HP Switch Certificate
Setting up an SSL certificate on an HP (HPE/Aruba) 2530 switch is not hard or complicated, but it is frustrating when you try to figure out exactly how it’s done. There’s some terminology that isn’t immediately obvious, and the switch tends to be a bit picky about how things are done.
So with that said, let’s dive in.
I’ll assume here that you have a functioning PKI on your site, or that you’re able to get a certificate request signed somehow. I’ll briefly touch on self-signed certs local to the switch, but that’s just a kluge until you have “proper” PKI up and running.
I’ll also assume that you can have a command line connection to your switch, either by console or ssh. Make that connection now. Connect, authenticate, and enter the magic word
Also: friends don’t let friends use telnet.
In the code below, substitute the stuff IN_CAPITAL_LETTERS with what’s relevant in your environment. For example, my Trust Anchor and Identity Profile names are the hostname of the switch, a dash, and
You should, eventually, have a DNS entry for your switch, but you don’t need DNS support on the switch itself.
The Trust Anchor
I really don’t know what a Trust Anchor is for, but you’ll need one.
crypto pki ta-profile YOUR_TRUST_ANCHOR
After this, you’ll need to assign the certificate, or certificate chain, of your PKI to the Trust Anchor. This is, rather inexplicably, done using sftp. If you don’t have a PKI but intend to use a self-signed certificate on the switch (for now), skip this step.
copy sftp ta-certificate YOUR_TRUST_ANCHOR USERNAME@HOST PATH_TO_CERT_CHAIN.pem
That’s it. I’ve probably missed something. This whole TA stuff is a bit confusing to me.
Next, you’ll create a profile to describe your switch’s identity for the certificate. Here, pressing TAB for autofill is your friend. Though I’ve split the command over several lines, you’ll need to have it on one line for the spell to work. Country should be the two-letter (ISO 3166-1) country code, like FI for Finland.
crypto pki identity-profile YOUR_IDENTITY_PROFILE subject common-name SWITCH_FQDN org 'THE_NAME_OF_YOUR_ORGANISATION' org-unit 'YOUR_ORG_UNIT' locality 'WHERE_YOU_ARE_LOCATED' state 'WHERE_THAT_IS_LOCATED' country 'FO'
The Certificate Request
Alright. Now you’ll create a certificate request. This has less stuff to type. Still, and again, do write the following on a single line.
crypto pki create-csr certificate-name YOUR_CERT_NAME ta-profile YOUR_TRUST_ANCHOR key-size 2048 valid-start TODAY_IN_MM/DD/YYYY_FORMAT valid-end FUTURE_DATE_IN_SAME_FORMAT
If you don’t have a proper PKI on your site, enter the following spell instead and be done with it:
crypto pki enroll-self-signed certificate-name YOUR_CERT_NAME key-size 2048 valid-start TODAY_IN_MM/DD/YYYY_FORMAT valid-end FUTURE_DATE_IN_SAME_FORMAT
Sign the CSR
Assuming you’re still here, you followed the create-csr command above, not the enroll-self-signed path. Copy-paste the certificate request (-----BEGIN CERTIFICATE REQUEST----- etc etc) to your PKI, sign it, and receive a nice certificate in
Now issue the command
crypto pki install-signed-certificate
Paste the certificate (-----BEGIN CERTIFICATE----- etc etc) and press enter (twice if needed). If there were no errors (sorry, no hurrahs given), you should be able to check that you have a certificate in place with
show crypto pki local-certificate
Enable SSL (TLS) on your switch