Certificates, X.509 certificates – Allied Telesis AT-S63 User Manual

Page 580

Chapter 27: PKI Certificates and SSL

Section IV: Security

Caution

A certificate binds a public key to a subject so that a relying party can
authenticate the public key; it says nothing about whether the matching
private key is still secret. A secure system depends on private keys being
kept secret, by protecting them from unauthorized physical and remote
access. If a private key is disclosed, every certificate issued for it
should be treated as compromised and revoked.

Certificates

A certificate is an electronic identity document. To create a certificate for
a subject, a trusted third party (known as the Certification Authority)
verifies the subject's identity, binds a public key to that identity, and
digitally signs the certificate. Anyone who receives a copy of the certificate
can verify the Certification Authority's digital signature and, provided they
trust that authority, be sure that the public key belongs to the subject
named in it.

The switch can generate a self-signed certificate, but because no
Certification Authority vouches for it, a self-signed certificate should be
used only for the switch's SSL-enabled HTTP server, or in other situations
where third-party trust is not required. A client that connects to the
switch must be configured to trust that specific certificate.

X.509 Certificates

The X.509 specification defines a format for certificates. Almost all
certificates use the X.509 version 3 format, profiled for Internet use in
RFC 2459, Internet X.509 Public Key Infrastructure Certificate and CRL Profile
(since superseded by RFC 3280 and then RFC 5280, which keep the same version 3
structure). This is the format supported by the switch.

An X.509 v3 certificate consists of:

❑ A serial number, which distinguishes the certificate from all others
issued by the same issuer. The issuer name and serial number together
identify the certificate, and the serial number is what a Certificate
Revocation List uses to list the certificate if it is revoked.

❑ The subject's (owner's) identity details, such as name, organization and
address.

❑ The subject's public key, and an identifier of the algorithm the key is to
be used with (for example, RSA).

❑ The identity details of the issuer, the organization that issued the
certificate.

❑ The issuer's digital signature, and an identifier of the algorithm used to
produce it.

❑ The validity period: a date before which and a date after which the
certificate is not valid.

❑ Optional extensions (introduced in version 3), such as key usage and
extended key usage, which state the purpose or type of application the
certificate is intended for.

The issuer's digital signature is included so that the certificate can be
authenticated. The signature is computed over the signed portion of the
certificate (every field listed above except the signature itself), so if any
of those fields is altered in transit, the signature no longer verifies and
the tampering is detected. Verifying the signature requires the issuer's
public key, which is normally obtained from the issuer's own certificate.
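The following is an added example, not Allied Telesis code and not anything the AT-S63 software exposes: in Python 3.8 or later, using only the standard library, it encodes a small X.509 v3 certificate carrying every field in the list above (serial number, subject and issuer names, public key with its algorithm identifier, validity period, signature algorithm, an extendedKeyUsage extension naming a TLS server as the intended application, and the issuer's signature), parses it back into those fields, and shows that the signature verifies with the issuer's public key but fails after a single bit of the subject name is flipped in transit. The CA name, switch name, serial number and dates are made up, and the RSA keys are built from fixed, publicly known Mersenne primes so that the run is deterministic; a real key must be generated from secret random primes.

```python
# Added example, not Allied Telesis code: build a minimal X.509 v3 certificate with the standard library
# only, parse it back into the fields listed above, and check the issuer's signature before and after
# tampering. Names, serial number and dates are made up. The RSA primes are fixed, publicly known
# Mersenne primes so the demo is deterministic; a real key must never be built this way.
import hashlib

# ---- DER encoding: the ASN.1 subset an X.509 certificate needs ----
def der_len(n):  # short form below 128, else 0x80 | byte count followed by the length, big-endian
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(b)]) + b
def tlv(tag, body): return bytes([tag]) + der_len(len(body)) + body
def seq(*items): return tlv(0x30, b"".join(items))
def bit_string(b): return tlv(0x03, b"\x00" + b)  # leading byte = number of unused bits
def integer(v): return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))  # spare byte keeps the sign bit clear
def name(cn): return seq(tlv(0x31, seq(oid("2.5.4.3"), tlv(0x0C, cn.encode()))))  # SEQUENCE OF SET OF {type, value}
def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:  # base 128, high bit set on every byte but the last
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.append(0x80 | (a & 0x7F))
        out += reversed(chunk)
    return tlv(0x06, bytes(out))
SHA256_RSA = seq(oid("1.2.840.113549.1.1.11"), tlv(0x05, b""))  # sha256WithRSAEncryption
RSA_KEY = seq(oid("1.2.840.113549.1.1.1"), tlv(0x05, b""))      # rsaEncryption
DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")

# ---- RSA PKCS#1 v1.5 signature over the TBSCertificate ----
def rsa_key(p, q, e=65537): return p * q, e, pow(e, -1, (p - 1) * (q - 1))  # (n, e, d)
def klen(n): return (n.bit_length() + 7) // 8  # modulus length in bytes
def emsa_pkcs1(tbs, n):  # DigestInfo(SHA-256) || H(tbs), padded out to the modulus length
    t = DIGESTINFO_SHA256 + hashlib.sha256(tbs).digest()
    return b"\x00\x01" + b"\xff" * (klen(n) - len(t) - 3) + b"\x00" + t
def rsa_sign(tbs, n, d): return pow(int.from_bytes(emsa_pkcs1(tbs, n), "big"), d, n).to_bytes(klen(n), "big")
def rsa_verify(tbs, sig, n, e): return pow(int.from_bytes(sig, "big"), e, n).to_bytes(klen(n), "big") == emsa_pkcs1(tbs, n)

def build_cert(subject_cn, issuer_cn, serial, subject_pub, issuer_priv, not_before, not_after):
    spki = seq(RSA_KEY, bit_string(seq(integer(subject_pub[0]), integer(subject_pub[1]))))
    # extendedKeyUsage = id-kp-serverAuth: the kind of application this certificate is meant for
    eku = seq(oid("2.5.29.37"), tlv(0x04, seq(oid("1.3.6.1.5.5.7.3.1"))))
    tbs = seq(tlv(0xA0, integer(2)), integer(serial), SHA256_RSA, name(issuer_cn),  # [0] version = v3
              seq(tlv(0x17, not_before.encode()), tlv(0x17, not_after.encode())),  # UTCTime pair
              name(subject_cn), spki, tlv(0xA3, seq(eku)))                           # [3] extensions
    return seq(tbs, SHA256_RSA, bit_string(rsa_sign(tbs, *issuer_priv)))

# ---- DER parsing: X.509 needs single-byte tags only ----
def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length
def children(body):  # (tag, value) of each element inside a constructed type
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out
def oid_str(b):
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs, v = arcs + [v], 0
    return ".".join(map(str, arcs))
def common_name(name_body):  # value of the first attribute in the first RDN; build_cert only ever puts commonName there
    return children(children(children(name_body)[0][1])[0][1])[1][1].decode()
def parse_cert(der):
    """Return the fields the manual lists, plus the exact bytes the issuer signed."""
    (_, tbs_body), (_, alg), (_, sig) = children(read_tlv(der)[1])
    fields, version = children(tbs_body), 1
    if fields[0][0] == 0xA0:  # [0] EXPLICIT version; absent from a v1 certificate
        version, fields = int.from_bytes(children(fields[0][1])[0][1], "big") + 1, fields[1:]
    serial, _, issuer, validity, subject, spki = fields[:6]
    (_, key_alg), (_, key_bits) = children(spki[1])
    (_, n_bytes), (_, e_bytes) = children(children(key_bits[1:])[0][1])
    extensions = [oid_str(children(ext)[0][1]) for tag, val in fields[6:] if tag == 0xA3
                  for _, ext in children(children(val)[0][1])]  # [3] EXPLICIT extensions
    return {"version": version, "serial": int.from_bytes(serial[1], "big"),
            "issuer": common_name(issuer[1]), "subject": common_name(subject[1]),
            "validity": tuple(v.decode() for _, v in children(validity[1])),
            "key_algorithm": oid_str(children(key_alg)[0][1]),
            "public_key": (int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")),
            "signature_algorithm": oid_str(children(alg)[0][1]), "extensions": extensions,
            "tbs": tlv(0x30, tbs_body),  # DER is canonical, so this is byte-for-byte what was signed
            "signature": sig[1:]}
def verify_cert(der, issuer_pub):  # True only if the issuer's public key verifies the signature over the TBSCertificate
    c = parse_cert(der)
    return c["signature_algorithm"] == "1.2.840.113549.1.1.11" and rsa_verify(c["tbs"], c["signature"], *issuer_pub)

def demo():
    ca_n, ca_e, ca_d = rsa_key((1 << 607) - 1, (1 << 521) - 1)  # the Certification Authority's key pair
    sw_n, sw_e, _ = rsa_key((1 << 1279) - 1, (1 << 127) - 1)    # the switch's key pair; only its public half is embedded
    cert = build_cert("switch.example.net", "Example Root CA", 0x1001,
                      (sw_n, sw_e), (ca_n, ca_d), "240101000000Z", "340101000000Z")
    tampered = bytearray(cert)
    tampered[cert.index(b"switch.example.net")] ^= 0x01  # one bit of the subject name flipped in transit
    return parse_cert(cert), verify_cert(cert, (ca_n, ca_e)), verify_cert(bytes(tampered), (ca_n, ca_e))
```

Calling demo() returns the parsed fields together with the two verification results (True for the certificate as issued, False after the flipped bit). Two points the code makes that the prose leaves implicit: the signature covers the DER bytes of the TBSCertificate rather than the certificate as a whole, so any change inside that structure, however small, breaks verification; and verification needs the issuer's public key, which for a CA-issued certificate comes from the CA's own certificate, while for the switch's self-signed certificate it is the key inside the certificate itself, which is why a self-signed certificate proves nothing to a client that does not already trust it.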
