I've spent the better part of my day bashing my head against my 2960 switch. Due to an office policy, I need to install a "real" cert on this thing, signed by our central CA, for https access. Our CA runs MS Cert Services. Because of our firewalling policies, all I can do is PEM. None of the easy auto stuff.
The problem is:

1) Any cert that I try to generate has the wrong information. Basically, I cannot make a "web server" cert because the common name is hosed. The router asks me what information I want in the SUBJECT -- and even though I say "yes, use the hostname", it generates with a null CN field (according to MS cert services).

2) Why, oh why, do I have to create a trustpoint -- shouldn't it be as simple as saying "yeah, that key you created when I turned on crypto? Let me sign that"? I'm not looking to have the router trust every connecting user, nor am I using this for persistent VPNs... just simple "don't throw the pass in the clear when I https into it".

3) I decided "okay, this syntax is hosed, let's generate keys and certs elsewhere". Except that any key I install has to be protected by a passphrase. Which completely screws things on a reboot, no?

4) Is it me or is there NO way to just delete a certificate without blowing away the whole trustpoint? I've tried "no certificate xxxxxxxxx", and gotten "certificate not found".
Has anyone made an easy howto for "here's how you make an SSL cert that validates against your CA, with your hostname as the CN?"
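A worked example of the on-box enrollment flow the post asks about, added here as an editor's example rather than the poster's own configuration or Cisco's documentation. The hostname sw2960, the domain example.com, the trustpoint name CORP-CA and the key label HTTPS-KEY are placeholders I assume; the certreq line describing the MS Cert Services side is also an assumption about how the CSR gets submitted there. The point it shows: set the subject explicitly with `subject-name` instead of relying on the hostname prompt, keep the key on the switch so no passphrase is involved, and use `enrollment terminal pem` so the whole exchange is cut-and-paste PEM.

```text
! Added example, not from the original post. sw2960, example.com, CORP-CA
! and HTTPS-KEY are assumed placeholders; substitute your own values.
configure terminal
hostname sw2960
ip domain-name example.com
! Dedicated RSA key pair for the HTTPS identity, generated on the switch.
! An on-box key has no passphrase to re-enter after a reboot.
crypto key generate rsa label HTTPS-KEY modulus 2048
crypto pki trustpoint CORP-CA
 ! Manual cut-and-paste enrollment; "pem" makes the CSR and certificates
 ! print in PEM so only text has to cross the firewall.
 enrollment terminal pem
 ! Explicit subject: this is what lands in the CSR's CN field.
 subject-name CN=sw2960.example.com,O=Example Corp
 fqdn sw2960.example.com
 rsakeypair HTTPS-KEY
 ! No CRL/OCSP lookup for certs validated under this trustpoint. Acceptable
 ! when the trustpoint only supplies the switch's own server identity;
 ! reconsider before reusing it to authenticate peers.
 revocation-check none
exit
! 1. Authenticate the trustpoint: paste the CA's Base64 certificate, then "quit".
crypto pki authenticate CORP-CA
! 2. Generate the CSR; answer the prompts and the switch prints it in PEM.
crypto pki enroll CORP-CA
! 3. CA side (assumed: a Windows host with certreq and rights to the
!    issuing CA). Submit the saved CSR against the Web Server template and
!    keep the Base64-encoded result:
!    certreq -submit -attrib "CertificateTemplate:WebServer" sw2960.csr sw2960.cer
! 4. Import the issued certificate: paste the PEM, then "quit".
crypto pki import CORP-CA certificate
! 5. Bind the HTTPS server to this trustpoint.
ip http secure-trustpoint CORP-CA
ip http secure-server
end
write memory
! Check that the subject in the installed certificate has the expected CN.
show crypto pki certificates CORP-CA
```

Before pasting the CA certificate in step 1, compare its fingerprint with one obtained out of band from the CA admin; the switch prints the fingerprint and asks for confirmation, and that prompt is the only point at which a substituted CA certificate would be caught.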