Chapter 9 Configuring Switch-Based Authentication

Configuring the Switch for Secure Socket Layer HTTP

SSL Configuration Guidelines

When SSL is used in a switch cluster, the SSL session terminates at the cluster commander; cluster member switches must run standard HTTP. Only the leg between the browser and the commander is therefore protected by SSL. The traffic between the commander and the member switches is not encrypted, so keep it on a management network you trust.

Before you configure a CA trustpoint, make sure that the system clock is set (manually with clock set, or through NTP). The switch checks the validity period of a certificate against its clock; if the clock is not set, the certificate is rejected because the date is incorrect.

In a Catalyst 3750-E switch stack, the SSL session terminates at the stack master.

Configuring a CA Trustpoint

For secure HTTP connections, we recommend that you configure an official CA trustpoint.

A CA trustpoint is more secure than a self-signed certificate. A browser can verify a CA-issued certificate against a CA it already trusts, whereas a self-signed certificate must be accepted on faith by each user, so an impostor presenting its own self-signed certificate is hard to tell from the real switch.

Beginning in privileged EXEC mode, follow these steps to configure a CA trustpoint:

Step     Command
         Purpose

Step 1   configure terminal
         Enter global configuration mode.

Step 2   hostname hostname
         Specify the hostname of the switch (required only if you have not previously configured a hostname). The hostname is required for security keys and certificates.

Step 3   ip domain-name domain-name
         Specify the IP domain name of the switch (required only if you have not previously configured an IP domain name). The domain name is required for security keys and certificates.

Step 4   crypto key generate rsa
         (Optional) Generate an RSA key pair. RSA key pairs are required before you can obtain a certificate for the switch. RSA key pairs are generated automatically. You can use this command to regenerate the keys, if needed.

Step 5   crypto ca trustpoint name
         Specify a local configuration name for the CA trustpoint and enter CA trustpoint configuration mode.

Step 6   enrollment url url
         Specify the URL to which the switch should send certificate requests.

Step 7   enrollment http-proxy host-name port-number
         (Optional) Configure the switch to obtain certificates from the CA through an HTTP proxy server.

Step 8   crl query url
         Configure the switch to request a certificate revocation list (CRL) to ensure that the certificate of the peer has not been revoked.

Step 9   primary
         (Optional) Specify that the trustpoint should be used as the primary (default) trustpoint for CA requests.

Step 10  exit
         Exit CA trustpoint configuration mode and return to global configuration mode.

Step 11  crypto ca authenticate name
         Authenticate the CA by getting the public key of the CA. Use the same name used in Step 5. The switch displays the fingerprint of the CA certificate and asks you to accept it; compare the fingerprint with the value obtained from the CA administrator before you accept it.

Step 12  crypto ca enroll name
         Obtain the certificate from the specified CA trustpoint. This command requests a signed certificate for each RSA key pair.

Step 13  end
         Return to privileged EXEC mode.

Step 14  show crypto ca trustpoints
         Verify the configuration.

Step 15  copy running-config startup-config
         (Optional) Save your entries in the configuration file.
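The whole procedure above, run end to end on one switch, as an added example session that is not part of the original guide. The hostname sw-access-01, the domain example.net, the trustpoint label CORP-CA, the CA host ca.example.net, the proxy proxy.example.net and the NTP server 192.0.2.10 are placeholders (assumed values). The first block sets the clock, which the guidelines require before the trustpoint is configured; the block that binds the certificate to the secure HTTP server belongs to the next procedure in this chapter and is shown only so the certificate actually gets used.

```cisco
! Added example session; every name and address below is a placeholder (assumption).
! 1. The certificate validity period is checked against the switch clock, so
!    set the time first (NTP here; "clock set" in privileged EXEC also works).
Switch# configure terminal
Switch(config)# clock timezone UTC 0
Switch(config)# ntp server 192.0.2.10
Switch(config)# end
Switch# show clock
! Confirm the clock shows a current, synchronized time before continuing.

! 2. Identity required for key and certificate generation (Steps 2-3).
Switch# configure terminal
Switch(config)# hostname sw-access-01
sw-access-01(config)# ip domain-name example.net

! 3. Regenerate the RSA key pair (Step 4). The modulus keyword sets the key
!    length explicitly instead of accepting the size offered at the prompt.
sw-access-01(config)# crypto key generate rsa modulus 2048

! 4. Trustpoint definition (Steps 5-10). The http-proxy line is optional;
!    drop it if the switch can reach the CA directly.
sw-access-01(config)# crypto ca trustpoint CORP-CA
sw-access-01(ca-trustpoint)# enrollment url http://ca.example.net
sw-access-01(ca-trustpoint)# enrollment http-proxy proxy.example.net 8080
sw-access-01(ca-trustpoint)# crl query ldap://ca.example.net
sw-access-01(ca-trustpoint)# primary
sw-access-01(ca-trustpoint)# exit

! 5. Fetch and accept the CA certificate (Step 11). The switch prints the CA
!    certificate fingerprint and asks for confirmation. Compare it with the
!    value the CA administrator gave you out of band before answering yes;
!    otherwise anyone on the enrollment path can substitute their own CA.
sw-access-01(config)# crypto ca authenticate CORP-CA

! 6. Request the switch's own certificate (Step 12). Enrollment prompts for a
!    challenge password and asks whether to include the serial number and IP
!    address in the request. Record the password: the CA administrator needs
!    it to revoke the certificate later.
sw-access-01(config)# crypto ca enroll CORP-CA

! 7. Use the certificate for HTTPS and turn off cleartext HTTP (these commands
!    come from the next procedure in this chapter, not from the steps above).
sw-access-01(config)# ip http secure-server
sw-access-01(config)# ip http secure-trustpoint CORP-CA
sw-access-01(config)# no ip http server
sw-access-01(config)# end

! 8. Verify and save (Steps 14-15). "show crypto ca certificates" lists both
!    the CA certificate and the switch certificate with their validity dates.
sw-access-01# show crypto ca trustpoints
sw-access-01# show crypto ca certificates
sw-access-01# copy running-config startup-config
```

If show crypto ca certificates shows the switch certificate as pending, the CA has not yet approved the request; repeat the show command after the CA administrator issues the certificate rather than re-running the enroll step, which would create a second request.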

Catalyst 3750-E and 3560-E Switch Software Configuration Guide
OL-9775-02
9-45