Cisco Systems 3560 사용자 설명서
9-45
Catalyst 3560 Switch Software Configuration Guide
OL-8553-06
Chapter 9 Configuring Switch-Based Authentication
Configuring the Switch for Secure Socket Layer HTTP
Default SSL Configuration
The standard HTTP server is enabled.
SSL is enabled.
No CA trustpoints are configured.
No self-signed certificates are generated.
SSL Configuration Guidelines
When SSL is used in a switch cluster, the SSL session terminates at the cluster commander. Cluster
member switches must run standard HTTP.
member switches must run standard HTTP.
Before you configure a CA trustpoint, you should ensure that the system clock is set. If the clock is not
set, the certificate is rejected due to an incorrect date.
set, the certificate is rejected due to an incorrect date.
Configuring a CA Trustpoint
For secure HTTP connections, we recommend that you configure an official CA trustpoint.
A CA trustpoint is more secure than a self-signed certificate.
A CA trustpoint is more secure than a self-signed certificate.
Beginning in privileged EXEC mode, follow these steps to configure a CA trustpoint:
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
hostname hostname
Specify the hostname of the switch (required only if you have not
previously configured a hostname). The hostname is required for security
keys and certificates.
previously configured a hostname). The hostname is required for security
keys and certificates.
Step 3
ip domain-name domain-name
Specify the IP domain name of the switch (required only if you have not
previously configured an IP domain name). The domain name is required
for security keys and certificates.
previously configured an IP domain name). The domain name is required
for security keys and certificates.
Step 4
crypto key generate rsa
(Optional) Generate an RSA key pair. RSA key pairs are required before
you can obtain a certificate for the switch. RSA key pairs are generated
automatically. You can use this command to regenerate the keys, if
needed.
you can obtain a certificate for the switch. RSA key pairs are generated
automatically. You can use this command to regenerate the keys, if
needed.
Step 5
crypto ca trustpoint name
Specify a local configuration name for the CA trustpoint and enter CA
trustpoint configuration mode.
trustpoint configuration mode.
Step 6
enrollment url url
Specify the URL to which the switch should send certificate requests.
Step 7
enrollment http-proxy host-name
port-number
port-number
(Optional) Configure the switch to obtain certificates from the CA
through an HTTP proxy server.
through an HTTP proxy server.
Step 8
crl query url
Configure the switch to request a certificate revocation list (CRL) to
ensure that the certificate of the peer has not been revoked.
ensure that the certificate of the peer has not been revoked.
Step 9
primary
(Optional) Specify that the trustpoint should be used as the primary
(default) trustpoint for CA requests.
(default) trustpoint for CA requests.
Step 10
exit
Exit CA trustpoint configuration mode and return to global configuration
mode.
mode.
Step 11
crypto ca authentication name
Authenticate the CA by getting the public key of the CA. Use the same
name used in Step 5.
name used in Step 5.