Access Security Guide K/KA/KB.15.15

17 Certificate manager
Certificate Manager enables Public Key Infrastructure (PKI) capability on the switch, providing
authentication of network entities. This feature enables configuration and management of digital
certificates on HP Networking switches, a key component of establishing digital identity in a PKI.
Each entity in the PKI has its identity validated by a CA/RA. The CA issues a digital certificate
as part of enrolling each entity into the PKI. This digital certificate is used by relying parties (e.g.,
network connection peers) to set up secure communication. Based on the information present in
the certificate of the sender, the receiving entity can validate the authenticity of the sender and
subsequently establish a secure communication channel.
Configuration support
The certificate manager CLI provides configuration support for integrating the switch into a customer’s
PKI.
Trust anchor profile
The profile defines the trust anchor required for several certificate-specific operations, such as certificate
enrollment and certificate validation. A trust anchor may be a Root CA certificate or an Intermediate
CA certificate. The following command creates a trust anchor profile.
Syntax
(config)# [no] crypto pki ta-profile [profile-name]
Definitions
profile-name
A unique name (maximum 100 characters) identifying the Trust Anchor Profile.
Two TA profiles are supported, one for each allowed trust anchor (Root CA
certificate).
Web User’s Interface
When permitted by the existing configuration, the Web UI creates a “default” Trust Anchor profile
(the profile name is “default”) when a TA certificate is installed. The Web UI may only manage
the TA certificate installed against the “default” profile; no other certificates are visible or installed
via the Web UI. An administrator may create this same default TA profile. Restrictions on the “default”
profile are described in Local Certificate Installation.
The Web UI manages a TA profile implicitly and only under the following conditions:
If a TA Profile with the name “default” exists.
If a TA Profile with the name “default” does not exist but one of the two TA Profiles is not configured.
In these cases the Web UI may configure the “default” TA Profile.
When a “default” profile does not exist and both TA Profiles have been configured by the CLI (i.e.,
they both have a name other than “default”), the Web UI may not alter either TA profile, and the
web-usage certificate to be installed must fit within a certificate chain belonging to an existing TA
Profile.
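The following is an added example, not code from this guide or from the switch firmware: a small model of the TA-profile rules stated above (two profiles, names up to 100 characters, and when the Web UI may manage the “default” profile) that can be used to check a planned `crypto pki ta-profile` configuration offline. The CLI lines parsed are only the `[no] crypto pki ta-profile <name>` form shown in this section; treating a repeated profile name as a no-op is an assumption.

```python
"""Model of the TA-profile rules on this page (added example, not HP code):
at most two trust-anchor profiles, names up to 100 characters, and the
conditions under which the Web UI may create or alter the "default" profile."""

MAX_TA_PROFILES = 2          # page: two TA profiles are supported
MAX_NAME_LEN = 100           # page: profile-name is at most 100 characters
DEFAULT_PROFILE = "default"  # profile name the Web UI creates implicitly


def validate_profile_name(name: str) -> None:
    """Raise ValueError if a profile-name violates the documented limits."""
    if not name:
        raise ValueError("profile-name must not be empty")
    if len(name) > MAX_NAME_LEN:
        raise ValueError(f"profile-name longer than {MAX_NAME_LEN} characters")


def apply_cli(profiles: list[str], line: str) -> list[str]:
    """Apply one '[no] crypto pki ta-profile <name>' line to the profile list."""
    words = line.split()
    negate = bool(words) and words[0] == "no"
    if negate:
        words = words[1:]
    if words[:3] != ["crypto", "pki", "ta-profile"] or len(words) != 4:
        raise ValueError(f"unrecognised line: {line!r}")
    name = words[3]
    validate_profile_name(name)
    if negate:
        return [p for p in profiles if p != name]
    if name in profiles:
        return list(profiles)            # assumption: re-entering a name is a no-op
    if len(profiles) >= MAX_TA_PROFILES:
        raise ValueError("both TA profile slots are already configured")
    return profiles + [name]


def web_ui_may_manage_default(profiles: list[str]) -> bool:
    """True when the Web UI may create or alter the 'default' TA profile.

    Allowed if a profile named 'default' exists, or if no 'default' exists but
    one of the two TA profile slots is still unconfigured; otherwise denied.
    """
    if DEFAULT_PROFILE in profiles:
        return True
    return len(profiles) < MAX_TA_PROFILES
```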
Switch identity profile
The switch (stack) can have multiple certificates using the same base identity but with different
protocol usage. This profile captures the common identity data for use in multiple certificates. The
switch identity profile is a configuration aid that configures default values used when creating
multiple certificates. This profile is not used for any other purpose and is therefore completely