Ssl Configuration Guidelines; Configuring A Ca Trustpoint - Cisco 3020 - Catalyst Blade Switch Configuration Manual

Chapter 6 Configuring Switch-Based Authentication

SSL Configuration Guidelines

Before you configure a CA trustpoint, you should ensure that the system clock is set. If the clock is not
set, the certificate is rejected due to an incorrect date.

Configuring a CA Trustpoint

For secure HTTP connections, we recommend that you configure an official CA trustpoint.
A CA trustpoint is more secure than a self-signed certificate.
Beginning in privileged EXEC mode, follow these steps to configure a CA trustpoint:
Command
Step 1 configure terminal
Step 2
hostname hostname
Step 3
ip domain-name domain-name
Step 4
crypto key generate rsa
Step 5 crypto ca trustpoint name
Step 6
enrollment url url
Step 7 enrollment http-proxy host-name
port-number
Step 8 crl query url
Step 9 primary
Step 10 exit
Step 11 crypto ca authentication name
Step 12
crypto ca enroll name
Step 13
end
Step 14 show crypto ca trustpoints
Step 15 copy running-config startup-config
Use the no crypto ca trustpoint name global configuration command to delete all identity information
and certificates associated with the CA.
OL-8915-01
Purpose
Enter global configuration mode.
Specify the hostname of the switch (required only if you have not
previously configured a hostname). The hostname is required for security
keys and certificates.
Specify the IP domain name of the switch (required only if you have not
previously configured an IP domain name). The domain name is required
for security keys and certificates.
(Optional) Generate an RSA key pair. RSA key pairs are required before
you can obtain a certificate for the switch. RSA key pairs are generated
automatically. You can use this command to regenerate the keys, if
needed.
Specify a local configuration name for the CA trustpoint and enter CA
trustpoint configuration mode.
Specify the URL to which the switch should send certificate requests.
(Optional) Configure the switch to obtain certificates from the CA
through an HTTP proxy server.
Configure the switch to request a certificate revocation list (CRL) to
ensure that the certificate of the peer has not been revoked.
(Optional) Specify that the trustpoint should be used as the primary
(default) trustpoint for CA requests.
Exit CA trustpoint configuration mode and return to global configuration
mode.
Authenticate the CA by getting the public key of the CA. Use the same
name used in Step 5.
Obtain the certificate from the specified CA trustpoint. This command
requests a signed certificate for each RSA key pair.
Return to privileged EXEC mode.
Verify the configuration.
(Optional) Save your entries in the configuration file.
Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide
Configuring the Switch for Secure Socket Layer HTTP
6-45