Cisco Systems IE3010 Configuring a CA Trustpoint

9-54

Cisco IE 3010 Switch Software Configuration Guide

OL-23145-01

Chapter 9 Configuring Switch-Based Authentication

Configuring the Switch for Secure Socket Layer HTTP

Configuring a CA Trustpoint

For secure HTTP connections, we recommend that you co nfigure an official CA trustpoint.

A CA trustpoint is more secure than a self-signed certificate.

Beginning in privileged EXEC mode, follow these steps to configure a CA trustpoint:

Use the no crypto ca trustpoint name global configuration command to delete all identity information

and certificates associated with the CA.

Command Purpose

Step 1 configure terminal Enter global configuration mode.

Step 2 hostname hostname Specify the hostname of the switch (required only if you have not

previously configured a hostname). The hostname is required for security

keys and certificates.

Step 3 ip domain-name domain-name Specify the IP domain name of the switch (required only i f you have not

previously configured an IP domain name). The domain name is required

for security keys and certificates.

Step 4 crypto key generate rsa (Optional) Generate an RSA key pair. RSA key pairs are required before

you can obtain a certificate for the switch. RSA key pairs are generated

automatically. You can use this command to regenerate the keys, if

needed.

Step 5 crypto ca trustpoint name Specify a local configuration name for the CA trustpoint and enter CA

trustpoint configuration mode.

Step 6 enrollment url url Specify the URL to which the switch should send certificate requests.

Step 7 enrollment http-proxy host-name

port-number

(Optional) Configure the switch to obtain certificates from the CA

through an HTTP proxy server.

Step 8 crl query url Configure the switch to request a certificate revocation list (CRL) to

ensure that the certificate of the peer has not been revoked.

Step 9 primary (Optional) Specify that the trustpoint should be used as the primary

(default) trustpoint for CA requests.

Step 10 exit Exit CA trustpoint configuration mode and return to global configuration

mode.

Step 11 crypto ca authentication name Authenticate the CA by getting the public key of the CA. Use the same

name used in Step 5.

Step 12 crypto ca enroll name Obtain the certificate from the specified CA trustpoint. This command

requests a signed certificate for each RSA key pair.

Step 13 end Return to privileged EXEC mode.

Step 14 show crypto ca trustpoints Verify the configuration.

Step 15 copy running-config startup-config (Optional) Save your entries in the configuration file.