trustpoint (device-config-mode)

Device Config Commands

Assigns trustpoints to validate various services, such as HTTPS, RADIUS CA, RADIUS server, external LDAP server, etc.

For more information on digital certificates and certificate authorities, see trustpoint (profile-config-mode).

Note

The certificate/trustpoint named in this command must already exist on the device; the system can only validate a service against a trustpoint it holds.

Supported in the following platforms:

  • Access Points — AP505i, AP510i/e, AP560i/h
  • Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000

Syntax

trustpoint [cloud-client|cmp-auth-operator|https|radius-ca|radius-ca-ldaps|radius-server|radius-server-ldaps] <TRUSTPOINT-NAME>

Parameters

trustpoint [cloud-client|cmp-auth-operator|https|radius-ca|radius-ca-ldaps|radius-server|radius-server-ldaps] <TRUSTPOINT-NAME>

trustpoint
  Assigns trustpoints to validate various services. The assigned trustpoint is used as the CA for validating the selected service.

cloud-client
  Assigns an existing trustpoint to validate the cloud client. The trustpoint must already exist and be installed on the device.

  Use this option on cloud-enabled, cloud-adopted access points to secure the communication between the AP and the cloud client. The cloud-enabled access points are AP7502, AP7522, AP7532, and AP7562. This configuration is not required for APs adopted by a local controller.

cmp-auth-operator
  Assigns an existing trustpoint to validate the CMP auth operator. Once validated, CMP (Certificate Management Protocol) is used to obtain and manage digital certificates in a PKI network. Digital certificates link identity information with the public key enclosed in the certificate, and are issued by the CA.

  Use this option to specify the CMP-assigned trustpoint. When specified, the device sends a certificate request to the CMP-supported CA server and downloads the certificate directly from that server. CMP supports multiple request options for a device communicating with a CMP-supported CA server: the device can initiate a request to obtain certificates from the server, and it can automatically renew certificates that are about to expire.

  Note: When configured, this device-level cmp-auth-operator trustpoint setting overrides the profile-level configuration.

https
  Assigns an existing trustpoint to validate HTTPS.

radius-ca
  Assigns an existing trustpoint to validate client certificates presented during EAP authentication.

radius-ca-ldaps
  Assigns an existing trustpoint to validate the external LDAP server (LDAPS) certificate.

radius-server
  Assigns an existing trustpoint to validate the RADIUS server certificate.

radius-server-ldaps
  Assigns an existing trustpoint as the RADIUS server certificate used on the LDAPS connection to the external LDAP server.

<TRUSTPOINT-NAME>
  The following keyword is common to all of the above parameters:
  • <TRUSTPOINT-NAME> – After selecting the service to validate, specify the trustpoint name. The trustpoint must already exist and be stored on the device.
    Note: By default, the system assigns default-trustpoint to validate https, radius-server, and radius-server-ldaps. No default is assigned for radius-ca, radius-ca-ldaps, or cmp-auth-operator; those services stay unassigned (shown as "no trustpoint ..." in the show context output) until a trustpoint is configured explicitly.

Example

A device's default HTTPS, RADIUS, and CMP certificate/trustpoint configuration is as follows:

nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#show context include-factory | include trustpoint
 trustpoint https default-trustpoint
 no trustpoint radius-ca
 trustpoint radius-server default-trustpoint
 no trustpoint radius-ca-ldaps
 trustpoint radius-server-ldaps default-trustpoint
 no trustpoint cmp-auth-operator
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#

Assign an existing trustpoint named test to HTTPS and confirm the change:

nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#trustpoint https test

nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#show context include-factory | include trustpoint
 trustpoint https test
 no trustpoint radius-ca
 trustpoint radius-server default-trustpoint
 no trustpoint radius-ca-ldaps
 trustpoint radius-server-ldaps default-trustpoint
 no trustpoint cmp-auth-operator
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#
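A practitioner checking a fleet of devices usually wants to know which services are still on the factory default-trustpoint and which security-relevant services (for example radius-ca, when EAP with client certificates is in use) have no trustpoint assigned at all. The following script is an added example, not part of the original page or the vendor's software: it parses output captured from `show context include-factory | include trustpoint` and reports per service. The sample output is constructed to match the example above; the set of services audited as "required" is an assumption passed in by the caller.

```python
"""Audit per-service trustpoint assignment from WiNG 'show context' output.

Added example (not from the original page). Constructed sample input below
mirrors the device's default configuration shown in the page's example.
"""
import re

# Services accepted by the device-level 'trustpoint' command on this page.
SERVICES = (
    "cloud-client",
    "cmp-auth-operator",
    "https",
    "radius-ca",
    "radius-ca-ldaps",
    "radius-server",
    "radius-server-ldaps",
)
DEFAULT_TP = "default-trustpoint"

# Constructed sample: what 'show context include-factory | include trustpoint'
# returns on a device that has never had a trustpoint assigned explicitly.
SAMPLE = """\
 trustpoint https default-trustpoint
 no trustpoint radius-ca
 trustpoint radius-server default-trustpoint
 no trustpoint radius-ca-ldaps
 trustpoint radius-server-ldaps default-trustpoint
 no trustpoint cmp-auth-operator
"""

# Matches ' trustpoint <service> <name>' and ' no trustpoint <service>'.
LINE_RE = re.compile(r"^\s*(no\s+)?trustpoint\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_trustpoints(output):
    """Return {service: trustpoint name, or None when negated} for each
    trustpoint line found; prompt lines and unrelated config are skipped."""
    assigned = {}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        negated, service, name = m.groups()
        if service not in SERVICES:
            continue
        assigned[service] = None if negated else name
    return assigned


def audit(output, required=("radius-ca",)):
    """Return a list of findings: services still on the factory default
    trustpoint, plus any service in 'required' with no trustpoint at all.
    A service absent from the output is treated as unassigned. The default
    'required' set (radius-ca) is an assumption: it matters when EAP client
    certificates are validated, and the operator should adjust it."""
    assigned = parse_trustpoints(output)
    findings = []
    for service in SERVICES:
        name = assigned.get(service)
        if name == DEFAULT_TP:
            findings.append(
                f"{service}: still on {DEFAULT_TP}; assign an operator-issued "
                f"trustpoint with 'trustpoint {service} <TRUSTPOINT-NAME>'"
            )
        elif name is None and service in required:
            findings.append(
                f"{service}: no trustpoint assigned; the service cannot "
                f"validate certificates until one is configured"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run against the sample, the audit reports https, radius-server and radius-server-ldaps as still on default-trustpoint and radius-ca as unassigned; after the page's `trustpoint https test` command, the https finding disappears while the others remain.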