AOS-CX switches use certificates for various purposes, such as securing HTTPS access to the switch's web interface, authenticating the switch as a RadSec client, or securing other communications. Managing local certificates on AOS-CX switches involves ensuring that the switch trusts the certificate authority (CA) that issued the certificate, which is critical for proper operation.
Option C, "Before installing the local certificate, create a trust anchor (TA) profile with the root CA certificate for the certificate that you will install," is correct. A trust anchor (TA) profile on AOS-CX switches contains the root CA certificate (or intermediate CA certificate) that issued the local certificate. This TA profile allows the switch to validate the certificate chain when the local certificate is installed. For example, if you install a CA-signed certificate for the HTTPS server, the switch needs the root CA certificate in a TA profile to trust the certificate. This is a standard guideline for certificate management on AOS-CX switches to ensure secure and proper operation.
Option A, "Understand that the switch must use the same certificate for all usages, such as its HTTPS server and RadSec client," is incorrect. AOS-CX switches support using different certificates for different purposes. For example, you can have one certificate for the HTTPS server and another for RadSec client authentication, as long as each certificate is associated with the appropriate service and trusted by the switch.
Option B, "Create a self-signed certificate online on the switch because AOS-CX switches do not support CA-signed certificates," is incorrect. AOS-CX switches fully support CA-signed certificates, and using CA-signed certificates is recommended for production environments to ensure trust and security. Self-signed certificates can be used for testing but are not a guideline for general certificate management.
Option D, "Install an Online Certificate Status Protocol (OCSP) certificate to simplify the process of enrolling and re-enrolling for certificates," is incorrect. OCSP is a protocol used to check the revocation status of certificates, not to simplify certificate enrollment. AOS-CX switches support OCSP for certificate validation, but installing an "OCSP certificate" is not a concept in certificate management, and it's not a guideline for managing local certificates.
The HPE Aruba Networking AOS-CX 10.12 Security Guide states:
"Before installing a CA-signed local certificate on the switch, you must create a trust anchor (TA) profile that includes the root CA certificate (or intermediate CA certificate) that issued the local certificate. This ensures that the switch can validate the certificate chain. For example, to install a CA-signed certificate for the HTTPS server, use the command crypto pki ta-profile <profile-name> to create the TA profile, and then import the root CA certificate into the profile using crypto pki import ta-profile <profile-name>. Then, install the local certificate using crypto pki import local-certificate <certificate-name> and associate it with the HTTPS server." (Page 201, Certificate Management Section) Additionally, the guide notes:
"AOS-CX switches support both self-signed and CA-signed certificates. For production environments, it is recommended to use CA-signed certificates and ensure that the appropriate trust anchor profiles are configured to validate the certificate chain." (Page 202, Best Practices Section)
:
HPE Aruba Networking AOS-CX 10.12 Security Guide, Certificate Management Section, Page 201.
HPE Aruba Networking AOS-CX 10.12 Security Guide, Best Practices Section, Page 202.