Configure Device Trustpoints

Before configuring device trustpoints, review existing RSA keys and certificates for possible reuse with your application. You can use the default default_rsa_key and default_trustpoint or, if required, generate or import an RSA key, generate a self-signed certificate, or generate a certificate signing request (CSR).

Use this procedure to assign trustpoints for the selected device.

  1. Go to Devices and select a target device.
    By default, the Trustpoint tab displays.
  2. Configure Management Security as described in Management Security Parameters.
    Table 1. Management Security Parameters
    Parameter: SSH RSA Key
    Description: Assign an RSA key to the selected device for SSH authentication and encryption of connections between devices. Use the drop-down menu to invoke the use of either a Stored key or a Pending key.
    • Pending (default) — Enter the name (up to 32 characters) of the pending RSA key.
    • Stored — Use the drop-down menu to select an existing RSA key.
    Note: Pending RSA keys are not verified as existing on a device.
  3. Configure RADIUS Security as described in RADIUS Security Parameters.
    Table 2. RADIUS Security Parameters
    Parameter: RADIUS Certificate Authority LDAPS
    Description: Assign a trustpoint to the RADIUS server certificate to validate an external LDAPS server. Use the drop-down menu to invoke the use of either a Stored trustpoint or a Pending trustpoint.
    • Pending (default) — Enter the name (up to 32 characters) of the pending trustpoint.
    • Stored — Use the drop-down menu to select an existing trustpoint.
    Note: Pending trustpoints are not verified as existing on a device.

    Parameter: RADIUS Server LDAPS Trustpoint
    Description: Use the drop-down menu to select a trustpoint to validate an external LDAPS server. Options include:
    • Pending (default) — Enter the name (up to 32 characters) of the pending trustpoint.
    • Stored — Use the drop-down menu to select an existing trustpoint.
    Note: Pending trustpoints are not verified as existing on a device.
  4. Configure CMP Certificate as described in CMP Certificate Parameters.
    Table 3. CMP Certificate Parameters
    Parameter: Authenticate Operator Certificate
    Description: Optionally, use Certificate Management Protocol (CMP) as an Internet protocol to obtain and manage digital certificates in a Public Key Infrastructure (PKI) network. A CA issues the certificates using the defined CMP. Using CMP, a device can communicate with a CMP-supported CA server, initiate a certificate request, and download the required certificates from the CA server. CMP supports multiple request options for a device communicating with a CMP-supported CA server. The device can initiate a request to get certificates from the server. It can also automatically update certificates that are about to expire.

    Use the drop-down menu to invoke the use of either a Stored trustpoint or a Pending trustpoint.

    • Pending (default) — Enter the name (up to 32 characters) of the pending trustpoint.
    • Stored — Use the drop-down menu to select an existing trustpoint.
    Note: Pending trustpoints are not verified as existing on a device.
  5. Configure HTTPS Trustpoint Security as described in HTTPS Trustpoint Security Parameters.
    Table 4. HTTPS Trustpoint Security Parameters
    Parameter: HTTPS Trustpoint
    Description: Assigns a trustpoint to validate HTTPS.

    Use the drop-down menu to invoke the use of either a Stored trustpoint or a Pending trustpoint.

    • Pending (default) — Enter the name (up to 32 characters) of the pending trustpoint.
    • Stored — Use the drop-down menu to select an existing trustpoint.
    Note: Pending trustpoints are not verified as existing on a device.
  6. Configure Cloud Client Certificate as described in Cloud Client Certificate Parameters.
    Table 5. Cloud Client Certificate Parameters
    Parameter: Cloud Client Certificate
    Description: Assigns a trustpoint to validate a cloud client. Use this option on cloud-enabled APs to secure the communication between the cloud AP and cloud client. The trustpoint should already exist and be installed on the AP. The cloud-enabled access points are AP7502, AP7522, AP7532, and AP7562. For local-controller adopted APs, this configuration is not required.

    Use the drop-down menu to invoke the use of either a Stored trustpoint or a Pending trustpoint.

    • Pending (default) — Enter the name (up to 32 characters) of the pending trustpoint.
    • Stored — Use the drop-down menu to select an existing trustpoint.
    Note: Pending trustpoints are not verified as existing on a device.
  7. After you have completed configuring the settings, choose from the following actions:
    1. Select Revert to restore default settings.
      Note: You cannot restore default settings after applying or saving changes.
    2. Select Apply to commit the configured settings.
      Note: This does not permanently save the settings you configured. If you perform a Reload (warm reboot), applied settings will be lost.
    3. Select Save to commit and save the configured settings.
      Note: If you do not select Apply or Save, the settings that you configured are not saved when you move away from the configuration window.
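
Because Pending names are not verified as existing on a device, it helps to check what was entered against what is actually installed before selecting Apply or Save. The following is an added example, not part of the product or its documentation: the Assignment record, the inventory dictionary, and the sample names other than default_rsa_key and default_trustpoint are hypothetical, and the inventory is assumed to have been collected from the device separately.

```python
from dataclasses import dataclass
from difflib import get_close_matches

MAX_NAME_LEN = 32  # name limit the page gives for pending keys and trustpoints

# Field label on the page -> kind of object it must reference.
FIELD_KIND = {
    "SSH RSA Key": "rsa_key",
    "RADIUS Certificate Authority LDAPS": "trustpoint",
    "RADIUS Server LDAPS Trustpoint": "trustpoint",
    "Authenticate Operator Certificate": "trustpoint",
    "HTTPS Trustpoint": "trustpoint",
    "Cloud Client Certificate": "trustpoint",
}

@dataclass(frozen=True)
class Assignment:      # hypothetical record of one drop-down choice
    field: str
    mode: str          # "Pending" or "Stored"
    name: str

def check_assignments(assignments, inventory):
    """Return (field, problem, suggestion) for names that need attention."""
    findings = []
    for a in assignments:
        known = sorted(inventory.get(FIELD_KIND[a.field], ()))
        if not 1 <= len(a.name) <= MAX_NAME_LEN:
            findings.append((a.field, "bad_length", None))
        elif a.name not in known:
            # Pending names are accepted without a device-side existence check,
            # so a mistyped name is not caught at entry time.
            hint = get_close_matches(a.name, known, n=1)
            findings.append((a.field, "not_on_device", hint[0] if hint else None))
    return findings

# Constructed sample data: what is installed on the device, and what was entered.
INVENTORY = {
    "rsa_key": {"default_rsa_key"},
    "trustpoint": {"default_trustpoint", "ldaps_ca"},
}
ENTERED = [
    Assignment("SSH RSA Key", "Pending", "default_rsa_key"),
    Assignment("HTTPS Trustpoint", "Pending", "default_trustpiont"),
    Assignment("RADIUS Server LDAPS Trustpoint", "Pending", "r" * 33),
    Assignment("Cloud Client Certificate", "Stored", "ldaps_ca"),
]

if __name__ == "__main__":
    for finding in check_assignments(ENTERED, INVENTORY):
        print(finding)
```

An empty result means every entered name is within the 32-character limit and matches an object in the supplied inventory.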