Closed EricRemote closed 3 years ago
Hi Eric, thanks for your kind words about the projects I've been involved with.
As to the certs, the containerlab tools cert command uses a generic library from cloudflare to generate the CA/cert, so there is nothing SR OS specific.
The only field that is definitely needed is the subjectAltName, which needs to point either to the management IP or the dns name of the routers.
I see ! Thanks for the info and quick reply, I’ll try to just go with this parameter only :)
Hello there,
first, thanks for all your work whether it's on Containerlab / gNMIc / Nokia SR OS, it's much appreciated !
Background : I'm working on different telemetry solutions to compare, study capabilities, configuration, etc... We are working with Cisco/Nokia/Juniper routers and different collectors (gNMIc, Telegraf, Pipeline, JTImon).
I wanted to add TLS on our Nokia environment and make it work with gNMIc. I first did it by hand as I was kind of familiar with how to do this and already had our "standard" documentation prepared for such cases, but it didn't work.
I then came across your lab "Securing gNMI with TLS". For the certificate creation, you use the "tools cert" command and it seemed really simple ! I downloaded clabs and used it just for my certificate creation, continued the lab guide and everything worked perfectly. I wanted to know what was different between your certificates and mine, and it seems like you use the v3 extensions. I found out that the following options are the ones that make my certificates look like the ones that are from the "tools cert" command :
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
subjectAltName = DNS:_routerhostname, IP:_routerip
With such parameters + my usual method, everything works fine !
Now, the thing is, I didn't find anything stating that such parameters are required in the Nokia SR OS Manual (maybe I didn't look correctly). So I wanted to know if these parameters are required by Nokia SR OS or gNMIc OR maybe something different ?
Are all these parameters required or just a few of them (which ones ?) ?
I'm sorry to post this here, maybe it would have fit best in the gNMIc GitHub, but as it was linked to your "tools cert" command I thought this was maybe the best place :)
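The reply's point that subjectAltName is the field that matters can be reproduced with Go's crypto/x509 package, which Go TLS clients use for name matching (gNMIc is written in Go). This is an added example, not code from containerlab or gNMIc; the hostname sr1 and the address 172.20.20.2 are constructed, and the certificates are self-signed because only the name-matching step is shown.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue self-signs a throwaway certificate (constructed test data); dns and ips become the SAN.
func issue(cn string, dns []string, ips []net.IP) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     dns,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// accepts reports whether Go's name check passes for the address the client dials.
func accepts(cert *x509.Certificate, target string) bool {
	return cert.VerifyHostname(target) == nil
}

func main() {
	cnOnly, err1 := issue("sr1", nil, nil)
	withSAN, err2 := issue("sr1", []string{"sr1"}, []net.IP{net.ParseIP("172.20.20.2")})
	if err1 != nil || err2 != nil {
		panic(fmt.Sprint(err1, err2))
	}
	for _, target := range []string{"sr1", "172.20.20.2"} {
		fmt.Printf("dial %-12s CN-only=%v SAN=%v\n", target, accepts(cnOnly, target), accepts(withSAN, target))
	}
}
```

The certificate with only a CommonName is rejected for both targets, and a SAN has to contain the exact form (DNS name or IP) that the collector dials.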