HP (Hewlett-Packard) 2600 Switch User Manual


 
Configuring Secure Socket Layer (SSL)
Configuring the Switch for SSL Operation
2. Generating the Switch’s Server Host Certificate
You must generate a server certificate on the switch before enabling SSL. The
switch uses this server certificate, along with a dynamically generated session
key pair to negotiate an encryption method and session with a browser trying
to connect via SSL to the switch. (The session key pair mentioned above is
not visible on the switch. It is a temporary, internally generated pair used for
a particular switch/client session, and then discarded.)
The server certificate is stored in the switch’s flash memory. The server
certificate should be added to your certificate folder on the SSL clients who
you want to have access to the switch. Most browser applications automati-
cally add the switch’s host certificate to there certificate folder on the first
use. This method does allow for a security breach on the first access to the
switch. (Refer to the documentation for your browser application.)
There are two types of certificated that can be used for the switch’s host
certificate. The first type is a self-signed certificate, which is generated and
digitally signed by the switch. Since self-signed certificates are not signed by
a third-party certificate authority, there is no audit trail to a root CA certificate
and no fool-proof means of verifying authenticity of certificate. The second
type is a certificate authority-signed certificate, which is digitally signed by a
certificate authority, has an audit trail to a root CA certificate, and can be
verified unequivocally
Note: There is usually a fee associated with receiving a verified certificate and the
valid dates are limited by the root certificate authority issuing the certificate.
When you generate a certificate key pair and/or certificate on the switch, the
switch places the key pair and/or certificate in flash memory (and not in
running config). Also, the switch maintains the certificate across reboots,
including power cycles. You should consider this certificate to be “perma-
nent”; that is, avoid re-generating the certificate without a compelling reason.
Otherwise, you will have to re-introduce the switch’s host certificate on all
management stations you have set up for SSL access to the switch using the
earlier certificate.
Removing (zeroizing) the switch's certificate key pair or certificate render the
switch unable to engage in SSL operation and automatically disables SSL on
the switch. (To verify whether SSL is enabled, execute show config.)
7-9