Setting up YANG Suite TLS/SSL
=============================

A user can use any naming convention they want for cryptography keys and certificate
files, so it is best to have a general understanding of them.  We will not go into the
different types of encryption, but basically, you want to use the strongest possible
that both the client and device can understand.

Public Certificate Authority
----------------------------

- **TLS Root Key** – openssl key used to create **TLS Root Certificate**
- **TLS Root Certificate** – Common certificate created using the **TLS Root Key** (used as the common link between a device and a client certificate).
- **TLS Root Chain** – A list of **TLS Root Certificates** (allows for multiple certificates to authenticate against)

Client (for example, YANG Suite)
--------------------------------

- **TLS Client Key** – The openssl key used to create the **TLS Client Certificate**
- **TLS Client Certificate** – Certificate created using the **TLS Client Key** and the **TLS Root Certificate**

Device (for example, Cisco router)
----------------------------------

- **TLS Device Key** – openssl key used to create **TLS Device Certificate**
- **TLS Device Certificate** – router (referred to as “device”) certificate which is created using **TLS Device Key** and **TLS Root Certificate**.

In a real world setting it is likely that the **TLS Root Certificate** or **TLS Root Chain** is
stored on public root authority servers and not on the Cisco router itself.

TLS Host Override
-----------------

When creating a certificate, you are prompted for input such as City, State, etc..  When
it gets to CN (common name) you can enter the IP Address or the FQDN (host/domain name).
If you setup your certificate to use the FQDN, the connection to a third party will
authenticate against that.  If the server hosting the TLS Root Certificate or Chain cannot
associate the requesters IP Address to the FQDN, the connection is refused.

So should I set the CN to an IP Address on my certificate?  Sure, if you are confident the
IP Address will not change as a result of using DHCP or a VPN connection and server hosting
the root receives my request on the same IP Address.

So should I set the CN to a FQDN?  Sure, if the FQDN can be associated to the IP Address by
a DNS server, or from the /etc/hosts file on the server hosting the root.

So should I just leave CN blank?  Sure, if you do not enter a challenge password when generating
the client or device certificate.

What do we end up with?
-----------------------

A TLS Root Certificate  that can be validated by 2 different keys.  The Root certificate
authority can now act as a go-between for 2 devices, eventually authorizing their connection.

Is YANG Suite Setup Overkill?
-----------------------------

Well, yes, kind of.  If you think about it, if the client has the TLS Root Certificate or Chain,
the client can use that to authenticate a device connection if the device has a certificate
created using the same TLS Root Certificate or Chain.  The YANG Suite client can actually make a
successful connection to the device having only the TLS Root Certificate or Chain.  But, by
having all 3 files available, this allows YANG Suite to act as a client, a root authority, or a device.
