Configuring Secure Socket Layer (SSL)

General Operating Rules and Notes

 

to connect via SSL to the switch. (The session key pair mentioned above is not visible on the switch. It is a temporary, internally generated pair used for a particular switch/client session, and then discarded.)

 

The server certificate is stored in the switch’s flash memory. The server certificate should be added to the certificate folder on the SSL clients that you want to have access to the switch. Most browser applications automatically add the switch’s host certificate to their certificate folder on the first use. This method does allow for a security breach on the first access to the switch, because nothing verifies the certificate before the browser trusts it. (Refer to the documentation for your browser application.)

 

There are two types of certificates that can be used for the switch’s host certificate. The first type is a self-signed certificate, which is generated and digitally signed by the switch itself. Since self-signed certificates are not signed by a third-party certificate authority, there is no audit trail to a root CA certificate and no fool-proof means of verifying the authenticity of the certificate. The second type is a certificate authority-signed certificate, which is digitally signed by a certificate authority, has an audit trail to a root CA certificate, and can be verified unequivocally.
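The practical defence against the first-access exposure described above is to check the self-signed certificate's fingerprint against a value obtained out-of-band (for example, read from the switch console) before any client trusts it. The following is an added example, not code from the switch manual or from the switch vendor; the host, port, fingerprint and PEM path are placeholders you supply.

```python
# Added example (not ProCurve code): pin a switch's self-signed host certificate
# by SHA-256 fingerprint before trusting it, instead of accepting it blindly.
import hashlib
import socket
import ssl

def fingerprint_sha256(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, colon-separated as browsers show it."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fingerprints_match(seen: str, expected: str) -> bool:
    """Compare ignoring case and separators, so a value copied from the switch
    console or a browser dialog can be pasted as-is. Requires a full 32-byte hash."""
    def norm(s: str) -> str:
        return "".join(c for c in s.upper() if c in "0123456789ABCDEF")
    return len(norm(expected)) == 64 and norm(seen) == norm(expected)

def fetch_server_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Retrieve the server certificate without validating it; the bytes are used
    only for the fingerprint comparison below, and no application data is sent."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def pin_switch_cert(host: str, expected_fp: str, pem_path: str) -> str:
    """Fetch the switch's host certificate, check it against the fingerprint
    obtained out-of-band, and only then store it as a trust anchor."""
    der = fetch_server_cert(host)
    seen = fingerprint_sha256(der)
    if not fingerprints_match(seen, expected_fp):
        raise ssl.SSLCertVerificationError(
            f"{host}: certificate fingerprint {seen} does not match the pinned value")
    with open(pem_path, "w") as f:
        f.write(ssl.DER_cert_to_PEM_cert(der))
    return seen

def pinned_context(pem_path: str) -> ssl.SSLContext:
    """TLS context for later sessions that trusts only the pinned switch certificate."""
    ctx = ssl.create_default_context(cafile=pem_path)
    ctx.check_hostname = False  # a self-signed switch certificate rarely names the host
    return ctx
```

Run `pin_switch_cert` once with the fingerprint read from a trusted channel, then open later sessions with `pinned_context(pem_path)`; the pinning step only needs repeating if the certificate on the switch is deliberately regenerated.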

 

 

Note: There is usually a fee associated with receiving a verified certificate, and the valid dates are limited by the root certificate authority issuing the certificate.

 

When you generate a certificate key pair and/or certificate on the switch, the switch places the key pair and/or certificate in flash memory (and not in the running config). Also, the switch maintains the certificate across reboots, including power cycles. You should consider this certificate to be “permanent”; that is, avoid re-generating the certificate without a compelling reason. Otherwise, you will have to re-introduce the switch’s host certificate on all management stations you have set up for SSL access to the switch using the earlier certificate.

 

Removing (zeroizing) the switch’s certificate key pair or certificate renders the switch unable to engage in SSL operation and automatically disables SSL on the switch. (To verify whether SSL is enabled, execute show config.)

 

To Generate or Erase the Switch’s Server Certificate with the CLI

 

Because the host certificate is stored in flash instead of the running-config file, it is not necessary to use write memory to save the certificate. Erasing the host certificate automatically disables SSL.

7-9