Basic overview, Types of certificates – Allied Telesis AT-S63 User Manual

Chapter 34: PKI Certificates and SSL

786

Section VIII: Management Security

Basic Overview

This chapter describes the second part of the encryption feature of the
AT-S63 management software—PKI certificates. The first part is
explained in Chapter 33, “Encryption Keys” on page 763. Encryption keys
and certificates allow you to encrypt the communications between your
management station and a switch when you manage the device with a
web browser. Encryption helps protect your switch from any intruder who
might be using a sniffer to monitor the network.

Types of

Certificates

As explained in the previous chapter, an encryption key is used to encrypt
the information in the frames that are exchanged between a switch and a
web browser during a web browser management session.

An encryption key consists of two parts: a private key and a public key.
The private key remains on the switch and is used by the device to encrypt
its messages.

The public key is incorporated into a certificate. This is the key that your
management station uses when you perform a web browser management
session. Your web browser downloads the certificate from the switch when
you begin a management session.

The quickest and easiest way to create a certificate is to have the switch
create it itself. This type of certificate is called a self-signed certificate. If
you have a small to medium sized network, then this might be the way to
go. The procedure for creating this kind of certificate can be found in
“Creating a Self-signed Certificate” on page 797. To review all the steps to
configuring the web server for this type of certificate, refer to “General
Steps for Configuring the Web Server for Encryption” on page 760.

Another option is to create the key but have someone else issue the
certificate. That person, group, or organization is called a certification
authority (CA).

There are two kinds of CAs: public and private. A public CA issues
certificates for other companies and organizations. A prominent example
of a public CA is VeriSign. A public CA requires proof of the identify of the
company or organization that wants a certificate before it issues it.

Public CAs issue certificates that are typically intended for use by the
general public. Because a certificate for an AT-9400 Series switch is used
only by you and other network managers, you might decide that it is not
necessary to have a public CA issue an AT-9400 Series switch certificate.

Some large companies have private CAs. This is a person or group within
the company that is responsible for issuing certificates for the company’s
network equipment. The value of a private CA is that the company can
keep track of the certificates and control access to various network