8-40
Catalyst 2960 Switch SoftwareConfiguration Guide
78-16881-01
Chapter8 Configuring Switch-Based Authentication
Configuring the Switch for Secure Socket Layer HTTP
SSL Configuration Guidelines
When SSL is used in a switch cluster, the SSL session terminates at the cluster commander. Cluster
member switches must run standard HTTP.
Before you configure a CA trustpoint, you should ensure that the system clock is set. I f the clock is not
set, the certificate is rejected due to an incorrect date.
Configuring a CA Trustpoint
For secure HTTP connections, we recommend that you co nfigure an official CA trustpoint.
ACA t rustpoint is more secure than a self-signed certificate.
Beginning in privileged EXEC mode, follow these steps to configure a CA trustpoint:
Command Purpose
Step1 configure terminal Enter global configuration mode.
Step2 hostname hostname Specify the hostname of the switch (required only if you have not
previously configured a hostname). The hostname is required for security
keys and certificates.
Step3 ip domain-name domain-name Specify the IP domain name of the switch (required only i f you have not
previously configured an IP domain name). The domain name is required
for security keys and certificates.
Step4 crypto key generate rsa (Optional) Generate an RSA key pair. RSA key pairs are required before
you can obtain a certificate for the switch. RSA key pairs are generated
automatically. You can use this command to regenerate the keys, if
needed.
Step5 crypto ca trustpoint name Specify a local configuration name for the CA trustpoint and enter CA
trustpoint configuration mode.
Step6 enrollment url url Specify the URL to which the switch should send certificate requests.
Step7 enrollment http-proxy host-name
port-number
(Optional) Configure the switch to obtain certificates from the CA
through an HTTP proxy server.
Step8 crl query url Configure the switch to request a certificate revocation list (CRL) to
ensure that the certificate of the peer has not been revoked.
Step9 primary (Optional) Specify that the trustpoint should be used as the primary
(default) trustpoint for CA requests.
Step10 exit Exit CA trustpoint configuration mode and return to global configuration
mode.
Step11 crypto ca authentication name Authenticate the CA by getting the public key of the CA. Use the same
name used in Step 5.
Step12 crypto ca enroll name Obtain the certificate from the specified CA trustpoint. This command
requests a signed certificate for each RSA key pair.
Step13 end Return to privileged EXEC mode.
Step14 show crypto ca trustpoints Verify the configuration.
Step15 copy running-config startup-config (Optional) Save your entries in the configuration file.