Allied Telesis AT-S63 User Manual

Page 722

Chapter 32: PKI Certificates and SSL

Section VII: Management Security

This distinguished name omits the common name, but includes everything
else:

ou=Network Support,o=XYZ Inc.,st=CA,c=US

So what would be a good distinguished name for a certificate for an
AT-8524M switch? If the switch has an IP address, such as a master
switch, you could use its address as the name. The following example is a
distinguished name for a certificate for a master switch with the IP address
149.11.11.11:

cn=149.11.11.11

If your network has a Domain Name System and you mapped a name to
the IP address of a switch, you can specify the switch’s name instead of
the IP address as the distinguished name.

For those switches that do not have an IP address, such as slave
switches, you could assign their certificates a distinguished name using
the IP address of the master switch of the enhanced stack.

There is a benefit to giving a certificate a distinguished name equivalent to
a master switch’s IP address or domain name. This relates to what
happens when you start a web browser management session with a
switch using SSL. The web browser on your management station checks
whether the name to which the certificate was issued matches the name of
the web site. In the case of a master or slave AT-9400 Series switch, the
web site’s name is the master switch’s IP address or domain name. If the
names do not match, the web browser displays a security warning. Of
course, even if you see the security warning, you can close the warning
prompt and still configure the switch using your web browser.
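The browser check described above, as an added example that is not part of the manual: a small parser for distinguished names in the `cn=...,ou=...,o=...,st=...,c=US` form used in this chapter, and a comparison of the certificate's common name against the address used to reach the switch (the hypothetical names `parse_dn` and `name_matches` are mine).

```python
"""Added example (not from the AT-S63 manual): parse a certificate
distinguished name and check whether its common name matches the name of
the web site, i.e. the master switch's IP address or DNS name."""
import ipaddress

# Attribute types that appear in this chapter's distinguished names.
KNOWN_ATTRS = {"cn", "ou", "o", "l", "st", "c"}


def parse_dn(dn: str) -> dict:
    """Split 'cn=149.11.11.11,ou=Network Support,o=XYZ Inc.,st=CA,c=US'
    into a dict keyed by lower-case attribute type. Whitespace around the
    separators is tolerated and a missing attribute is simply absent.
    Values containing an escaped comma are not handled here."""
    attrs = {}
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        key, value = rdn.split("=", 1)
        key = key.strip().lower()
        if key not in KNOWN_ATTRS:
            raise ValueError(f"unknown attribute type: {key!r}")
        attrs[key] = value.strip()
    return attrs


def name_matches(dn: str, site: str) -> bool:
    """Mirror the browser's check: the name the certificate was issued to
    (its cn) must equal the web site's name. A DN without a cn, such as the
    'ou=Network Support,...' example, never matches. If both sides parse as
    IP addresses they are compared as addresses; otherwise they are compared
    as DNS names, case-insensitively and ignoring a trailing dot."""
    cn = parse_dn(dn).get("cn")
    if cn is None:
        return False
    try:
        return ipaddress.ip_address(cn) == ipaddress.ip_address(site)
    except ValueError:
        return cn.rstrip(".").lower() == site.rstrip(".").lower()


if __name__ == "__main__":
    # A slave switch's certificate carrying the master's address matches a
    # session opened to the master; a cn-less DN does not.
    print(name_matches("cn=149.11.11.11", "149.11.11.11"))               # True
    print(name_matches("ou=Network Support,o=XYZ Inc.,st=CA,c=US",
                       "149.11.11.11"))                                  # False
```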

Note

If the certificate will be issued by a private or public CA, you should
check with the CA to see if they have any rules or guidelines on
distinguished names for the certificates they issue.
