Cisco Catalyst 2975 Software Configuration Manual page 243
Ios release 12.2(55)se
Hide thumbs
Also See for Catalyst 2975:
- Hardware installation manual (62 pages) ,
- Brochure (19 pages) ,
- Getting started manual (17 pages)
Table of Contents
Advertisement
Chapter 9
Configuring Switch-Based Authentication
If you do not configure a CA trustpoint, when you enable a secure HTTP connection, either a temporary
or a persistent self-signed certificate for the secure HTTP server (or client) is automatically generated.
•
If the switch is not configured with a hostname and a domain name, a temporary self-signed
certificate is generated. If the switch reboots, any temporary self-signed certificate is lost, and a new
temporary new self-signed certificate is assigned.
If the switch has been configured with a host and domain name, a persistent self-signed certificate
•
is generated. This certificate remains active if you reboot the switch or if you disable the secure
HTTP server so that it will be there the next time you re-enable a secure HTTP connection.
The certificate authorities and trustpoints must be configured on each device individually. Copying them
Note
from other devices makes them invalid on the switch.
If a self-signed certificate has been generated, this information is included in the output of the show
running-config privileged EXEC command. This is a partial sample output from that command
displaying a self-signed certificate.
Switch# show running-config
Building configuration...
<output truncated>
crypto pki trustpoint TP-self-signed-3080755072
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3080755072
revocation-check none
rsakeypair TP-self-signed-3080755072
!
!
crypto ca certificate chain TP-self-signed-3080755072
certificate self-signed 01
3082029F 30820208 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
59312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33303830 37353530 37323126 30240609 2A864886 F70D0109
<output truncated>
You can remove this self-signed certificate by disabling the secure HTTP server and entering the no
crypto pki trustpoint TP-self-signed-30890755072 global configuration command. If you later
re-enable a secure HTTP server, a new self-signed certificate is generated.
Note
The values that follow TP self-signed depend on the serial number of the device.
You can use an optional command (ip http secure-client-auth) to allow the HTTPS server to request an
X.509v3 certificate from the client. Authenticating the client provides more security than server
authentication by itself.
For additional information on Certificate Authorities, see the "Configuring Certification Authority
Interoperability" chapter in the Cisco IOS Security Configuration Guide, Release 12.2 from the
Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command
References.
OL-19720-02
Configuring the Switch for Secure Socket Layer HTTP
Catalyst 2975 Switch Software Configuration Guide
9-47
- Quick Links:
- Management Options
Hide quick links:
Advertisement
Chapters
Table of Contents
Troubleshooting
