Configuring HTTPS Access
Certificate authorities (CAs) manage certificate requests and issue certificates to participating network devices, providing centralized key and certificate management for those devices. On the device, a CA is referenced through a trustpoint: a named configuration object that identifies the CA and holds the certificate the CA issued to the device. When a client connects, the HTTPS server presents an X.509v3 certificate obtained from the configured CA trustpoint, and the TLS handshake builds the encrypted session on it.
The client (usually a web browser) holds the CA's public key in its trust store and uses it to validate that certificate. For secure HTTP connections, we strongly recommend that you configure a CA trustpoint. If no CA trustpoint is configured on the device running the HTTPS server, the device generates the needed RSA key pair and signs its own certificate. A self-signed certificate gives the client no way to verify the server's identity (anyone on the path could present one of their own), so the client warns the user that the certificate is self-signed and the user must decide whether to accept or reject the connection. This is acceptable only for internal network topologies such as test setups. If you do not configure a CA trustpoint, enabling a secure HTTP connection automatically generates either a temporary or a persistent self-signed certificate for the secure HTTP server (or client).
If the device is not configured with a hostname and a domain name, a temporary self-signed certificate is generated. If the switch reboots, the temporary self-signed certificate is lost and a new one is generated, so clients will see a different certificate after every reboot. If the device has been configured with a hostname and a domain name, a persistent self-signed certificate is generated. This certificate survives a reboot and remains in place if you disable the secure HTTP server, so it is reused the next time you re-enable a secure HTTP connection.
Procedure
Step 1 |
Check the HTTPS Access check box to enable HTTPS on the device, and enter the port on which the device listens for HTTPS requests. The default port is 1025; valid values are 443 and any port from 1025 through 65535. On a secure HTTP connection, data exchanged with the HTTP server is encrypted before it is sent over the network. HTTP over SSL/TLS provides a secure connection for functions such as configuring a switch from a web browser. |
Step 2 |
In the Trust Point Configuration section, check the Enable Trust Point check box to have the HTTPS server present a certificate issued by a CA trustpoint instead of a self-signed one. |
Step 3 |
To keep track of hosts connecting to the device, check the IP Device Tracking check box. |
Step 4 |
In the Timeout Policy Configuration section, enter the number of minutes of inactivity allowed before the session times out. |
Step 5 |
Enter the server life time in seconds: the maximum time a connection may stay open, regardless of activity, before the server closes it. Valid values range from 1 to 86400 seconds. |
Step 6 |
Enter the maximum number of requests the server accepts on a single connection before closing it. Valid values range from 1 to 86400 requests. |
Step 7 |
Click Apply. |