Assign Certificates

About this task

A certificate links identity information with a public key enclosed in the certificate. Certificates are issued by a certificate authority (CA).

A CA is a network authority that issues and manages security credentials and public keys for message encryption. The CA signs all digital certificates it issues with its own private key. The corresponding public key is contained within the certificate and is called a CA certificate. A browser must contain the CA certificate in its Trusted Root Library so it can trust certificates signed by the CA's private key.

Depending on the public key infrastructure, the digital certificate includes the owner's public key, the certificate expiration date, the owner's name and other public key owner information.

Each certificate is digitally signed by a trustpoint. The trustpoint signing the certificate can be a certificate authority, corporation or individual. A trustpoint represents a CA/identity pair containing the identity of the CA, CA-specific configuration parameters, and an association with an enrolled identity certificate.

SSH keys are a pair of cryptographic keys used to authenticate users instead of, or in addition to, a username and password. One key is private and the other is public. Secure Shell (SSH) public key authentication can be used by a requesting client to access resources, if properly configured. An RSA key pair must be generated on the client. The public portion of the key pair resides locally on the controller or access point, while the private portion remains in a secure area of the client.

To configure certificate usage:

Procedure

  1. Go to Configuration → Devices. The Device Configuration screen displays. It lists devices or peers (other access points, controllers or service platforms) within the managed network.
  2. Select a target device by double-clicking on the device name. The selected device's configuration menu displays.
  3. Select Certificates.
    Configuration - Device Certificates Screen
  4. Set the following Management Security certificate configuration:
    SSH RSA Key: Either use the default_rsa_key or select Stored to enable a drop-down menu where an existing key can be used. To use an existing key, select Launch Manager. For more information, see Manage RSA Key.
    Note: Pending trustpoints and RSA keys are typically not verified as existing on a device.
  5. Set the following RADIUS Security certificate configurations:
    RADIUS Certificate Authority: Either use the default-trustpoint or select Stored to enable a drop-down menu where an existing certificate can be used. To use an existing certificate, select Launch Manager.
    RADIUS Server Certificate: Either use the default-trustpoint or select Stored to enable a drop-down menu where an existing certificate/trustpoint can be used. To use an existing trustpoint, select Launch Manager.
    RADIUS Certificate Authority LDAPS: Either use the LDAP server default-trustpoint or select Stored to enable a drop-down menu where an existing certificate can be used. To use an existing certificate, select Launch Manager.
    RADIUS Server LDAPS Trustpoint: Either use the LDAP server default-trustpoint or select Stored to enable a drop-down menu where an existing certificate/trustpoint can be used. To use an existing trustpoint, select Launch Manager.
  6. Refer to the CMP Certificate field to optionally use Certificate Management Protocol (CMP) as an Internet protocol to obtain and manage digital certificates in a Public Key Infrastructure (PKI) network. A CA issues the certificates using the defined CMP. Using CMP, a device can communicate with a CMP-supported CA server, initiate a certificate request and download the required certificates from the CA server. CMP supports multiple request options for a device communicating with a CMP-supported CA server. The device can initiate a request to obtain certificates from the server, and it can also automatically renew certificates that are about to expire.
    Either use the server default-trustpoint or select Stored to enable a drop-down menu where an existing certificate/trustpoint can be used. To use an existing trustpoint, select Launch Manager.
  7. Click OK to save the changes.
    Click Reset to revert the screen to its last saved configuration.
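Before assigning a RADIUS Server Certificate together with a RADIUS Certificate Authority trustpoint in step 5, confirm that the server certificate actually chains to that CA, since the device will only trust certificates signed by the trustpoint's private key. The following shell script is an added example, not part of this documentation or the product: it uses OpenSSL to build a throw-away CA, issue a server certificate from it, and check that certificate against the issuing CA and against an unrelated CA (all names and file prefixes are constructed).

```shell
#!/bin/sh
# Added example (not the product's own tooling): a local check that a server
# certificate chains to the CA that will be loaded as the RADIUS trustpoint.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA. Its private key signs every certificate it issues;
# its public key travels inside the CA certificate (the trustpoint).
make_ca() {
    # $1 = file prefix, $2 = CA common name (constructed values)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Generate the server key pair, build a CSR, and have the CA sign it.
issue_server_cert() {
    # $1 = CA prefix, $2 = server common name, $3 = output prefix
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$2" -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$WORK/$3.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$3.pem" 2>/dev/null
}

# Returns 0 when certificate $2 verifies against CA $1, non-zero otherwise.
verify_against_ca() {
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

make_ca radius-ca "Example RADIUS CA"
make_ca other-ca  "Unrelated CA"
issue_server_cert radius-ca "radius.example.internal" radius-server

# The server certificate must verify against its issuing CA only.
verify_against_ca radius-ca radius-server && echo "radius-ca: OK"
verify_against_ca other-ca  radius-server || echo "other-ca: rejected (expected)"
```

Run the same `openssl verify -CAfile` check with your real CA certificate and server certificate before uploading them through Launch Manager; a failure here means the trustpoint pairing will not validate on the device either.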

What to do next

For more information on the certification activities supported, refer to the following: