Certificate authorities (CAs) are responsible for managing certificate requests and issuing certificates to participating
IPSec network devices. These services provide centralized security key and certificate management for the participating devices.
Specific CA servers are referred to as “trustpoints.”
The HTTPS server provides a secure connection by providing a certified X.509v3 certificate to the client when a connection
attempt is made. The certified X.509v3 certificate is obtained from a specified CA trustpoint. The client (usually a web browser),
in turn, has a public key that allows it to authenticate the certificate.
Configuring a CA trustpoint is highly recommended for secure HTTP connections. However, if a CA trustpoint is not configured
for the routing device running the HTTPS server, the server will certify itself and generate the needed RSA key pair. Because
a self-certified (self-signed) certificate does not provide adequate security, the connecting client will generate a notification
that the certificate is self-certified, and the user will have the opportunity to accept or reject the connection. This option
is available for internal network topologies (such as testing).
The HTTPS--HTTP Server and Client with SSL 3.0 feature also provides an optional command (ip http secure-client-auth) that, when enabled, has the HTTPS server request an X.509v3 certificate from the client. Authenticating the client provides
more security than server authentication by itself.
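The following configuration sequence is an added example and is not taken from the guide; it shows how the pieces described above fit together on an IOS XE device: a dedicated RSA key pair, a CA trustpoint, enrollment, the HTTPS server bound to that trustpoint with ip http secure-trustpoint, and client certificate authentication with ip http secure-client-auth. The hostname, domain, trustpoint and key labels (HTTPS-TP, HTTPS-KEYS) and the CA enrollment URL are placeholders, not values from the page.

```cisco
! Added example configuration (not from the original guide).
! Placeholder names: edge-router, example.net, HTTPS-TP, HTTPS-KEYS, ca.example.net.

! --- global configuration mode ---
hostname edge-router
ip domain name example.net

! --- privileged EXEC mode ---
! Generate a dedicated RSA key pair for the HTTPS server certificate
! so the management identity is separate from any IPsec keys.
crypto key generate rsa modulus 2048 label HTTPS-KEYS

! --- global configuration mode ---
! Trustpoint that identifies the CA and how to enroll with it (SCEP URL is a placeholder).
crypto pki trustpoint HTTPS-TP
 enrollment url http://ca.example.net:80
 subject-name CN=edge-router.example.net,O=Example
 rsakeypair HTTPS-KEYS
 revocation-check crl

! --- privileged EXEC mode ---
! Fetch the CA certificate (verify its fingerprint out of band before accepting it),
! then request the router's own X.509v3 certificate from that CA.
crypto pki authenticate HTTPS-TP
crypto pki enroll HTTPS-TP

! --- global configuration mode ---
! Turn off cleartext HTTP management and bind HTTPS to the CA-issued certificate,
! so the server does not fall back to a self-signed certificate.
no ip http server
ip http secure-server
ip http secure-trustpoint HTTPS-TP
! Also require each connecting client to present an X.509v3 certificate.
ip http secure-client-auth

! --- privileged EXEC mode: verification ---
! Confirm the HTTPS server is enabled, which trustpoint it uses, and that client auth is on.
show ip http server secure status
! Confirm both the CA certificate and the router certificate are present under the trustpoint.
show crypto pki certificates HTTPS-TP
```

The verification commands are the check a practitioner would run after the change: if show ip http server secure status reports no trustpoint, the server is still using a self-signed certificate and browsers will warn as described above.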
For additional information on certificate authorities, see the “Configuring Certification Authority Interoperability” chapter in the Cisco IOS XE Security Configuration Guide.