enftun/enf0

Create the /etc/enftun/enf0 directory if it does not exist.

$ sudo mkdir -p /etc/enftun/enf0

Copy the private key and certificate

$ sudo cp ~/enf0-keys/enf0.key.pem /etc/enftun/enf0
$ sudo cp ~/enf0-keys/enf0.crt.pem /etc/enftun/enf0

Updating Endpoint Certificates

From time to time, it is necessary to update endpoint certificates. By default, the certificates created by the Xaptum tools expire one year from creation. Also, rotating passwords and renewing certificates is a security best-practice.

The following commands are executed from enfcli.

  1. Generate a new key pair and certificate as described above. Be sure to use the same identity (IPv6 address).

  2. Install the private key and certificate as described above.

  3. Update the endpoint certificate.
    > iam update-endpoint-cert --cert-in-file=enf0.crt.pem
    Updated 2607:8f80:8080:b::deb:c004 credentials!
  4. Verify that the server is connected to the ENF. For instructions, see the Verify Connection section of the Docker Container how-to.

Didn't find what you were looking for?

Contact us and we’ll get back to you as soon as possible.

Contact Us