Configuring HTTPS certificates

In order to support HTTPS, the device needs to be configured with an Identity certificate. This task generates the key pair, then configures the trust points and certificates required for HTTPS security.

When the Apache web server boots, it enables the HTTPS service only if HTTPS crypto certificates are present.

HTTP and HTTPS are mutually exclusive.

The labels for the trust point and the key pair have to be consistent throughout this process.
  1. Enter configure terminal mode.
    device#configure terminal
  2. Generate a key pair (RSA, ECDSA, or DSA) with the crypto key command. The key pair is used to sign and encrypt the security payload during the security protocol exchanges.
    device(config)# crypto key label k1 rsa modulus 2048
  3. Configure a trusted Certificate Authority (CA) with the crypto ca command, so that the imported identity certificate can be verified as issued by one of the locally trusted CAs.
    device(config)# crypto ca trustpoint t1
    device(config-ca-t1)#
  4. Associate the key pair to the trust point with the keypair command. The association between the trust point, key pair, and identity certificate is valid until it is explicitly removed by deleting the certificate, key pair, or trust point.
    device(config-ca-t1)# keypair k1
  5. Return to privileged EXEC mode with the end command.
    device(config-ca-t1)# end
  6. Authenticate the device to the CA by obtaining the self-signed certificate of the CA with the crypto ca authenticate command. Because the CA certificate is self-signed, its public key must be authenticated manually: contact the CA administrator and compare the fingerprint of the CA certificate.
    device# crypto ca authenticate t1 cert-type https protocol SCP host 10.70.12.102 user fvt directory /users/home/crypto file cacert.pem
    Password: **********
  7. Export the enrollment certificate to the location specified for the remote host with the crypto ca enroll command.
    device# crypto ca enroll t1 cert-type https country US state CA locality SJ organization BRC orgunit SFI common myhost.extreme.com protocol SCP host 10.70.12.102 user fvt directory /users/home/crypto
    Password: **********
  8. Import the identity certificate from the trust point CA with the crypto ca import command. This installs the identity certificate on the device.
    device# crypto ca import t1 certificate cert-type https protocol SCP host 10.70.12.102 user fvt directory /users/home/crypto file swcert.pem
    Password: **********
  9. Confirm the configuration with the following show commands.
    device# show crypto ca certificates
    Trustpoint: t1
    certificate:
    SHA1 Fingerprint=B7:5B:DB:9B:24:69:40:39:36:66:4D:59:2C:69:83:8E:93:CA:23:0C
    Subject: C=US, ST=CA, L=SJ, O=BRC, OU=SFI, CN=10:00:00:27:F8:87:70:29
    Issuer: C=US, ST=CA, L=SJ, O=BR, OU=SF, CN=SOUND/emailAddress=sravi
    Not Before: Oct 6 23:44:27 2014 GMT
    Not After : Oct 6 23:44:27 2015 GMT
    purposes: sslserver
    CA certificate:
    SHA1 Fingerprint=76:5B:D4:2C:CB:54:FE:6B:C5:E0:E3:FD:11:B0:88:70:80:12:C6:63
    Subject: C=US, ST=CA, L=SJ, O=BR, OU=SF, CN=SOUND/emailAddress=sravi
    Issuer: C=US, ST=CA, L=SJ, O=BR, OU=SF, CN=SOUND/emailAddress=sravi
    Not Before: Sep 19 20:56:49 2014 GMT
    Not After : Oct 19 20:56:49 2014 GMT
    purposes: sslserver
    
    device# show running-config crypto
    crypto key label k1 rsa modulus 2048
    crypto ca trustpoint t1
    keypair k1
  10. The HTTP server (the Apache web server) must be restarted to activate the HTTPS service. Use only one of the following methods:
    • If HTTP is enabled (the default), execute the http server command to shut down the service, followed by the no http server command to enable HTTPS.
    • If HTTP is disabled, execute the no http server command to enable HTTPS.
    • Reboot the device.
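The Python below is an added example for the checks in steps 6 and 9; it is not part of the device software. It parses the show crypto ca certificates output from step 9, compares the CA fingerprint with the value confirmed with the CA administrator, flags expiry and chain-ordering problems, and computes the device-style SHA1 fingerprint of a local PEM file such as cacert.pem. The expected fingerprint and the reference dates passed in are assumptions; the sample output is the page's own.

```python
import base64, hashlib
from datetime import datetime
# Sample input, copied from the "show crypto ca certificates" output in step 9 (Not Before lines omitted).
# The checks below and their thresholds are this example's own, not the device's.
SHOW_OUTPUT = """\
certificate:
SHA1 Fingerprint=B7:5B:DB:9B:24:69:40:39:36:66:4D:59:2C:69:83:8E:93:CA:23:0C
Subject: C=US, ST=CA, L=SJ, O=BRC, OU=SFI, CN=10:00:00:27:F8:87:70:29
Issuer: C=US, ST=CA, L=SJ, O=BR, OU=SF, CN=SOUND/emailAddress=sravi
Not After : Oct 6 23:44:27 2015 GMT
CA certificate:
SHA1 Fingerprint=76:5B:D4:2C:CB:54:FE:6B:C5:E0:E3:FD:11:B0:88:70:80:12:C6:63
Subject: C=US, ST=CA, L=SJ, O=BR, OU=SF, CN=SOUND/emailAddress=sravi
Issuer: C=US, ST=CA, L=SJ, O=BR, OU=SF, CN=SOUND/emailAddress=sravi
Not After : Oct 19 20:56:49 2014 GMT
"""

def parse_show_certificates(text):  # -> {"certificate": {...}, "CA certificate": {...}}
    certs, cur = {}, {}  # lines before the first section (e.g. "Trustpoint: t1") land in a throwaway dict
    for line in (l.strip() for l in text.splitlines()):
        if line in ("certificate:", "CA certificate:"):
            cur = certs.setdefault(line[:-1], {})
        elif line.startswith("SHA1 Fingerprint="):
            cur["fingerprint"] = line.split("=", 1)[1].upper()
        elif line.startswith("Not After"):
            cur["not_after"] = datetime.strptime(line.split(":", 1)[1].strip().removesuffix(" GMT"), "%b %d %H:%M:%S %Y")
        elif ": " in line:
            key, _, val = line.partition(": ")
            cur[key.lower()] = val
    return certs

def sha1_fingerprint(der):  # colon-separated uppercase digest, the format the device prints
    return ":".join(f"{b:02X}" for b in hashlib.sha1(der).digest())

def pem_sha1_fingerprint(pem_text):  # fingerprint of a PEM file such as cacert.pem, for the step 6 comparison
    body = "".join(l for l in pem_text.splitlines() if l and not l.startswith("-----"))
    return sha1_fingerprint(base64.b64decode(body))

def check_trustpoint(certs, expected_ca_fingerprint, now):  # findings list; empty means the chain looks sane at now
    ca, ident, findings = certs["CA certificate"], certs["certificate"], []
    if ca["fingerprint"] != expected_ca_fingerprint.upper():
        findings.append("CA fingerprint differs from the value confirmed with the CA administrator")
    if ident["issuer"] != ca["subject"]:
        findings.append("identity certificate was not issued by the configured CA")
    for name, c in (("identity", ident), ("CA", ca)):
        if c["not_after"] < now:
            findings.append(f"{name} certificate expired {c['not_after']:%Y-%m-%d}")
    if ident["not_after"] > ca["not_after"]:
        findings.append("identity certificate outlives the CA certificate that must verify it")
    return findings
```

Run against the step 9 output, the check reports that the identity certificate (valid to Oct 2015) outlives the CA certificate (valid to Oct 2014), so HTTPS clients will stop being able to build a chain long before the identity certificate expires.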