Configuring The Switch For Secure Socket Layer Http; Understanding Secure Http Servers And Clients; Certificate Authority Trustpoints - Cisco Catalyst 3750-E Software Configuration Manual

Chapter 9 Configuring Switch-Based Authentication
For more information about these commands, see the "Secure Shell Commands" section in the "Other
Security Features" chapter of the Cisco IOS Security Command Reference, Cisco IOS Release 12.2.

Configuring the Switch for Secure Socket Layer HTTP

This section describes how to configure Secure Socket Layer (SSL) Version 3.0 support for the
HTTP 1.1 server and client. SSL provides server authentication, encryption, and message integrity, as
well as HTTP client authentication, to allow secure HTTP communications.
These sections contain this information:
•
•
•
For configuration examples and complete syntax and usage information for the commands used in this
section, see the "HTTPS - HTTP Server and Client with SSL 3.0" feature description for Cisco IOS
Release 12.2(15)T.

Understanding Secure HTTP Servers and Clients

On a secure HTTP connection, data to and from an HTTP server is encrypted before being sent over the
Internet. HTTP with SSL encryption provides a secure connection to allow such functions as configuring
a switch from a Web browser. Cisco's implementation of the secure HTTP server and secure HTTP client
uses an implementation of SSL Version 3.0 with application-layer encryption. HTTP over SSL is
abbreviated as HTTPS; the URL of a secure connection begins with https:// instead of http://.
The primary role of the HTTP secure server (the switch) is to listen for HTTPS requests on a designated
port (the default HTTPS port is 443) and pass the request to the HTTP 1.1 Web server. The HTTP 1.1
server processes requests and passes responses (pages) back to the HTTP secure server, which, in turn,
responds to the original request.
The primary role of the HTTP secure client (the web browser) is to respond to Cisco IOS application
requests for HTTPS User Agent services, perform HTTPS User Agent services for the application, and
pass the response back to the application.

Certificate Authority Trustpoints

Certificate authorities (CAs) manage certificate requests and issue certificates to participating network
devices. These services provide centralized security key and certificate management for the participating
devices. Specific CA servers are referred to as trustpoints.
When a connection attempt is made, the HTTPS server provides a secure connection by issuing a
certified X.509v3 certificate, obtained from a specified CA trustpoint, to the client. The client (usually
a Web browser), in turn, has a public key that allows it to authenticate the certificate.
For secure HTTP connections, we highly recommend that you configure a CA trustpoint. If a CA
trustpoint is not configured for the device running the HTTPS server, the server certifies itself and
generates the needed RSA key pair. Because a self-certified (self-signed) certificate does not provide
adequate security, the connecting client generates a notification that the certificate is self-certified, and
the user has the opportunity to accept or reject the connection. This option is useful for internal network
topologies (such as testing).
OL-9775-08
Understanding Secure HTTP Servers and Clients, page 9-49
Configuring Secure HTTP Servers and Clients, page 9-51
Displaying Secure HTTP Server and Client Status, page 9-55
Configuring the Switch for Secure Socket Layer HTTP
Catalyst 3750-E and 3560-E Switch Software Configuration Guide
9-49