Certificate Authority Trustpoints - Cisco Catalyst 2960-X Security Configuration Manual
Cisco ios release 15.0(2)ex
Hide thumbs
Also See for Catalyst 2960-X:
- Command reference manual (135 pages) ,
- Hardware installation manual (34 pages) ,
- Getting started manual (25 pages)
Table of Contents
Advertisement
Certificate Authority Trustpoints
SSL evolved into Transport Layer Security (TLS) in 1999, but is still used in this particular context.
Note
The primary role of the HTTP secure server (the switch) is to listen for HTTPS requests on a designated port
(the default HTTPS port is 443) and pass the request to the HTTP 1.1 Web server. The HTTP 1.1 server
processes requests and passes responses (pages) back to the HTTP secure server, which, in turn, responds to
the original request.
The primary role of the HTTP secure client (the web browser) is to respond to Cisco IOS application requests
for HTTPS User Agent services, perform HTTPS User Agent services for the application, and pass the response
back to the application.
Certificate Authority Trustpoints
Certificate authorities (CAs) manage certificate requests and issue certificates to participating network devices.
These services provide centralized security key and certificate management for the participating devices.
Specific CA servers are referred to as trustpoints.
When a connection attempt is made, the HTTPS server provides a secure connection by issuing a certified
X.509v3 certificate, obtained from a specified CA trustpoint, to the client. The client (usually a Web browser),
in turn, has a public key that allows it to authenticate the certificate.
For secure HTTP connections, we highly recommend that you configure a CA trustpoint. If a CA trustpoint
is not configured for the device running the HTTPS server, the server certifies itself and generates the needed
RSA key pair. Because a self-certified (self-signed) certificate does not provide adequate security, the connecting
client generates a notification that the certificate is self-certified, and the user has the opportunity to accept
or reject the connection. This option is useful for internal network topologies (such as testing).
If you do not configure a CA trustpoint, when you enable a secure HTTP connection, either a temporary or
a persistent self-signed certificate for the secure HTTP server (or client) is automatically generated.
• If the switch is not configured with a hostname and a domain name, a temporary self-signed certificate
• If the switch has been configured with a host and domain name, a persistent self-signed certificate is
The certificate authorities and trustpoints must be configured on each device individually. Copying them
Note
from other devices makes them invalid on the switch.
When a new certificate is enrolled, the new configuration change is not applied to the HTTPS server until
the server is restarted. You can restart the server using either the CLI or by physical reboot. On restarting
the server, the switch starts using the new certificate.
If a self-signed certificate has been generated, this information is included in the output of the show
running-config privileged EXEC command. This is a partial sample output from that command displaying
a self-signed certificate.
Switch# show running-config
Building configuration...
Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
126
is generated. If the switch reboots, any temporary self-signed certificate is lost, and a new temporary
new self-signed certificate is assigned.
generated. This certificate remains active if you reboot the switch or if you disable the secure HTTP
server so that it will be there the next time you re-enable a secure HTTP connection.
Configuring Secure Socket Layer HTTP
OL-29048-01
Hide quick links:
Advertisement
Table of Contents
