If you do not want to generate a new certificate or key for the selected device, an existing certificate stored on a different device can be reused. Device certificates can be exported to a secure remote location for archival and later imported as required for use on other devices.
To configure trustpoints for use with certificates:
The Certificate Management screen displays, with the Manage Certificates tab selected by default. This screen displays all existing trustpoints.
Refer to the Certificate Details field to review the certificate's properties, self-signed credentials, validity period and CA information.
The Import Trustpoint window displays.
Import | Select the type of trustpoint to import. The following trustpoints can be imported: |
Trustpoint Name |
Enter the 32 character maximum name assigned to the target trustpoint. The trustpoint signing the certificate can be a certificate authority, corporation or individual. |
A CA is a network authority that issues and manages security credentials and public keys for message encryption. The CA signs every digital certificate it issues with its own private key. The CA's corresponding public key is distributed in a certificate of its own, called the CA certificate, which relying parties use to verify those signatures.
If a certificate displayed within the Certificate Management screen has an associated CRL, that CRL can be imported. A CRL (certificate revocation list) is a CA-signed list of certificates that have been declared invalid before their expiry date. A certificate is revoked if the CA issued it improperly or if its private key is compromised; the most common reason for revocation is that the holder is no longer in sole possession of the private key.
Self-signed certificates (including root certificates) avoid the use of public or private CAs. A self-signed certificate is an identity certificate signed by its own creator, so the creator alone vouches for its legitimacy. Because no third party checks the issuance, the correctness of the certificate and its secure distribution to every device that must trust it are entirely the creator's responsibility.
URL |
Provide the complete URL to the location of the trustpoint. This single field is shown by default (Basic view). Click the Advanced link next to this field to replace it with separate fields for the protocol, host, port, credentials and path; click the Basic link to return to the single URL field. |
Protocol |
If using Advanced settings, select the protocol used for importing the target trustpoint. Available options include: |
Port |
If using Advanced settings, use the spinner control to set the port. This option is not valid for cf, usb1, usb2, usb3 and usb4. |
Host |
If using Advanced settings, provide the hostname of the server used to import the trustpoint. Select IPv4 Address or IPv6 Address to provide the IP address of a host device appropriately. This option is not valid for cf, usb1, usb2, usb3 and usb4. |
Username/Password |
These fields are enabled only when the ftp or sftp protocol is selected. Specify the username, and the password for that username, used to access the remote server. Note that ftp sends both the credentials and the file in clear text; prefer sftp wherever the server supports it. |
Path/File |
If using Advanced settings, specify the path to the trustpoint. Enter the complete path to the file on the server. |
Select Cancel to revert the screen to its last saved configuration.
Once a certificate has been generated on the authentication server, export the self-signed certificate.
A CA-issued certificate and a self-signed certificate differ in who signed them, not in what they carry: neither contains a private key. The trustpoint on the device holds the certificate together with its private key, while the exported certificate carries only the public key and can therefore be published. Export the self-signed certificate to a web server or file server for certificate deployment, or import it into an Active Directory Group Policy for automatic root-certificate deployment.
Additionally, export the key to a redundant RADIUS server so it can be imported there rather than generating a second key. If there is more than one RADIUS authentication server, export the certificate and key to each of them and do not generate a second key unless you intend to deploy two root certificates. Because this export includes the private key, transfer it over sftp rather than ftp, and remove any copy left on removable media once the import has completed.
The Export Trustpoint screen displays.
Trustpoint Name |
Enter the 32 character maximum name assigned to the target trustpoint. The trustpoint signing the certificate can be a certificate authority, corporation or individual. |
URL |
Provide the complete URL to the location of the trustpoint. This single field is shown by default (Basic view). If needed, click the Advanced link to expand the dialog into separate fields for the network location of the target trustpoint; the number of additional fields shown depends on the selected protocol. Click the Basic link to return to the single URL field. |
Protocol |
Select the protocol used for exporting the target trustpoint. Available options include: |
Port |
If using Advanced settings, use the spinner control to set the port. This option is not valid for cf, usb1, usb2, usb3 and usb4. |
Host |
If using Advanced settings, provide the hostname of the server used to export the trustpoint. Select IPv4 Address or IPv6 Address to provide the IP address of a host device appropriately. This option is not valid for cf, usb1, usb2, usb3 and usb4. |
Username/Password |
These fields are enabled only when the ftp or sftp protocol is selected. Specify the username, and the password for that username, used to access the remote server. |
Path/File |
If using Advanced settings, specify the path to the trustpoint. Enter the complete path to the file on the server. |
Select Cancel to revert the screen to its last saved configuration.
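As an added example (not part of the original manual and not the product's own code), the following Python composes the trustpoint location from the Basic/Advanced fields of both the Import Trustpoint and Export Trustpoint screens above, enforcing the rules the two tables state: host and port are rejected for cf and usb1 through usb4, credentials are accepted only for ftp and sftp (and required there), and trustpoint names are capped at 32 characters. The network protocol list (tftp, ftp, sftp, http), the `protocol:/path` form used for local media, and the no-whitespace rule on names are assumptions, since the page elides the protocol list and the exact URL syntax. The `redact_credentials` helper is included because an sftp/ftp URL built this way embeds the password and must not be logged as-is.

```python
"""Build and check trustpoint import/export locations from the Certificate Management fields."""
import re
from urllib.parse import quote

# Rules taken from the Import/Export Trustpoint tables.
LOCAL_TARGETS = {"cf", "usb1", "usb2", "usb3", "usb4"}   # host/port not valid
CREDENTIAL_PROTOCOLS = {"ftp", "sftp"}                    # username/password enabled
NETWORK_PROTOCOLS = {"tftp", "ftp", "sftp", "http"}       # ASSUMED: the page elides the list
MAX_NAME_LEN = 32


def validate_trustpoint_name(name):
    """Enforce the 32-character limit; the no-whitespace rule is an assumption."""
    if not name or len(name) > MAX_NAME_LEN:
        raise ValueError("trustpoint name must be 1..%d characters: %r" % (MAX_NAME_LEN, name))
    if any(ch.isspace() for ch in name):
        raise ValueError("trustpoint name must not contain whitespace")
    return name


def build_trustpoint_url(protocol, path, host=None, port=None, username=None, password=None):
    """Return the location string the Basic URL field would hold for these Advanced fields."""
    protocol = protocol.lower()
    if not path.startswith("/"):
        raise ValueError("path must be the complete path from the server or media root")

    if protocol in LOCAL_TARGETS:
        # Table: "This option is not valid for cf, usb1, usb2, usb3 and usb4."
        if host is not None or port is not None:
            raise ValueError("host/port are not valid for local target %s" % protocol)
        if username is not None or password is not None:
            raise ValueError("credentials are not valid for local target %s" % protocol)
        return "%s:%s" % (protocol, quote(path))          # assumed local-media form

    if protocol not in NETWORK_PROTOCOLS:
        raise ValueError("unsupported protocol %r" % protocol)
    if not host:
        raise ValueError("host (hostname, IPv4 or IPv6 address) is required for %s" % protocol)
    if port is not None and not 1 <= port <= 65535:
        raise ValueError("port out of range: %r" % port)

    if protocol in CREDENTIAL_PROTOCOLS:
        # Table: username/password fields are enabled for ftp and sftp.
        if not username or password is None:
            raise ValueError("%s requires a username and password" % protocol)
        userinfo = "%s:%s@" % (quote(username, safe=""), quote(password, safe=""))
    else:
        if username is not None or password is not None:
            raise ValueError("credentials are only accepted for ftp and sftp")
        userinfo = ""

    # An IPv6 literal must be bracketed so the port separator stays unambiguous.
    hostpart = "[%s]" % host if ":" in host else host
    portpart = ":%d" % port if port is not None else ""
    return "%s://%s%s%s%s" % (protocol, userinfo, hostpart, portpart, quote(path))


def rejection_reason(**fields):
    """Return the validation error for a field set, or None if the location builds."""
    try:
        build_trustpoint_url(**fields)
    except ValueError as exc:
        return str(exc)
    return None


def redact_credentials(url):
    """Mask the password in user:pass@host URLs before the location is logged or displayed."""
    return re.sub(r"^([a-z0-9]+://[^:/@]+:)[^@]*@", r"\1***@", url)


if __name__ == "__main__":
    validate_trustpoint_name("wlan-ca")
    for fields in (
        dict(protocol="tftp", path="/certs/wlan-ca.pem", host="10.0.0.5"),
        dict(protocol="sftp", path="/certs/wlan-ca.pem", host="2001:db8::5",
             port=2222, username="backup", password="s3cret"),
        dict(protocol="usb1", path="/certs/wlan-ca.pem"),
        dict(protocol="usb1", path="/certs/wlan-ca.pem", host="10.0.0.5"),
    ):
        reason = rejection_reason(**fields)
        if reason:
            print("rejected:", reason)
        else:
            print("location:", redact_credentials(build_trustpoint_url(**fields)))
```

The constructed sample field sets in the `__main__` block cover one network target per credential rule, one local target, and one local target with an invalid host; the redaction keeps the username visible so an operator can still tell which account a logged location used.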
To optionally delete a trustpoint, select the Delete button from within the Certificate Management screen. Provide the trustpoint name within the Delete Trustpoint screen and optionally select the Delete RSA Key option to remove the RSA key along with the trustpoint. Select OK to proceed with the deletion, or Cancel to revert to the Certificate Management screen.