12-23
Cisco IE 2000 Switch Software Configuration Guide
OL-25866-01
Chapter 12 Configuring Switch-Based Authentication
Information About Configuring Switch-Based Authentication
The primary role of the HTTP secure client (the web browser) is to respond to Cisco IOS application
requests for HTTPS User Agent services, perform HTTPS User Agent services for the application, and
pass the response back to the application.
When SSL is used in a switch cluster, the SSL session terminates at the cluster commander. Cluster
member switches must run standard HTTP.
For secure HTTP connections, we recommend that you configure an official CA trustpoint.
A CA trustpoint is more secure than a self-signed certificate: a client can verify a CA-issued certificate against a trust anchor it already holds, whereas a self-signed certificate can only be accepted on faith.
Before you configure a CA trustpoint, you should ensure that the system clock is set. If the clock is not
set, the certificate is rejected due to an incorrect date (the switch compares the certificate validity period against its own clock).
Certificate Authority Trustpoints
Certificate authorities (CAs) manage certificate requests and issue certificates to participating network
devices. These services provide centralized security key and certificate management for the participating
devices. Specific CA servers are referred to as trustpoints.
When a connection attempt is made, the HTTPS server provides a secure connection by presenting to the client
an X.509v3 certificate obtained from a specified CA trustpoint. The client (usually a web browser)
holds the CA's public key and uses it to verify the signature on that certificate, thereby authenticating the switch.
For secure HTTP connections, we highly recommend that you configure a CA trustpoint. If a CA
trustpoint is not configured for the device running the HTTPS server, the server certifies itself and
generates the needed RSA key pair. Because a self-certified (self-signed) certificate does not provide
adequate security, the connecting client displays a notification that the certificate is self-certified, and
the user has the opportunity to accept or reject the connection. This option is useful only for internal network
topologies (such as testing), where the user can confirm the switch identity by other means.
If you do not configure a CA trustpoint, when you enable a secure HTTP connection, either a temporary
or a persistent self-signed certificate for the secure HTTP server (or client) is automatically generated.
If the switch is not configured with a hostname and a domain name, a temporary self-signed
certificate is generated. If the switch reboots, any temporary self-signed certificate is lost, and a new
temporary self-signed certificate is generated (so clients that accepted the old one are prompted again).
If the switch has been configured with a hostname and a domain name, a persistent self-signed certificate
is generated. This certificate survives a reboot of the switch and remains available if you disable the secure
HTTP server, so it is reused the next time you reenable a secure HTTP connection.
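The following Cisco IOS CLI session is an added example, not configuration text from this guide, showing the recommended sequence in order: set the clock, give the switch a hostname and domain name, generate the RSA key pair, configure and enroll a CA trustpoint, and then bind the secure HTTP server to that trustpoint. The hostname ie2000-sw1, the domain example.com, the NTP server address 192.0.2.10, the trustpoint name CORP-CA, the key label SWITCH-KEY, and the CA enrollment URL are assumptions chosen for illustration; substitute your own values.

```ios
! --- Added example (not from the Cisco guide). Names and addresses are assumptions. ---
!
! 1. Set the clock first. Certificate validity is checked against the switch clock,
!    so an unset clock causes the CA certificate (and your own) to be rejected.
configure terminal
clock timezone UTC 0
ntp server 192.0.2.10            ! assumed NTP source; alternatively use "clock set" in EXEC mode
!
! 2. Hostname and domain name. Without both, only a temporary self-signed
!    certificate is generated and it is lost on every reboot.
hostname ie2000-sw1
ip domain-name example.com
!
! 3. Generate a dedicated RSA key pair for the HTTPS certificate.
crypto key generate rsa label SWITCH-KEY modulus 2048
!
! 4. Define the CA trustpoint. The enrollment URL (SCEP) is an assumption.
crypto pki trustpoint CORP-CA
 enrollment url http://ca.example.com:80
 subject-name CN=ie2000-sw1.example.com,O=Example
 rsakeypair SWITCH-KEY
 exit
!
! 5. Fetch and verify the CA certificate (the switch shows its fingerprint;
!    compare it with the value published by your CA before accepting),
!    then request the switch's own certificate from the CA.
crypto pki authenticate CORP-CA
crypto pki enroll CORP-CA
!
! 6. Enable HTTPS and pin it to the trustpoint so the server does not fall back
!    to a self-signed certificate. Disable plain HTTP on a standalone switch;
!    leave it enabled on cluster member switches, which must run standard HTTP.
ip http secure-server
ip http secure-trustpoint CORP-CA
no ip http server
end
!
! 7. Verify: the trustpoint should show both the CA certificate and the switch
!    certificate, and the secure server status should report the trustpoint.
show clock
show crypto pki certificates CORP-CA
show ip http server secure status
```

Step 5 is the point where a practitioner should stop and compare the displayed CA fingerprint out of band; accepting it blindly defeats the purpose of using a trustpoint instead of a self-signed certificate. If the switch is a cluster member, omit the no ip http server line, because the SSL session terminates at the cluster commander and members are reached over standard HTTP.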
Default SSL Settings
Table 12-6 Default SSL Settings
Feature                      Default Setting
Standard HTTP server         Enabled
SSL                          Enabled
CA trustpoints               None configured
Self-signed certificates     None generated