Enabling HTTPS

1. Enter system view.

   Command: system-view

   Remarks: N/A

2. (Optional.) Apply an SSL server policy to control HTTPS access.

   Command: ip https ssl-server-policy policy-name

   Remarks:

   By default, no SSL server policy is applied. The HTTP service uses a self-signed certificate.

   If the HTTPS service has been enabled, any changes to the applied SSL server policy do not take effect. For the changes to take effect, you must disable HTTP and HTTPS, and then apply the policy and enable HTTP and HTTPS again.

   To restore the default, you must disable HTTP and HTTPS, execute the undo ip https ssl-server-policy command, and then enable HTTP and HTTPS again.

3. Enable the HTTPS service.

   Command: ip https enable

   Remarks:

   By default, HTTPS is disabled.

   Enabling the HTTPS service triggers the SSL handshake negotiation process.

   • If the device has a local certificate, the SSL handshake negotiation succeeds and the HTTPS service starts up.

   • If the device does not have a local certificate, the certificate application process starts. Because the certificate application process takes a long time, the SSL handshake negotiation might fail and the HTTPS service might not be started. To solve the problem, execute this command again until the HTTPS service is enabled.

4. (Optional.) Apply a certificate-based access control policy to control HTTPS access.

   Command: ip https certificate access-control-policy policy-name

   Remarks:

   By default, no certificate-based access control policy is applied for HTTPS access control.

   For clients to log in through HTTPS, you must configure the client-verify enable command and a minimum of one permit rule in the applied SSL server policy.

   For more information about certificate-based access control policies, see the chapter on PKI in Security Configuration Guide.

5. (Optional.) Specify the HTTPS service port number.

   Command: ip https port port-number

   Remarks: The default HTTPS service port number is 443.

6. (Optional.) Apply an ACL to the HTTPS service.

   Command: ip https acl { acl-number | name acl-name }

   Remarks: N/A
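
An added example, not part of the original guide: a Python check that reads a saved configuration and reports which optional steps of the procedure above were left at their defaults while HTTPS is enabled. The sample configuration is constructed, the function names are hypothetical, and the check assumes the configuration file lists these commands in the same form in which they are entered.

```python
import re

# Constructed sample: excerpt of a saved configuration (assumption: commands
# appear in the file in the same form in which they are entered on the CLI).
SAMPLE_CONFIG = """\
#
 ip https port 8443
 ip https acl 2001
 ip https enable
#
"""

# Optional settings from the procedure: (regex, key); group 1 is the argument.
SETTINGS = [
    (r"ip https ssl-server-policy (\S+)", "ssl_server_policy"),
    (r"ip https certificate access-control-policy (\S+)", "cert_acp"),
    (r"ip https port (\d+)", "port"),
    (r"ip https acl (?:name )?(\S+)", "acl"),
]

def parse_https_config(text):
    """Collect the ip https settings found in a configuration text."""
    state = {"enabled": False, "ssl_server_policy": None,
             "cert_acp": None, "port": 443, "acl": None}  # defaults per the guide
    for raw in text.splitlines():
        line = raw.strip()
        if line == "ip https enable":
            state["enabled"] = True
        for pattern, key in SETTINGS:
            m = re.fullmatch(pattern, line)  # whole line only, so "undo ..." is ignored
            if m:
                state[key] = int(m.group(1)) if key == "port" else m.group(1)
    return state

def audit_https(text):
    """Return findings for optional steps that were left at their defaults."""
    s = parse_https_config(text)
    findings = []
    if not s["enabled"]:
        return findings  # HTTPS service is off, so there is nothing to audit
    if s["ssl_server_policy"] is None:
        findings.append("no SSL server policy: self-signed certificate in use")
    if s["cert_acp"] is None:
        findings.append("no certificate-based access control policy")
    if s["acl"] is None:
        findings.append("no ACL applied to the HTTPS service")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_https(SAMPLE_CONFIG)))
```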