Basic overview, Types of certificates – Allied Telesis AT-S63 User Manual

AT-S63 Management Software Menus Interface User’s Guide

Section IV: Security

575

Basic Overview

This chapter describes the second part of the encryption feature of the
AT-S63 management software—PKI certificates. The first part is
explained in Chapter 26, ”Encryption Keys” on page 547. Encryption keys
and certificates allow you to encrypt the communications between your
management station and a switch when you manage the device with a
web browser. Encryption helps protect your switch from any intruder
who might be using a sniffer to monitor the network.

Types of

Certificates

As explained in the previous chapter, an encryption key is used to
encrypt the information in the frames that are exchanged between a
switch and a web browser during a web browser management session.

An encryption key consists of two parts: a private key and a public key.
The private key remains on the switch and is used by the device to
encrypt its messages.

The public key is incorporated into a certificate. This is the key that your
management station uses when you perform a web browser
management session. Your web browser downloads the certificate from
the switch when you begin a management session.

The quickest and easiest way to create a certificate is to have the switch
create it itself. This type of certificate is called a self-signed certificate. If
you have a small to medium sized network, then this might be the way
to go. The procedure for creating this kind of certificate can be found in
”Creating a Self-signed Certificate” on page 584. To review all the steps
to configuring the web server for this type of certificate, refer to ”General
Steps for a Self-signed Certificate” on page 545.

Another option is to create the key but have someone else issue the
certificate. That person, group, or organization is called a certification
authority (CA).

There are two kinds of CAs: public and private. A public CA issues
certificates for other companies and organizations. A prominent
example of a public CA is VeriSign. A public CA requires proof of the
identify of the company or organization that wants a certificate before it
issues it.

Public CAs issue certificates that are typically intended for use by the
general public. Because a certificate for an AT-9400 Series switch is used
only by you and other network managers, you might decide that it is not
necessary to have a public CA issue an AT-9400 Series switch certificate.

Some large companies have private CAs. This is a person or group within
the company that is responsible for issuing certificates for the