Cisco Broadband Access Center for Cable 4.0
Cisco Broadband Access Center for Cable Administrator’s Guide
OL-2445-02
Chapter 8 Broadband Access Center for Cable Support Tools and Advanced Concepts
Managing KDC Certificates with the PKCert Tool
Note
If you encounter difficulty using any of these options, you can specify a -? option to display all
available help information on your computer screen.
• [option]—Implements optional functions that are dependent on the function selected above.
When you run the PKCert command, it will print a list of all errors encountered while performing the
requested activities. You can use this printout to troubleshoot any problems that may have occurred.
Creating a KDC Certificate
Enter this command, from the /opt/CSCObpr/kdc directory, to create the KDC certificate:
PKCert.sh -s <dir> -d <dir> -c <cert> -r <realm> -a <name> -k <keyFile> [-n <serial>] [-o]
Where:
• -a <name>—specifies the DNS name of the KDC
• -c <Cert File>—uses the service provider certificate (DER encoded)
• -d <directory>—specifies the destination directory
• -k <Key File>—uses the service provider private key (DER encoded)
• -n <Serial#>—sets the certificate serial number
• -o—overwrites existing files
• -r <Realm>—specifies the Kerberos realm for the KDC certificate
• -s <directory>—specifies the source directory
When a new certificate is created and installed, the new certificate identifies the realm in the subject
alternate name field. The new certificate is unique to its current environment in that it contains:
• The KDC realm
• The DNS name associated with this KDC that the MTA will use.
For example:
PKCert.sh -c "-s . \
-d /opt/CSCObpr/kdc/solaris/packetcable/certificates \
-k CLCerts/Test_LSCA_privkey.der \
-c CLCerts/Test_LSCA.cer \
-r PCTEST.CISCO.COM \
-n 100 \
-a kdc.pctest.cisco.com \
-o"
This command creates the files /opt/CSCObpr/kdc/solaris/packetcable/certificates/KDC.cer and
/opt/CSCObpr/kdc/solaris/packetcable/certificates/KDC_private_key.pkcs8. The KDC certificate will
have its realm set to PCTEST.CISCO.COM, its serial number set to 100, and the KDC server’s FQDN
set to kdc.pctest.cisco.com.
Note
A console message is displayed after the successful completion of the command indicating that the file
/opt/CSCObpr/kdc/solaris/packetcable/certificates/KDC_private_key.pkcs8 must be copied to
/opt/CSCObpr/kdc/solaris/KDC_private_key.pkcs8. The command line option -o tells the utility that it
should overwrite any pre-existing files.
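The copy step named in the console message, written as a checked shell function. This is an added example, not part of the Cisco guide or the PKCert tooling; the function name install_kdc_key and the owner-only (0600) permission on the key are assumptions the guide does not state.

```shell
#!/bin/sh
# Added example: copy the private key that PKCert.sh generated into the
# directory the console message names, with sanity checks on the way.

# install_kdc_key CERT_DIR KDC_DIR   (hypothetical helper)
#   CERT_DIR: destination directory that was passed to PKCert.sh with -d
#   KDC_DIR:  directory the console message says the key must be copied to
install_kdc_key() {
    cert_dir=$1
    kdc_dir=$2
    key_name=KDC_private_key.pkcs8

    # Both output files must exist and be non-empty before anything is copied.
    for f in "$cert_dir/KDC.cer" "$cert_dir/$key_name"; do
        if [ ! -s "$f" ]; then
            echo "missing or empty: $f" >&2
            return 1
        fi
    done
    [ -d "$kdc_dir" ] || { echo "no such directory: $kdc_dir" >&2; return 1; }

    # Assumption: the key should be readable by its owner only. Copy under
    # umask 077 so the file is never group- or world-readable, even briefly.
    ( umask 077 && cp "$cert_dir/$key_name" "$kdc_dir/$key_name.tmp" ) || return 1
    chmod 600 "$kdc_dir/$key_name.tmp" || return 1

    # Confirm the copy is byte-identical before moving it into place.
    if ! cmp -s "$cert_dir/$key_name" "$kdc_dir/$key_name.tmp"; then
        rm -f "$kdc_dir/$key_name.tmp"
        echo "copy does not match source" >&2
        return 1
    fi
    mv -f "$kdc_dir/$key_name.tmp" "$kdc_dir/$key_name"
}

# Usage with the paths from the example above:
# install_kdc_key /opt/CSCObpr/kdc/solaris/packetcable/certificates \
#                 /opt/CSCObpr/kdc/solaris
```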