Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Search instead for
Did you mean:
A self-signed certificate is added to a Cisco Catalyst switch that is managed through HTTPS
Certificate Authorities (CAs) manage certificate requests and issue certificates to participant network devices. Specific CA servers are referred to as trustpoints.
When a connection attempt is made, the secure HTTP (HTTPS) server issues a certified X.509v3 certificate to provide a secure connection. The HTTPS server obtains the certificate from a specified CA trustpoint and issues the certificate to the client. The client (usually a Web browser), in turn, has a public key that enables authentication to the certificate.
For HTTPS connections, Cisco highly recommends the configuration of a CA trustpoint.
If a CA trustpoint is not configured for the device that runs the HTTPS server, the server certifies itself with a self-signed certificate, and generates the necessary Rivest, Shamir, and Adelman (RSA) key pair. A self-signed certificate does not provide adequate security. Therefore, the connecting client generates a notification that the certificate is self-signed, and the user has the option to accept or reject the connection. This option is useful for internal network topologies (for example, testing).
In addition, when a CA trustpoint is not configured, either a temporary or a persistent self-signed certificate for the HTTPS server (or client) is automatically generated when a HTTPS connection is enabled.
For a Cisco Catalyst switch, consider these scenarios:
If the switch is not configured with a hostname and a domain name, a temporary self-signed certificate is generated. If the switch reboots, any temporary self-signed certificate is lost, and a new temporary self-signed certificate is assigned.
If the switch has been configured with a host and domain name, a persistent self-signed certificate is generated. This certificate remains active if the switch reboots or if the HTTPS server is disabled. Therefore, the certificate is available the next time the HTTPS connection is enabled.
The output of the show running-config privileged EXEC command contains information about a self-signed certificate that has been generated.
To remove a self-signed certificate, disable the HTTPS server, and issue the no crypto pki trustpointTP-self-signed-30890755072 global configuration command. If the HTTPS server is enabled later, a new self-signed certificate is generated.
Note: The values that follow TP self-signed depend on the serial number of the device.
The ip http secure-client-auth command is optional. Issue this command to allow the HTTPS server to request an X.509v3 certificate from the client. Authentication of the client provides more security than server authentication.