Basic overview, Types of certificates – Allied Telesis AT-S63 User Manual

Chapter 34: PKI Certificates and SSL

792

Section IX: Management Security

Basic Overview

This chapter describes the second part of the encryption feature of the
AT-S63 management software—PKI certificates. The first part is
explained in Chapter 33, “Encryption Keys” on page 769. Encryption keys
and certificates allow you to encrypt the communications between your
management station and a switch during a web browser management
session, and so protect your switch from intruders who might be using a
sniffer to monitor the network for management packets.

Types of

Certificates

As explained in the previous chapter, an encryption key encrypts the
information in the frames exchanged between a switch and a web browser
during a web browser management session. An encryption key consists of
two parts: a private key and a public key. The private key remains on the
switch and is used by the device to encrypt its messages.

The public key is incorporated into a certificate and is used by your
management station when you perform a web browser management
session. Your web browser downloads the certificate with the public key
from the switch when you begin a management session.

The quickest and easiest way to create a certificate is to have the switch
create it. This type of certificate is called a self-signed certificate. If you
have a small to medium sized network, this will probably be the best
approach. The procedure for creating this kind of certificate can be found
in “Creating a Self-signed Certificate” on page 803. To review all the steps
to configuring the web server for a self-signed certificate, refer to “General
Steps for Configuring the Web Server for Encryption” on page 766.

Another option is to create the key but have someone else issue the
certificate. That person, group, or organization is called a certification
authority (CA).

There are two kinds of CAs: public and private. A public CA issues
certificates typically intended for use by the general public for other
companies and organizations. A public CA requires proof of the identify of
the company or organization before issuing a certificate.. VeriSign is an
example of a public CA.

Because a certificate for an AT-9400 Series switch is not intended for
general use and will only be used by you and other network managers in
managing the switch, it probably will not be necessary for you to have a
public CA issue the certificate for the switch.

Some large companies have private CAs. This is a person or group within
the company that is responsible for issuing certificates for the company’s
network equipment. With private CAs, companies can keep track of the
certificates and control access to various network devices.