Import Certificates and Trustpoints

A certificate links identity information with a public key enclosed in the certificate. Each certificate is digitally signed by a trustpoint. The trustpoint signing the certificate can be a certificate authority, corporation or individual. A trustpoint represents a CA/identity pair containing the identity of the CA, CA-specific configuration parameters and an association with an enrolled identity certificate.
Import New Trustpoint Screen
  1. To optionally import a CA certificate, select the Import CA button on the Import New Trustpoint screen.
    A CA is a network authority that issues and manages security credentials and public keys for message encryption. The CA signs all digital certificates it issues with its own private key. The corresponding public key is contained within the certificate and is called a CA certificate.
  2. Define the following configuration parameters required to import a CA certificate:
    Trustpoint Name: Enter the 32-character maximum name assigned to the target trustpoint. The trustpoint signing the certificate can be a certificate authority, a corporation, or an individual.
    URL: Provide the complete URL to the location of the trustpoint. If needed, click Advanced to expand the dialog and display network address information for the location of the target trustpoint. The number of additional fields that populate the screen depends on the selected protocol.
    Protocol: Select the protocol used for importing the target trustpoint. Available options include:
    • tftp
    • ftp
    • sftp
    • http
    • cf
    • usb1-4
    Port: Set the port. This option is not valid for cf and usb1-4.
    Host: Provide the hostname string or numeric IP address of the server used to import the trustpoint. Hostnames cannot include an underscore character. This option is not valid for cf and usb1-4.

    Select IPv4 Address to use an IPv4 formatted address as the host. Select IPv6 Address to use an IPv6 formatted address as the host. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.

    Path/File: Specify the path to the trustpoint file. Enter the complete relative path to the file on the server.
  3. Select OK to import the defined CA certificate. Click Cancel to revert the screen to its last saved configuration.
  4. To optionally import a CRL, select the Import CRL button on the Certificate Management screen.

    If a certificate displays in the Certificate Management screen with a CRL, that CRL can be imported. A certificate revocation list (CRL) is a list of certificates that have been revoked or are no longer valid. A certificate can be revoked if the CA had improperly issued a certificate, or if a private key is compromised. The most common reason for revocation is the user no longer being in sole possession of the private key.

    For information on creating a CRL to use with a trustpoint, refer to Setting the Certificate Revocation List (CRL) Configuration.

  5. Define the following configuration parameters required to import a CRL:
    Trustpoint Name: Enter the 32-character maximum name assigned to the target trustpoint signing the certificate. A trustpoint represents a CA/identity pair containing the identity of the CA, CA-specific configuration parameters, and an association with an enrolled identity certificate.
    From Network: Select From Network to provide network address information for the location of the target CRL. The number of additional fields that populate the screen depends on the selected protocol. This is the default setting.
    URL: Provide the complete URL to the location of the CRL. If needed, click Advanced to expand the dialog and display network address information for the location of the CRL. The number of additional fields populating the screen depends on the selected protocol.
    Advanced/Basic: Click Advanced or Basic to switch between a basic URL and an advanced location when specifying the CRL location.
    Protocol: Select the protocol used for importing the CRL. Available options include:
    • tftp
    • ftp
    • sftp
    • http
    • cf
    • usb1-4
    Port: Set the port. This option is not valid for cf and usb1-4.
    Host: Provide the hostname string or numeric IP address of the server used to import the CRL. Hostnames cannot include an underscore character. This option is not valid for cf and usb1-4.

    Select IPv4 Address to use an IPv4 formatted address as the host. Select IPv6 Address to use an IPv6 formatted address as the host. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.

    Path/File: Specify the path to the CRL file. Enter the complete relative path to the file on the server.
    Cut and Paste: Select Cut and Paste to copy an existing CRL into the field. When pasting, no additional network address information is required.
  6. Select OK to import the CRL. Select Cancel to revert the screen to its last saved configuration.
  7. To import a signed certificate, select the Import Signed Cert button on the Import New Trustpoint screen.

    Self-signed certificates (or root certificates) avoid the use of public or private CAs. A self-signed certificate is an identity certificate signed by its own creator, so the creator alone vouches for its legitimacy. Because no third party verifies the issuance, the absence of mistakes or corruption in the issuance of self-signed certificates is essential.

    Self-signed certificates cannot be revoked. If the private key has been compromised, an attacker who has already gained controller access can monitor and inject data into a connection and spoof an identity. CAs, by contrast, have the ability to revoke a compromised certificate, preventing its further use.

  8. Define the following parameters required to import a signed certificate:
    Certificate Name: Enter the 32-character maximum trustpoint name with which the certificate should be associated.
    From Network: Select From Network to provide network address information for the location of the signed certificate. The number of additional fields that populate the screen depends on the selected protocol. From Network is the default setting.
    URL: Provide the complete URL to the location of the signed certificate. If needed, click Advanced to expand the dialog and display network address information for the location of the signed certificate. The number of additional fields populating the screen depends on the selected protocol.
    Protocol: Select the protocol used for importing the signed certificate. Available options include:
    • tftp
    • ftp
    • sftp
    • http
    • cf
    • usb1-4
    Port: Set the port. This option is not valid for cf and usb1-4.
    Host: Provide the hostname string or numeric IP address of the server used to import the signed certificate. Hostnames cannot include an underscore character. This option is not valid for cf and usb1-4.

    Select IPv4 Address to use an IPv4 formatted address as the host. Select IPv6 Address to use an IPv6 formatted address as the host. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.

    Path/File: Specify the path to the signed certificate file. Enter the complete relative path to the file on the server.
    Cut and Paste: Select Cut and Paste to copy an existing certificate into the field. When pasting, no additional network address information is required.
  9. Select OK to import the signed certificate. Select Cancel to revert the screen to its last saved configuration.
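As an added example (not part of the product documentation), the following Python pre-flight check validates an import request against the rules the three screens share: the 32-character name limit, the protocol list, Host and Port being invalid for cf and usb1-4, no underscores in hostnames, and Cut and Paste needing no network information. It assumes usb1-4 means usb1 through usb4 and that pasted content is PEM; the page states neither.

```python
import ipaddress
import re
# Constructed for this example: "usb1-4" is assumed to mean usb1 through usb4, and pasted data PEM.
NETWORK_PROTOCOLS = {"tftp", "ftp", "sftp", "http"}
LOCAL_PROTOCOLS = {"cf", "usb1", "usb2", "usb3", "usb4"}
PEM_HEADER = {"cert": "CERTIFICATE", "crl": "X509 CRL"}   # a CA certificate is a "cert"
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def check_host(host):
    """Accept an IPv4/IPv6 literal or a DNS hostname; underscores are rejected as the screen requires."""
    try:
        ipaddress.ip_address(host)
        return []
    except ValueError:
        pass
    if "_" in host:
        return ["hostnames cannot include an underscore character"]
    if not all(LABEL_RE.match(label) for label in host.split(".")):
        return ["hostname is not a valid DNS name"]
    return []


def check_import(kind, name, protocol=None, host=None, port=None, path=None, pasted=None):
    """Return the problems with one import request; an empty list means it passes every rule."""
    problems = []
    if not 1 <= len(name) <= 32:
        problems.append("name must be 1 to 32 characters")
    if pasted is not None:                      # Cut and Paste: no network information is needed
        if not pasted.lstrip().startswith(f"-----BEGIN {PEM_HEADER[kind]}-----"):
            problems.append(f"pasted data is not a PEM {PEM_HEADER[kind]} block")
        return problems
    if protocol in LOCAL_PROTOCOLS:             # cf and usb: Host and Port are not valid
        if host is not None or port is not None:
            problems.append(f"host and port are not valid for {protocol}")
    elif protocol in NETWORK_PROTOCOLS:
        problems.extend(check_host(host) if host else ["host is required"])
        if port is not None and not 1 <= port <= 65535:
            problems.append("port must be 1 to 65535")
    else:
        problems.append(f"unsupported protocol: {protocol}")
    if not path:
        problems.append("path/file is required")
    return problems


def build_url(protocol, host, port, path):
    """Form the basic-view URL; an IPv6 literal is bracketed so its colons are not read as a port."""
    if ":" in host and not host.startswith("["):
        host = f"[{host}]"
    netloc = f"{host}:{port}" if port else host
    return f"{protocol}://{netloc}/{path.lstrip('/')}"
```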