Robin Laurén

Exploring my way out of Imposter Syndrome

HP Switch Certificate

Setting up an SSL certificate on an HP (HPE/Aruba) 2530 switch is not hard or complicated, but it is frustrating when you try to figure out exactly how it’s done. There’s some terminology that isn’t immediately obvious, and the switch tends to be a bit picky about how things are done.

So with that said, let’s dive in.

I’ll assume here that you have a functioning PKI on your site, or that you’re able to get a certificate request signed somehow. I’ll briefly touch on self-signed certs local to the switch, but that’s just a kludge until you have “proper” PKI up and running.

I’ll also assume that you have a command-line connection to your switch, either by console or SSH. Make that connection now. Connect, authenticate, and enter the magic word config to get into configuration mode.

Also: friends don’t let friends use telnet.

In the commands below, substitute the stuff IN_CAPITAL_LETTERS with whatever is relevant in your environment. For example, my Trust Anchor and Identity Profile names are the hostname of the switch, a dash, and ta or id respectively.

You should, eventually, have a DNS entry for your switch, but you don’t need DNS support on the switch itself.

The Trust Anchor

A Trust Anchor profile is where the switch keeps the CA certificate it trusts, which is what lets it check that the certificate you install later really came from your PKI. Whatever else it does, you’ll need one.

crypto pki ta-profile YOUR_TRUST_ANCHOR

After this, you’ll need to load the CA certificate (or certificate chain) of your PKI into the Trust Anchor. This is, rather inexplicably, done over SFTP, so the chain file has to sit on an SFTP server the switch can reach. If you don’t have a PKI but intend to use a self-signed certificate on the switch (for now), skip this step.

copy sftp ta-certificate YOUR_TRUST_ANCHOR USERNAME@HOST PATH_TO_CERT_CHAIN.pem

That’s it for the Trust Anchor. The one thing to hold on to is that its name is referenced again when you create the certificate request, and the signed certificate you install later should chain back to the CA certificate you loaded here, so make sure the names match.

Identity Profile

Next, you’ll create a profile that describes your switch’s identity for the certificate, that is, the subject fields of the request. Here, pressing TAB for autocompletion is your friend. Though I’ve split the command over several lines, you’ll need to type it on one line for the spell to work. Country should be the two-letter (ISO 3166-1) country code, like FI for Finland.

crypto pki identity-profile YOUR_IDENTITY_PROFILE subject common-name SWITCH_FQDN
  org 'THE_NAME_OF_YOUR_ORGANISATION' org-unit 'YOUR_ORG_UNIT'
  locality 'WHERE_YOU_ARE_LOCATED' state 'WHERE_THAT_IS_LOCATED' country 'FO'

The Certificate Request

Alright. Now you’ll create a certificate request. There’s less to type here, but again, write it on a single line. Use a 2048-bit key; anything shorter is not worth signing. Note that the request is tied to the Trust Anchor you created above.

crypto pki create-csr certificate-name YOUR_CERT_NAME
  ta-profile YOUR_TRUST_ANCHOR key-size 2048
  valid-start TODAY_IN_MM/DD/YYYY_FORMAT valid-end FUTURE_DATE_IN_SAME_FORMAT

If you don’t have a proper PKI on your site, enter the following spell instead and be done with it:

crypto pki enroll-self-signed certificate-name YOUR_CERT_NAME key-size 2048
  valid-start TODAY_IN_MM/DD/YYYY_FORMAT valid-end FUTURE_DATE_IN_SAME_FORMAT

Sign the CSR

Assuming you’re still here, you followed the create-csr path above, not the enroll-self-signed one. Copy-paste the certificate request the switch printed (-----BEGIN CERTIFICATE REQUEST----- etc. etc.) to your PKI, sign it, and receive a nice certificate in PEM format. One caveat: the switch only puts the FQDN in the common name of the request, and browsers nowadays ignore the common name and insist on a Subject Alternative Name, so have your CA add the FQDN as a DNS SAN when signing, or you’ll get a certificate warning anyway.
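The “sign it somehow” step, as an added example that is not from the original post: a POSIX shell script that signs a switch request with an OpenSSL-based CA, adds the FQDN as a SAN, and runs the checks you’d want before pasting the result into the switch. Everything in it is constructed for the demo: the CA is a throwaway test CA, the switch name sw-core-01.example.net and the subject fields are made up, and the request is generated locally to stand in for the one the switch prints (on a real site, save the switch’s request as switch.csr instead and point the script at your real CA key and certificate).

```shell
# Added example (not from the original post): sign a switch CSR with an
# OpenSSL CA, add the FQDN as a SAN, and verify the result against the CA
# certificate that goes into the switch's TA profile. Everything here is
# constructed for the demo: throwaway CA, made-up hostname and subject,
# and a locally generated CSR standing in for the switch's own.
set -eu

WORK=${WORK:-$(mktemp -d)}
SWITCH_FQDN=${SWITCH_FQDN:-sw-core-01.example.net}   # assumed hostname

# A throwaway CA. On a real site this is your PKI; its certificate (ca.pem)
# is the file you copy into the TA profile with "copy sftp ta-certificate".
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/O=Example Org/CN=Example Site CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Stand-in for the switch's CSR. The real switch keeps its private key; you
# only ever see the request. The subject mirrors the identity profile.
make_stand_in_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=FI/ST=Uusimaa/L=Helsinki/O=Example Org/OU=Network/CN=$SWITCH_FQDN" \
    -keyout "$WORK/switch.key" -out "$WORK/switch.csr" 2>/dev/null
}

# Sign a CSR. $3 is "san" or "cn-only": the switch's request carries only a
# common name, so the CA has to add the FQDN as a subjectAltName itself;
# "cn-only" reproduces the mistake of signing the request exactly as it came.
sign_switch_csr() {
  csr=$1; out=$2; mode=$3
  {
    printf 'basicConstraints=CA:FALSE\n'
    printf 'keyUsage=digitalSignature,keyEncipherment\n'
    printf 'extendedKeyUsage=serverAuth\n'
    if [ "$mode" = san ]; then printf 'subjectAltName=DNS:%s\n' "$SWITCH_FQDN"; fi
  } > "$WORK/$mode.ext"
  openssl x509 -req -sha256 -days 730 -in "$csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$mode.ext" -out "$out" 2>/dev/null
}

# Checks worth running before pasting the PEM into install-signed-certificate.
cert_chains_to_ca() { openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1; }
cert_has_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "DNS:$SWITCH_FQDN"
}
cert_matches_csr() {
  # The public key in the certificate must be the one from the request,
  # otherwise the switch cannot pair it with the private key it holds.
  a=$(openssl req -in "$WORK/switch.csr" -noout -pubkey 2>/dev/null)
  b=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Produce a correct certificate and a CN-only one for comparison; succeeds
# only if the correct one chains, matches the request and carries the SAN.
run_demo() {
  make_test_ca
  make_stand_in_csr
  sign_switch_csr "$WORK/switch.csr" "$WORK/switch.pem" san
  sign_switch_csr "$WORK/switch.csr" "$WORK/cn-only.pem" cn-only
  cert_chains_to_ca "$WORK/switch.pem" &&
    cert_matches_csr "$WORK/switch.pem" &&
    cert_has_san "$WORK/switch.pem"
}

run_demo && cat "$WORK/switch.pem"   # this PEM is what you paste into the switch
```

The cn-only.pem certificate the script also produces chains to the CA and matches the request just as well, and the switch will happily install it; what it lacks is the SAN, which is why a browser would still complain about it. Running the same three checks on it shows exactly that difference.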

Now issue the command

crypto pki install-signed-certificate

Paste the certificate (-----BEGIN CERTIFICATE----- etc. etc.) and press Enter (twice if needed). If there were no errors (sorry, no hurrahs given), you can check that the certificate is in place with

show crypto pki local-certificate

Enable SSL (TLS) on your switch

web-management ssl

Since the whole point of this exercise is to stop sending your switch password in the clear, also turn off the plaintext web interface with the no form of web-management plaintext.

Congratulate yourself

Yay!