Certificate Management

A stored certificate can be used from a different managed device if you prefer not to use an existing certificate or key. Device certificates can be imported and exported to and from the controller or service platform to a secure remote location for archive and retrieval as required for other managed devices.

To configure trustpoints for use with certificates:

  1. Select Launch Manager from either the HTTPS Trustpoint, SSH RSA Key, RADIUS Certificate Authority, or RADIUS Server Certificate parameters.
    The Certificate Management screen opens with the Manage Certificates tab selected by default.
  2. Select a device from among those displayed to review its certificate information.
  3. Refer to All Certificate Details to review the certificate's properties, self-signed credentials, validity duration, and CA information.
  4. To optionally import a certificate, click the Import button at the bottom of the Manage Certificates screen.
    The Import New Trustpoint screen displays.
  5. Define the following configuration parameters required for the Import of the trustpoint.
    Trustpoint Name Enter the 32-character maximum name assigned to the target trustpoint. The trustpoint signing the certificate can be a certificate authority, a corporation, or an individual.
    URL Provide the complete URL to the location of the trustpoint. If needed, click Advanced to expand the dialog to display network address information to the location of the target trustpoint. The number of additional fields that populate the screen is also dependent on the selected protocol.
    Protocol Select the protocol used for importing the target trustpoint. Available options include:
    • tftp
    • ftp
    • sftp
    • http
    • cf
    • usb1-4
    Port Set the port. This option is not valid for cf and usb1-4.
    Host Provide the hostname string or numeric IP address of the server used to import the trustpoint. Hostnames cannot include an underscore character. This option is not valid for cf and usb1-4.

    Select IPv4 Address to use an IPv4 formatted address as the host. Select IPv6 Address to use an IPv6 formatted address as the host. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.

    Path/File Specify the path to the trustpoint file. Enter the complete relative path to the file on the server.
  6. Click OK to import the defined trustpoint.
    Click Cancel to revert to the last saved configuration.
  7. To optionally import a CA certificate, select Import CA from the Certificate Management screen.
    A CA is a network authority that issues and manages security credentials and public keys for message encryption. The CA signs all digital certificates it issues with its own private key. The corresponding public key is contained within the certificate and is called a CA certificate.
  8. Define the following configuration parameters required for the Import of the CA certificate:
    Trustpoint Name Enter the 32-character maximum name assigned to the target trustpoint signing the certificate. A trustpoint represents a CA/identity pair containing the identity of the CA, CA-specific configuration parameters, and an association with an enrolled identity certificate.
    URL Provide the complete URL to the location of the trustpoint. If needed, click Advanced to expand the dialog to display network address information to the location of the target trustpoint. The number of additional fields populating the screen depends on the selected protocol.
    Advanced/Basic Click Advanced or Basic to switch between entering a basic URL and specifying the trustpoint location as separate network address fields.
    Protocol Select the protocol used for importing the target CA certificate. Available options include:
    • tftp
    • ftp
    • sftp
    • http
    • cf
    • usb1-4
    Port Set the port. This option is not valid for cf and usb1-4.
    Host Provide the hostname string or numeric IP address of the server used to import the CA. Hostnames cannot include an underscore character. This option is not valid for cf and usb1-4.

    Select IPv4 Address to use an IPv4 formatted address as the host. Select IPv6 Address to use an IPv6 formatted address as the host. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.

    Path/File Specify the path to the CA file. Enter the complete relative path to the file on the server.
    Cut and Paste Select Cut and Paste to copy an existing CA into the field. When pasting, no additional network address information is required.
  9. Click OK to import the defined CA certificate.
    Click Cancel to revert to the last saved configuration.
  10. To optionally import a CRL to a controller or service platform, select Import CRL in the Certificate Management screen.
    If a certificate displays in the Certificate Management screen with a CRL, that CRL can be imported. A certificate revocation list (CRL) is a list of certificates that have been revoked or are no longer valid. A certificate can be revoked if the CA improperly issued it, or if its private key is compromised. The most common reason for revocation is the user no longer being in sole possession of the private key.

    For information on creating a CRL to use with a trustpoint, refer to Setting the Certificate Revocation List (CRL) Configuration.

  11. Define the following configuration parameters required for the Import of the CRL:
    Trustpoint Name Enter the 32-character maximum name assigned to the target trustpoint signing the certificate. A trustpoint represents a CA/identity pair containing the identity of the CA, CA-specific configuration parameters, and an association with an enrolled identity certificate.
    From Network Select From Network to provide network address information to the location of the target CRL. The number of additional fields that populate the screen is also dependent on the selected protocol. This is the default setting.
    URL Provide the complete URL to the location of the CRL. If needed, click Advanced to expand the dialog to display network address information to the location of the CRL. The number of additional fields populating the screen depends on the selected protocol.
    Advanced/Basic Click Advanced or Basic to switch between entering a basic URL and specifying the CRL location as separate network address fields.
    Protocol Select the protocol used for importing the CRL. Available options include:
    • tftp
    • ftp
    • sftp
    • http
    • cf
    • usb1-4
    Port Set the port. This option is not valid for cf and usb1-4.
    Host Provide the hostname string or numeric IP address of the server used to import the CRL. Hostnames cannot include an underscore character. This option is not valid for cf and usb1-4.

    Select IPv4 Address to use an IPv4 formatted address as the host. Select IPv6 Address to use an IPv6 formatted address as the host. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.

    Path/File Specify the path to the CRL file. Enter the complete relative path to the file on the server.
    Cut and Paste Select Cut and Paste to copy an existing CRL into the field. When pasting, no additional network address information is required.
  12. Click OK to import the CRL.
    Click Cancel to revert to the last saved configuration.
  13. To import a signed certificate, select Import Signed Cert in the Certificate Management screen.
    Self-signed certificates (or root certificates) avoid the use of public or private CAs. A self-signed certificate is an identity certificate signed by its own creator, so the creator alone vouches for its legitimacy. Because no third party checks the issuance, avoiding mistakes or corruption when issuing a self-signed certificate is essential.

    Self-signed certificates cannot be revoked. If the private key is compromised, an attacker who has already gained the ability to monitor and inject data into a connection can therefore use it to spoof an identity. A CA, by contrast, can revoke a compromised certificate, preventing its further use.

  14. Define the following configuration parameters required for the Import of the signed certificate:
    Certificate Name Enter the 32-character maximum trustpoint name with which the certificate should be associated.
    From Network Select From Network to provide network address information to the location of the signed certificate. The number of additional fields that populate the screen is also dependent on the selected protocol. From Network is the default setting.
    URL Provide the complete URL to the location of the signed certificate. If needed, click Advanced to expand the dialog to display network address information to the location of the signed certificate. The number of additional fields populating the screen depends on the selected protocol.
    Protocol Select the protocol used for importing the signed certificate. Available options include:
    • tftp
    • ftp
    • sftp
    • http
    • cf
    • usb1-4
    Port Set the port. This option is not valid for cf and usb1-4.
    Host Provide the hostname string or numeric IP address of the server used to import the signed certificate. Hostnames cannot include an underscore character. This option is not valid for cf and usb1-4.

    Select IPv4 Address to use an IPv4 formatted address as the host. Select IPv6 Address to use an IPv6 formatted address as the host. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.

    Path/File Specify the path to the signed certificate file. Enter the complete relative path to the file on the server.
    Cut and Paste Select Cut and Paste to copy an existing certificate into the field. When pasting, no additional network address information is required.
  15. Click OK to import the signed certificate.
    Click Cancel to revert to the last saved configuration.
  16. To optionally export a trustpoint to a remote location, select Export from the Certificate Management screen.
    Once a certificate has been generated on the controller or service platform's authentication server, export the self-signed certificate. A digital CA certificate is different from a self-signed certificate. The CA certificate contains the public and private key pairs. The self certificate only contains a public key. Export the self certificate for publication on a web server or file server for certificate deployment, or export it into an Active Directory group policy for automatic root certificate deployment.
  17. Additionally, export the key to a redundant RADIUS server so it can be imported without generating a second key.
    If there is more than one RADIUS authentication server, export the certificate and do not generate a second key unless you want to deploy two root certificates.
  18. Define the following configuration parameters required for the Export of the trustpoint:
    Trustpoint Name Enter the 32-character maximum name assigned to the trustpoint. The trustpoint signing the certificate can be a certificate authority, a corporation, or an individual.
    URL Provide the complete URL to the location of the trustpoint. If needed, click Advanced to expand the dialog to display network address information to the location of the trustpoint. The number of additional fields populating the screen depends on the selected protocol.
    Protocol Select the protocol used for exporting the target trustpoint. Available options include:
    • tftp
    • ftp
    • sftp
    • http
    • cf
    • usb1-4
    Port Set the port. This option is not valid for cf and usb1-4.
    Host Provide the hostname string or numeric IP address of the server used to export the trustpoint. Hostnames cannot include an underscore character. This option is not valid for cf and usb1-4.

    Select IPv4 Address to use an IPv4 formatted address as the host. Select IPv6 Address to use an IPv6 formatted address as the host. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.

    Path/File Specify the path to the signed trustpoint file. Enter the complete relative path to the file on the server.
    Cut and Paste Select Cut and Paste to copy an existing trustpoint into the field. When pasting, no additional network address information is required.
  19. Click OK to export the defined trustpoint.
    Click Cancel to revert to the last saved configuration.
  20. To optionally delete a trustpoint, click Delete in the Certificate Management screen.
    Provide the trustpoint name in the Delete Trustpoint screen and optionally select Delete RSA Key to remove the RSA key along with the trustpoint. Click OK to proceed with the deletion, or Cancel to revert to the Certificate Management screen.
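As an added example (not part of the product documentation), the following Python checks a trustpoint import or export request against the field rules stated in the steps above: a 1-32 character trustpoint name, a protocol from the listed set, no host or port for cf and usb1-4, hostnames without underscores, and an IPv4 or IPv6 host literal. The expansion of usb1-4 to usb1..usb4, the TrustpointTransfer model and the cleartext-export check are assumptions added here; the standard library also accepts compressed IPv6 forms, not only eight full groups.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Protocols offered by the Import/Export dialogs, as listed on this page.
NETWORK_PROTOCOLS = {"tftp", "ftp", "sftp", "http"}
LOCAL_PROTOCOLS = {"cf", "usb1", "usb2", "usb3", "usb4"}   # page writes "usb1-4"; expansion assumed
CLEARTEXT_PROTOCOLS = {"tftp", "ftp", "http"}              # no transport encryption
# DNS-style hostname labels: letters, digits, hyphens; no underscores (per the page).
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


@dataclass
class TrustpointTransfer:
    """Fields of the Import/Export dialogs (constructed model, not a product API)."""
    trustpoint_name: str
    protocol: str
    path: str
    host: Optional[str] = None
    port: Optional[int] = None


def valid_host(host: str) -> bool:
    """Accept an IPv4/IPv6 literal or an underscore-free DNS hostname."""
    try:
        ipaddress.ip_address(host)   # handles both dotted-quad and colon-hex forms
        return True
    except ValueError:
        return "_" not in host and HOSTNAME_RE.match(host) is not None


def validate_transfer(req: TrustpointTransfer, export: bool = False) -> List[str]:
    """Return the list of rule violations; an empty list means the request passes."""
    errors = []
    if not 1 <= len(req.trustpoint_name) <= 32:
        errors.append("trustpoint name must be 1-32 characters")
    if req.protocol not in NETWORK_PROTOCOLS | LOCAL_PROTOCOLS:
        errors.append(f"unsupported protocol {req.protocol!r}")
    elif req.protocol in LOCAL_PROTOCOLS:
        if req.host is not None or req.port is not None:
            errors.append("host/port are not valid for cf and usb1-4")
    else:
        if req.host is None:
            errors.append("host is required for network protocols")
        elif not valid_host(req.host):
            errors.append(f"invalid host {req.host!r}: hostnames cannot include '_'")
        if req.port is not None and not 1 <= req.port <= 65535:
            errors.append("port must be 1-65535")
        if export and req.protocol in CLEARTEXT_PROTOCOLS:   # hardening check added here, not a dialog rule
            errors.append(f"{req.protocol} sends the exported trustpoint in cleartext; use sftp")
    return errors
```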