Certificate Authorities (CAs) manage certificate requests and issue certificates to participant network devices. Specific CA servers are referred to as trustpoints.
When a client attempts to connect, the secure HTTP (HTTPS) server presents an X.509v3 certificate to establish the secure connection. The HTTPS server obtains this certificate from the configured CA trustpoint and presents it to the client. The client (usually a web browser), in turn, holds the CA's public key, which lets it authenticate the certificate.
For HTTPS connections, Cisco highly recommends the configuration of a CA trustpoint.
If a CA trustpoint is not configured for the device that runs the HTTPS server, the server certifies itself with a self-signed certificate and generates the necessary Rivest, Shamir, and Adleman (RSA) key pair. A self-signed certificate does not provide adequate security: the connecting client warns that the certificate is self-signed, and the user has the option to accept or reject the connection. This option is useful for internal network topologies (for example, testing).
In addition, when a CA trustpoint is not configured, either a temporary or a persistent self-signed certificate for the HTTPS server (or client) is automatically generated when an HTTPS connection is enabled.
For a Cisco Catalyst switch, consider these scenarios:
If the switch is not configured with a hostname and a domain name, a temporary self-signed certificate is generated. If the switch reboots, any temporary self-signed certificate is lost, and a new temporary self-signed certificate is assigned.
If the switch has been configured with a hostname and a domain name, a persistent self-signed certificate is generated. This certificate remains active if the switch reboots or if the HTTPS server is disabled. Therefore, the certificate is available the next time the HTTPS connection is enabled.
The output of the show running-config privileged EXEC command contains information about a self-signed certificate that has been generated.
To remove a self-signed certificate, disable the HTTPS server, and issue the no crypto pki trustpoint TP-self-signed-30890755072 global configuration command. If the HTTPS server is enabled later, a new self-signed certificate is generated.
Note: The digits that follow TP-self-signed- depend on the serial number of the device.
The ip http secure-client-auth command is optional. Issue this command to allow the HTTPS server to request an X.509v3 certificate from the client. Authenticating the client provides more security than server authentication alone.
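As an added example (not from the original document or from Cisco), the following script audits a saved show running-config for the two conditions described above: an HTTPS server that relies on the auto-generated TP-self-signed-* trustpoint, and an HTTPS server that does not request a client certificate. Both sample configurations are constructed; the CA trustpoint name CORP-CA and the enrollment URL ca.example.com are placeholders.

```python
# Constructed sample of `show running-config` output, modelled on the stanza
# IOS writes for an auto-generated self-signed HTTPS certificate.
SELF_SIGNED_CONFIG = """\
crypto pki trustpoint TP-self-signed-30890755072
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-30890755072
 rsakeypair TP-self-signed-30890755072
!
ip http secure-server
"""
# Constructed contrast: a CA trustpoint (CORP-CA and ca.example.com are placeholders).
CA_CONFIG = """\
crypto pki trustpoint CORP-CA
 enrollment url http://ca.example.com
 rsakeypair HTTPS-KEY
!
ip http secure-server
ip http secure-trustpoint CORP-CA
ip http secure-client-auth
"""

def parse_trustpoints(config: str) -> dict:
    """Map each `crypto pki trustpoint` name to its indented subcommands."""
    trustpoints, current = {}, None
    for line in config.splitlines():
        if line.startswith("crypto pki trustpoint "):
            current = line.split()[-1]
            trustpoints[current] = {}
        elif current and line.startswith(" "):
            key, _, rest = line.strip().partition(" ")
            trustpoints[current][key] = rest
        else:
            current = None  # an unindented line ends the stanza
    return trustpoints

def audit_https(config: str) -> list:
    """Flag an HTTPS server that relies on a self-signed certificate or skips client auth."""
    lines = config.splitlines()
    if "ip http secure-server" not in lines:
        return []  # HTTPS disabled; nothing to check
    trustpoints = parse_trustpoints(config)
    explicit = [l.split()[-1] for l in lines if l.startswith("ip http secure-trustpoint ")]
    # Without `ip http secure-trustpoint`, IOS falls back to its TP-self-signed-* trustpoint.
    used = explicit[-1] if explicit else next((n for n in trustpoints if n.startswith("TP-self-signed-")), None)
    findings = [] if used else ["HTTPS enabled but no usable trustpoint found"]
    if used and trustpoints.get(used, {}).get("enrollment") == "selfsigned":
        findings.append(f"HTTPS server uses self-signed trustpoint {used}")
    if "ip http secure-client-auth" not in lines:
        findings.append("ip http secure-client-auth not set")
    return findings
```

Running audit_https over the first sample reports both findings; over the second it reports none.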