Allied Telesis AT-S63 User Manual

Page 577

AT-S63 Management Software Menus Interface User’s Guide

Section IV: Security

Following are a few examples. This distinguished name contains only
one part, the name of the switch:

cn=Production Switch

This distinguished name omits the common name, but includes
everything else:

ou=Network Support,o=XYZ Inc.,st=CA,c=US

So what would be a good distinguished name for a certificate for an
AT-8524M switch? If the switch has an IP address, such as a master
switch, you could use its address as the name. The following example is a
distinguished name for a certificate for a master switch with the IP
address 149.11.11.11:

cn=149.11.11.11

If your network has a Domain Name System and you mapped a name to
the IP address of a switch, you can specify the switch’s name instead of
the IP address as the distinguished name.

For those switches that do not have an IP address, such as slave switches,
you could assign their certificates a distinguished name using the IP
address of the master switch of the enhanced stack.

There is a benefit to giving a certificate a distinguished name equivalent
to a master switch’s IP address or domain name. This relates to what
happens when you start a web browser management session with a
switch using SSL. The web browser on your management station checks
to see if the name to which the certificate was issued matches the name
of the web site. In the case of a master or slave AT-9400 Series switch, the
web site’s name is the master switch’s IP address or domain name. If the
names do not match, the web browser displays a security warning. Of
course, even if you see the security warning, you can close the warning
prompt and still configure the switch using your web browser.
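
The name check described above, as an added example (not from the AT-S63 manual or Allied Telesis): it parses a distinguished name in the form shown on this page and compares its cn with the name entered in the browser. The host name switch1.example.com used in testing and the backslash-escape handling are assumptions; current browsers perform this comparison against the certificate's subjectAltName entries rather than cn.

```python
import ipaddress

# Attribute types used in this page's examples.
KNOWN_ATTRS = {"cn", "ou", "o", "st", "c"}

def parse_dn(dn):
    """Split a DN such as 'ou=Network Support,o=XYZ Inc.,st=CA,c=US'."""
    parts, buf, escaped = [], "", False
    for ch in dn:
        if escaped:              # assumption: RFC 4514 style "\," escapes
            buf, escaped = buf + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    fields = {}
    for part in parts:
        key, sep, value = part.partition("=")
        key, value = key.strip().lower(), value.strip()
        if not sep or not value or key not in KNOWN_ATTRS:
            raise ValueError(f"bad DN component: {part!r}")
        fields[key] = value
    return fields

def name_matches(dn, site_name):
    """True when the DN's cn equals the name typed into the browser."""
    cn = parse_dn(dn).get("cn")
    if cn is None:               # no common name: the browser would warn
        return False
    try:                         # compare IP addresses as addresses
        return ipaddress.ip_address(cn) == ipaddress.ip_address(site_name)
    except ValueError:           # otherwise compare DNS names, case-insensitively
        return cn.lower().rstrip(".") == site_name.lower().rstrip(".")

if __name__ == "__main__":
    master = "149.11.11.11"      # master switch address from the page
    for dn in ("cn=149.11.11.11", "cn=Production Switch",
               "ou=Network Support,o=XYZ Inc.,st=CA,c=US"):
        print(f"{dn!r}: {'ok' if name_matches(dn, master) else 'browser warning'}")
```
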

Note

If the certificate will be issued by a private or public CA, you should
check with the CA to see if they have any rules or guidelines on
distinguished names for the certificates they issue.