Lindy 32530 User Manual


Section 5 IP Access Configuration & Operation

Certificate

The U8/16-IP uses the Secure Sockets Layer (SSL) protocol for any encrypted network traffic between itself and a connected client. During connection establishment the U8/16-IP has to prove its identity to the client using a cryptographic certificate.

This certificate and the underlying secret key are the same for all U8/16-IP units and certainly will not match the network configuration that will be applied to the U8/16-IP by its user. The certificate's underlying secret key is also used for securing the SSL handshake. Hence, this is a security risk (but far better than no encryption at all).

However, it is possible to generate and install a new certificate that is unique to a particular U8/16-IP. To do this, the U8/16-IP can generate a new cryptographic key and the associated Certificate Signing Request (CSR), which needs to be certified by a certification authority (CA). A certification authority verifies that you are the person you claim to be, and signs and issues an SSL certificate to you.

The following steps are necessary to create and install an SSL certificate for the U8/16-IP:

1. Create an SSL Certificate Signing Request using the panel shown in the screen shot above. You need to fill out a number of fields that are explained on the next page. Once this is done, click on the Create button to initiate the Certificate Signing Request generation. The CSR can be downloaded to your administration machine with the Download CSR button (see the illustration on the next page).

2. Send the saved CSR to a CA for certification. You will get the new certificate from the CA after a more or less complicated traditional authentication process (depending on the CA).

3. Upload the certificate to the U8/16-IP switch using the Upload button.

After completing these three steps, the U8/16-IP has its own certificate that is used to identify it to its clients.
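To confirm after step 3 that a unit no longer presents the certificate shared by all units, compare certificate fingerprints across the installed units. The following is an added example, not part of the original manual; the host names, the filler "certificates" and the optional factory fingerprint parameter are constructed assumptions.

```python
import hashlib
import ssl
from collections import defaultdict


def fingerprint(pem: str) -> str:
    """SHA-256 of the DER-encoded certificate, as hex."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def fetch_pem(host: str, port: int = 443) -> str:
    """Fetch the certificate a unit presents, without validating it."""
    return ssl.get_server_certificate((host, port))


def audit(certs: dict, factory_fp: str = "") -> dict:
    """Classify each host as 'factory-default', 'shared' or 'unique'.

    certs maps host name -> PEM certificate; factory_fp is the fingerprint
    recorded from a unit in factory state (optional).
    """
    hosts_by_fp = defaultdict(list)
    for host, pem in certs.items():
        hosts_by_fp[fingerprint(pem)].append(host)
    verdict = {}
    for fp, hosts in hosts_by_fp.items():
        for host in hosts:
            if factory_fp and fp == factory_fp:
                verdict[host] = "factory-default"
            elif len(hosts) > 1:
                verdict[host] = "shared"  # same certificate on several units
            else:
                verdict[host] = "unique"
    return verdict


def constructed_pem(seed: bytes) -> str:
    """Constructed sample: PEM armour around filler bytes, not a real certificate."""
    return ssl.DER_cert_to_PEM_cert(hashlib.sha256(seed).digest() * 8)


# Constructed inventory: two units still on the shared certificate, one re-keyed.
SAMPLE = {
    "kvm-a.example": constructed_pem(b"factory"),
    "kvm-b.example": constructed_pem(b"factory"),
    "kvm-c.example": constructed_pem(b"unit-c"),
}

if __name__ == "__main__":
    for host, state in sorted(audit(SAMPLE).items()):
        print(host, state)
```

Against real units, build the input with fetch_pem(), for example audit({h: fetch_pem(h) for h in hosts}); any unit reported as shared or factory-default still needs the three steps above.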

Common name

This is the network name of the U8/16-IP once it is installed in the user's network. It is identical to the name that is used to access the U8/16-IP with a web browser (without the “http://” prefix). If the name given here and the actual network name differ, the browser will pop up a security warning when the U8/16-IP is accessed using HTTPS.

Organizational unit

This field is used for specifying to which department within an organization the U8/16-IP belongs.

Organization

The name of the organization to which the U8/16-IP belongs.

Locality/City

The city where the organization is located.

State/Province

The state or province where the organization is located.

Country (ISO code)

The country where the organization is located. This is the two-letter ISO code, e.g. DE for Germany, or US for the USA.

Challenge Password

Some certification authorities require a challenge password to authorize later changes to the certificate (e.g. revocation of the certificate). The minimum length of this password is 4 characters.

Note:

If you destroy the CSR on the U8/16-IP there is no way to get it back! If you delete it by mistake, you have to repeat the three steps described previously.
