Servers, whether on-prem, in the cloud, or virtual, are usually set up one at a time, either manually or with automation tooling such as Ansible or AWS Certificate Manager. The ENF supports these flows by allowing you to specify the access credential (i.e., the public key) for each server.
This guide walks through the tools used to create a server identity and manage its access credentials.
Each endpoint, whether a device or server, on the ENF is identified by its IPv6 address. The IPv6 address is assigned to the endpoint when it is provisioned and stays with the device no matter where it is moved.
A public/private key pair is created for each server. The public key is uploaded to the ENF as the authentication credential for the server. The private key remains on the server.
Servers use self-signed X.509 certificates to authenticate to the ENF. The certificate is signed with the server's own private key and kept with the server. When connecting, the server uses the certificate and private key to authenticate to the ENF.
enfcli needs to be installed. For help, see the Getting Started Tutorial. Start it with your account administrator credentials. In the rest of this guide, commands shown with a > prompt are entered at the enfcli prompt, and commands shown with a $ prompt are run in the system shell.
> enfcli --host <client-domain>.xaptum.io --user <admin@account>
The three main steps to provisioning a server on the ENF are: generate a key pair for the server, create a self-signed certificate whose common name (CN) is the server's IPv6 identity, and register that certificate with the ENF as the new endpoint's credential.

The enftun-keygen tool, described in the how-to guides for connecting virtual machines and other servers, combines these steps for an easy way to manually provision a server. It is a great choice for manually provisioning a server, but it may not be well suited to automated deployments, and some organizations have their own key-generation methods and will not use the Xaptum key-generation tools.
This guide describes how to use the enfcli IAM commands to accomplish these same steps individually. These methods can be easily integrated into an existing workflow for managing server certificates and credentials.
This sequence is written for manual execution, but may be easily modified for automation.
This tutorial generates the keys in ~/enf0-keys and copies them into the correct location after creating the certificate. You can follow this example or generate the keys in a location appropriate for your internal procedures and

Create a new key pair in the local directory (here, ~/enf0-keys, the directory enfcli was started from).
> iam create-endpoint-key --key-out-file=enf0.key.pem --public-key-out-file=enf0.pubkey.pem
Created enf0.key.pem
Created enf0.pubkey.pem
The common name (CN) in the certificate must be the identity (IPv6 address) of
the server. If you haven’t already, pick an address for the server. The
create-endpoint-cert command will create and sign the certificate.
> iam create-endpoint-cert --cert-out-file=enf0.crt.pem --identity=2607:8f80:8080:b::deb:c004 --key-in-file=enf0.key.pem
Created /home/jqpublic/enf0-keys/enf0.crt.pem
The next step is to create the new identity in the ENF and associate the newly
generated certificate. The
iam create-endpoint-from-cert command uses the
information stored in the certificate to accomplish both of these tasks.
If you are just updating the certificate for an existing server, skip ahead to
the Updating Endpoint Certificates section.
> iam create-endpoint-from-cert --cert-in-file=enf0.crt.pem
Created new ipv6 endpoint 2607:8f80:8080:b::deb:c004
The newly created identity will be visible in the
For the server to connect to the ENF, the private key and the generated certificate must be placed in /etc/enftun/enf0. Create the /etc/enftun/enf0 directory if it does not exist.
$ sudo mkdir -p /etc/enftun/enf0
Copy the private key and certificate into place. The private key should be readable only by the user that runs enftun.
$ sudo cp ~/enf0-keys/enf0.key.pem /etc/enftun/enf0
$ sudo cp ~/enf0-keys/enf0.crt.pem /etc/enftun/enf0
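The guide notes above that some organizations use their own key-generation methods rather than iam create-endpoint-key and iam create-endpoint-cert. The script below is an added example and is not part of the Xaptum documentation or tooling. It produces the same artifacts with openssl (a private key and a self-signed certificate whose CN is the endpoint's IPv6 identity), checks the certificate before it is handed to iam create-endpoint-from-cert, and installs the files into /etc/enftun/enf0 with explicit permissions. It assumes, because the page does not say, that the ENF accepts an ECDSA P-256 key and a self-signed certificate whose only identity field is the CN, and that enftun runs as root so a 0600 key is readable by it; the one-year validity matches the default of the Xaptum tools.

```shell
#!/bin/sh
# Added example, not Xaptum code: build and check an ENF server credential
# with openssl instead of the enfcli `iam create-endpoint-key` /
# `iam create-endpoint-cert` commands.
#
# Assumptions (the page does not state them): the ENF accepts an ECDSA P-256
# key and a self-signed certificate whose only identity field is
# CN=<IPv6 address>; enftun runs as root, so a 0600 key is readable by it.
# The 365-day validity matches the default of the Xaptum tools.

# make_enf_credential <ipv6-identity> <outdir>
# Writes <outdir>/enf0.key.pem (private key) and <outdir>/enf0.crt.pem
# (self-signed certificate with CN = identity).
make_enf_credential() {
    identity=$1; outdir=$2
    mkdir -p "$outdir"
    openssl ecparam -name prime256v1 -genkey -noout -out "$outdir/enf0.key.pem"
    chmod 0600 "$outdir/enf0.key.pem"   # the private key never leaves this host
    openssl req -new -x509 -sha256 -days 365 \
        -key "$outdir/enf0.key.pem" -subj "/CN=$identity" \
        -out "$outdir/enf0.crt.pem"
}

# cert_identity <crt>
# Prints the CN of the certificate subject: the identity the ENF will register.
cert_identity() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -e 's/^subject= *//' -e 's/^CN=//'
}

# check_enf_credential <ipv6-identity> <key> <crt>
# Run this before `iam create-endpoint-from-cert`. Prints "ok", or the first
# failing check, and returns non-zero on failure.
check_enf_credential() {
    identity=$1; key=$2; crt=$3
    got=$(cert_identity "$crt")
    # 1. The CN must be exactly the address you intend to register.
    if [ "$got" != "$identity" ]; then
        echo "cn-mismatch: certificate has '$got', expected '$identity'"; return 1
    fi
    # 2. The certificate must carry the public half of the key that will be
    #    installed with it; otherwise the server can never authenticate.
    if [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" != \
         "$(openssl x509 -in "$crt" -noout -pubkey)" ]; then
        echo "key-mismatch: certificate public key does not belong to $key"; return 1
    fi
    # 3. The self-signature must verify (the cert is its own trust anchor).
    if ! openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1; then
        echo "bad-signature: certificate is not a valid self-signed certificate"; return 1
    fi
    # 4. Not expired, and not within 30 days of expiring (Xaptum-issued
    #    certificates expire one year after creation).
    if ! openssl x509 -in "$crt" -noout -checkend $((30 * 24 * 3600)) >/dev/null; then
        echo "expiring: renew and run iam update-endpoint-cert"; return 1
    fi
    echo ok
}

# install_enf_credential <srcdir> [destdir]
# Same copy the guide performs, with explicit modes: key 0600, cert 0644.
install_enf_credential() {
    src=$1; dest=${2:-/etc/enftun/enf0}
    install -d -m 0755 "$dest"
    install -m 0600 "$src/enf0.key.pem" "$dest/enf0.key.pem"
    install -m 0644 "$src/enf0.crt.pem" "$dest/enf0.crt.pem"
}

# Usage: sh enf-cred.sh make <identity> <dir>
#        sh enf-cred.sh check <identity> <key> <crt>
#        sudo sh enf-cred.sh install <dir> [dest]
case "${1:-}" in
    make)    shift; make_enf_credential "$@" ;;
    check)   shift; check_enf_credential "$@" ;;
    install) shift; install_enf_credential "$@" ;;
esac
```

The check catches the two mistakes that silently break a server: a CN that differs from the address being registered (the ENF would create or update the wrong endpoint), and a certificate whose public key does not belong to the private key that gets installed (the server would never be able to authenticate). The expiry check is the same one you would put in a cron job to drive the renewal procedure described in the next section.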
From time to time, it is necessary to update endpoint certificates. By default, the certificates created by the Xaptum tools expire one year from creation. Rotating keys and renewing certificates on a schedule is also a security best practice.
The following commands are executed from
Generate a new key pair and certificate for the same identity as described above, then register the new certificate with the ENF:
> iam update-endpoint-cert --cert-in-file=enf0.crt.pem
Updated 2607:8f80:8080:b::deb:c004 credentials!
Finally, install the new private key and certificate on the server as described above.