Configuring Secure Socket Layer (SSL)
Configuring the Switch for SSL Operation
The server certificate is stored in the switch’s flash memory. The server
certificate should be added to your certificate folder on the SSL clients who
you want to have access to the switch. Most browser applications automati
cally add the switch’s host certificate to there certificate folder on the first
use. This method does allow for a security breach on the first access to the
switch. (Refer to the documentation for your browser application.)
There are two types of certificated that can be used for the switch’s host
certificate. The first type is a self-signed certificate, which is generated and
digitally signed by the switch. Since self-signed certificates are not signed by
a third-party certificate authority, there is no audit trail to a root CA certificate
and no fool-proof means of verifying authenticity of certificate. The second
type is a certificate authority-signed certificate, which is digitally signed by a
certificate authority, has an audit trail to a root CA certificate, and can be
verified unequivocally
N o t e
There is usually a fee associated with receiving a verified certificate and the
valid dates are limited by the root certificate authority issuing the certificate.
When you generate a certificate key pair and/or certificate on the switch, the
switch places the key pair and/or certificate in flash memory (and not in
running config). Also, the switch maintains the certificate across reboots,
including power cycles. You should consider this certificate to be “perma
nent”; that is, avoid re-generating the certificate without a compelling reason.
Otherwise, you will have to re-introduce the switch’s host certificate on all
management stations you have set up for SSL access to the switch using the
earlier certificate.
Removing (zeroizing) the switch's certificate key pair or certificate render the
switch unable to engage in SSL operation and automatically disables SSL on
the switch. (To verify whether SSL is enabled, execute
show config
.)
To Generate or Erase the Switch’s Server Certificate
with the CLI
Because the host certificate is stored in flash instead of the running-config
file, it is not necessary to use
write memory
to save the certificate. Erasing the
host certificate automatically disables SSL.
8-9
Summary of Contents for PROCURVE 2910AL
Page 1: ...Access Security Guide ProCurve Switches W 14 03 2910al www procurve com ...
Page 2: ......
Page 3: ...HP ProCurve 2910al Switch February 2009 W 14 03 Access Security Guide ...
Page 84: ...Configuring Username and Password Security Front Panel Security 2 36 ...
Page 156: ...TACACS Authentication Operating Notes 4 30 ...
Page 288: ...Configuring Secure Socket Layer SSL Common Errors in SSL setup 8 22 ...
Page 416: ...Configuring Advanced Threat Protection Using the Instrumentation Monitor 10 28 ...
Page 572: ...Using Authorized IP Managers Operating Notes 14 14 ...
Page 592: ...12 Index ...
Page 593: ......