Certificates – Allied Telesis AT-S63 User Manual

Page 793

AT-S63 Management Software Menus Interface User’s Guide

Section VIII: Management Security

Both the exchange of encrypted messages and the use of digital signatures
are secure only if the public key used for encryption or decryption belongs
to the message’s expected recipient. If a public key is distributed
insecurely, a malicious agent could intercept it and replace it with the
agent’s own public key (the Man-in-the-Middle attack). To prevent this and
other attacks, PKI provides a means of securely transferring public keys by
linking an identity and that identity’s public key in a secure certificate.

Caution

Although a certificate binds a public key to a subject to ensure the
public key’s security, it does not guarantee that the security of the
associated private key has not been breached. A secure system is
dependent upon private keys being kept secret, by protecting them
from malicious physical and virtual access.

Certificates

A certificate is an electronic identity document. To create a certificate for a
subject, a trusted third party (known as the Certification Authority) verifies
the subject’s identity, binds a public key to that identity, and digitally signs
the certificate. A person receiving a copy of the certificate can verify the
Certification Authority’s digital signature and be sure that the public key is
owned by the identity in it.

The switch can generate a self-signed certificate, but this should only be
used with an SSL-enabled HTTP server, or where third-party trust is not
required.

X.509 Certificates

The X.509 specification defines a format for certificates. Almost all
certificates use the X.509 version 3 format, described in RFC 2459,
Internet X.509 Public Key Infrastructure Certificate and CRL Profile. This is
the format the switch supports.

An X.509 v3 certificate consists of:

• A serial number, which distinguishes the certificate from all others
  issued by that issuer. This serial number is used to identify the
  certificate in a Certificate Revocation List, if necessary.

• The owner’s identity details, such as name, company and address.

• The owner’s public key, and information about the algorithm with which
  it was produced.

• The identity details of the organization which issued the certificate.

• The issuer’s digital signature and the algorithm used to produce it.

• The period for which the certificate is valid.

• Optional information, such as the type of application with which the
  certificate is intended to be used.
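
As an added example (not from the AT-S63 manual), the shell functions below use the openssl command-line tool to print the fields listed above from a certificate and to detect a self-signed one, where issuer and subject are identical and no Certification Authority vouches for the key. The sample certificate, its subject names and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the AT-S63 manual). Requires the openssl CLI.

# make_sample_cert DIR: write a constructed self-signed certificate and key.
# The subject names are hypothetical sample values.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=Example Org/CN=switch.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# cert_fields FILE: print the X.509 v3 fields in the order the list gives them.
cert_fields() {
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    openssl x509 -in "$1" -noout -serial                    # serial number
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253  # owner identity
    printf '%s\n' "$text" | grep 'Public Key Algorithm'     # owner's key
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253   # issuer identity
    printf '%s\n' "$text" | grep 'Signature Algorithm' | head -n 1
    openssl x509 -in "$1" -noout -dates                     # validity period
    printf '%s\n' "$text" | grep 'X509v3' || true           # optional extensions
}

# is_self_signed FILE: 0 if issuer equals subject and the certificate's
# signature verifies under its own public key, 1 otherwise, 2 on read errors.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253) || return 2
    issr=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253) || return 2
    [ "${subj#subject=}" = "${issr#issuer=}" ] || return 1
    openssl verify -check_ss_sig -CAfile "$1" "$1" >/dev/null 2>&1 || return 1
}

tmp=$(mktemp -d)
make_sample_cert "$tmp"
cert_fields "$tmp/cert.pem"
if is_self_signed "$tmp/cert.pem"; then
    echo "self-signed: no Certification Authority vouches for this identity"
fi
rm -rf "$tmp"
```

To inspect a certificate exported from a device, pass its PEM file to `cert_fields` and `is_self_signed` instead of the generated sample.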
