Product Documentation

Create a FIPS key for an instance on an SDX 14030/14060/14080 FIPS appliance

You can create a FIPS key on your instance or import an existing FIPS key into the instance. An SDX 14030/14060/14080 FIPS appliance supports only 2048-bit and 3072-bit keys and an exponent value of F4. For PEM keys, an exponent is not required. Verify that the FIPS key is created correctly. Create a certificate signing request and a server certificate. Finally, add the certificate-key pair to your instance.

Note:

1024-bit and 4096-bit keys and an exponent value of 3 are not supported.

Create a FIPS key by using the CLI

At the command prompt, type:

create ssl fipsKey <fipsKeyName> -keytype ( RSA | ECDSA ) [-exponent (3 | F4 )] [-modulus <positive_integer>] [-curve ( P_256 | P_384 )]

Example:

create fipsKey f1 -keytype RSA -modulus 2048 -exponent F4

Done

show ssl fipskey ddvws

FIPS Key Name: f1  Key Type: RSA Modulus: 2048   Public Exponent: F4 (Hex: 0x10001)

Done

Import a FIPS key by using the CLI

At the command prompt, type:

import ssl fipsKey <fipsKeyName> -key <string> [-inform <inform>] [-wrapKeyName <string>] [-iv<string>] [-exponent F4 ]

Example:

import fipskey Key-FIPS-2 -key Key-FIPS-2.key -inform SIM -exponent F4
Done
import fipskey Key-FIPS-2 -key Key-FIPS-2.key -inform PEM
Done

Verify that the FIPS key is created or imported correctly by running the show fipskey command.

show fipskey
1)      FIPS Key Name: Key-FIPS-2
Done

Create a certificate signing request by using the CLI

At the command prompt, type:

create ssl certReq <reqFile> (-keyFile <input_filename> | -fipsKeyName <string>) [-keyform ( DER | PEM )  {-PEMPassPhrase }] -countryName <string> -stateName <string> -organizationName<string> [-organizationUnitName <string>] [-localityName <string>] [-commonName <string>] [-emailAddress <string>] {-challengePassword } [-companyName <string>] [-digestMethod ( SHA1 | SHA256 )]

Example:

create certreq f1.req –fipsKeyName f1 -countryName US -stateName CA -organizationName Citrix -companyName Citrix -commonName ctx -emailAddress test@example.com`
`Done

Create a server certificate by using the CLI

At the command prompt, type:

create ssl cert <certFile> <reqFile> <certType> [-keyFile <input_filename>] [-keyform ( DER | PEM ) {-PEMPassPhrase }] [-days <positive_integer>] [-certForm ( DER | PEM )] [-CAcert <input_filename>] [-CAcertForm ( DER | PEM )] [-CAkey <input_filename>] [-CAkeyForm ( DER | PEM )] [-CAserial <output_filename>]

Example:

create cert f1.cert f1.req SRVR_CERT -CAcert ns-root.cert -CAkey ns-root.key -CAserial ns-root.srl -days 1000
Done

The above example creates a server certificate using a local root CA on the appliance.

Add a certificate-key pair by using the CLI

At the command prompt, type:

add ssl certKey <certkeyName> (-cert <string> [-password]) [-key <string> | -fipsKey <string> | -hsmKey <string>] [-inform <inform>] [-expiryMonitor ( ENABLED | DISABLED ) [-notificationPeriod   <positive_integer>]] [-bundle ( YES | NO )]

Example:

add certkey cert1 -cert f1.cert -fipsKey f1
Done

After creating the FIPS key and server certificate, you can add the generic SSL configuration. Enable the features that are required for your deployment. Add servers, services, and SSL virtual servers. Bind the certificate-key pair and the service to the SSL virtual server, and save the configuration.

enable ns feature SSL LB
Done
add server s1 10.217.2.5
Done
add service sr1 s1 HTTP 80
Done
add lb vserver v1 SSL 10.217.2.172 443
Done
bind ssl vserver v1 –certkeyName cert1
Done
bind lb vserver v1 sr1
Done
saveconfig
Done

For information about configuring secure HTTPS and secure RPC, click here.