Manage Certificates

About this task

If you do not want to use an existing certificate or key with a selected device, an existing stored certificate can be leveraged from a different device. Device certificates can be imported and exported to a secure remote location for archive and retrieval as required for application to other devices.

To configure trustpoints for use with certificates:

Procedure

  1. Select Launch Manager from the SSH RSA Key section.

    The Certificate Management screen displays, with the Manage Certificates tab selected by default. This screen displays all existing trustpoints.

    Click to expand in new window
    Certificate Management - Manage Certificates Screen
    GUID-6D9EF28B-6D83-47D7-A437-9974C4578C4F-low.png
  2. Select a device from amongst those displayed to review its certificate information.

    Refer to Certificate Details field to review the certificate‘s properties, self-signed credentials, validity period and CA information.

  3. To optionally import a certificate, select the Import button from the Certificate Management screen.

    The import trustpoint window displays.

    Click to expand in new window
    Import New Trustpoint Window
    GUID-058B880B-8801-47D6-8F21-1ECEE87ACC7A-low.png
  4. Define the following configuration parameters required to import the trustpoint:

    Import

    Select the type of Trustpoint to import. The following Trustpoints can be imported:
    • Import – Select to import any trustpoint.

    • Import CA – Select to import a Certificate Authority (CA) certificate on to the access point.

    • Import CRL – Select to import a CRL (Certificate Revocation List), CRLs are used to identify and remove those installed certificates that have been revoked or are no longer valid.

    • Import Signed Cert – Select to import a self signed certificate.

    Trustpoint Name

    Enter the 32 character maximum name assigned to the target trustpoint. The trustpoint signing the certificate can be a certificate authority, corporation or individual.

    A CA is a network authority that issues and manages security credentials and public keys for message encryption. The CA signs all digital certificates it issues with its own private key. The corresponding public key is contained within the certificate and is called a CA certificate.

    If a certificate displays within the Certificate Management screen with a CRL, that CRL can be imported. A CRL (certificate revocation list) is a list of revoked certificates, or certificates no longer valid. A certificate can be revoked if the CA improperly issued a certificate, or if a private key is compromised. The most common reason for revocation is the user no longer being in sole possession of the private key.

    Signed certificates (or root certificates) avoid the use of public or private CAs. A self-signed certificate is an identity certificate signed by its own creator, thus the certificate creator also signs off on its legitimacy. The lack of mistakes or corruption in the issuance of self signed certificates is central.

  5. Define the following configuration to import the Trustpoint from a location on the network. To do so, select From Network and provide the following information.

    URL

    Provide the complete URL to the location of the trustpoint. This option is available by default. Click the Advanced link next to this field to display more fields to provide detailed trustpoint location information. This option is only available when the Basic link is clicked.

    Protocol

    If using Advanced settings, select the protocol used for importing the target trustpoint. Available options include:
    • tftp

    • ftp

    • sftp

    • http

    • cf

    • usb1

    • usb2

    • usb3

    • usb4

    Port

    If using Advanced settings, use the spinner control to set the port. This option is not valid for cf, usb1, usb2, usb3 and usb4.

    Host

    If using Advanced settings, provide the hostname of the server used to import the trustpoint. Select IPv4 Address or IPv6 Address to provide the IP address of a host device appropriately. This option is not valid for cf, usb1, usb2, usb3 and usb4.

    Username/Password

    These fields are enabled if using ftp or sftp protocols. Specify the username and the password for that username to access the remote servers using these protocols.

    Path/File

    If using Advanced settings, specify the path to the trustpoint. Enter the complete path to the file on the server.

  6. Select the Cut and Paste option to paste the trustpoint information in text. When this option is selected, the text box next to it is enabled. Paste the trustpoint details into the text box. This option is only available when Import CA, Import CRL or Import Signed Cert is selected.
  7. Select OK to import the defined trustpoint.

    Select Cancel to revert the screen to its last saved configuration.

  8. To optionally export a trustpoint to a remote location, select the Export button.

    Once a certificate has been generated on the authentication server, export the self-signed certificate.

    A digital CA certificate is different from a self-signed certificate. The CA certificate contains the public and private key pairs. The self certificate only contains a public key. Export the self certificate for publication on a Web server or file server for certificate deployment or export it in to an Active Directory Group Policy for automatic root-certificate deployment.

    Additionally export the key to a redundant RADIUS server so it can be imported without generating a second key. If there are more than one RADIUS authentication servers, export the certificate and do not generate a second key unless you want to deploy two root certificates.

    The Export Trustpoint screen displays.

    Click to expand in new window
    Export Trustpoint Window
    GUID-2DB50D74-6320-4501-B1D7-B16E56D15D66-low.png
  9. Define the following configuration parameters to export a trustpoint:

    Trustpoint Name

    Enter the 32 character maximum name assigned to the target trustpoint. The trustpoint signing the certificate can be a certificate authority, corporation or individual.

    URL

    Provide the complete URL to the location of the trustpoint. If needed, select Advanced to expand the dialog to display network address information to the location of the target trustpoint. The number of additional fields that populate the screen is dependent on the selected protocol. This option is only available when the Basic link is clicked.

    Protocol

    Select the protocol used for exporting the target trustpoint. Available options include:
    • tftp

    • ftp

    • sftp

    • http

    • cf

    • usb1

    • usb2

    • usb3

    • usb4

    Port

    If using Advanced settings, use the spinner control to set the port. This option is not valid for cf, usb1, usb2, usb3 and usb4.

    Host

    If using Advanced settings, provide the hostname of the server used to export the trustpoint. Select IPv4 Address or IPv6 Address to provide the IP address of a host device appropriately. This option is not valid for cf, usb1, usb2, usb3 and usb4.

    Username/Password

    These fields are enabled if using ftp or sftp protocols,. Specify the username and the password for that username to access the remote servers using these protocols.

    Path/File

    If using Advanced settings, specify the path to the trustpoint. Enter the complete relative path to the file on the server.

  10. Select OK to export the defined trustpoint.

    Select Cancel to revert the screen to its last saved configuration.

    To optionally delete a trustpoint, select the Delete button from within the Certificate Management screen. Provide the trustpoint name within the Delete Trustpoint screen and optionally select the Delete RSA Key option to remove the RSA key along with the trustpoint. Select OK to proceed with the deletion, or Cancel to revert to the Certificate Management screen.