Basic overview, Types of certificates – Allied Telesis AT-S62 User Manual
Page 706
Chapter 32: PKI Certificates and SSL
Section VII: Management Security
Basic Overview
This chapter explains how to implement encryption for your web browser
management sessions. Encryption can protect your managed switches
from unauthorized access by making it impossible for an intruder
monitoring network traffic to decipher the contents of the management
packets exchanged between your workstation and a switch during a web
browser management session.
Web browser encryption involves an encryption key pair and a digital
document called a certificate. The key, as explained in Chapter 31,
“Encryption Keys” on page 687, consists of two parts, a private key and a
public key. The private key always remains on the switch. The public key
is incorporated into a certificate. Your web browser downloads the
certificate from the switch when you begin a management session.
Web browser encryption is provided by the Secure Sockets Layer (SSL)
protocol. SSL was originally designed to offer security in Internet
commerce and other web transactions, so as to provide Internet users a
means of protecting their information from prying eyes as it crosses the
Internet.
Of course, managing a switch with a web browser cannot be characterized
as Internet commerce. But the sensitive nature of the information
contained within the management packets makes protecting the packets a
critical component of network security, and SSL provides the means for
doing just that.
Types of Certificates
The AT-S62 management software supports two types of certificates. The
first is called a self-signed certificate. This is the quickest and easiest to
create because the switch creates it itself. For small to medium sized
networks, this might be the way to go. The procedure for creating this kind
of certificate is found in “Creating a Self-signed Certificate” on page 718.
To review all the steps to configuring the web server on the switch for this
type of certificate, refer to “General Steps for a Self-signed Certificate” on
page 685.
The second type of certificate is a CA certificate. Here, you create the
encryption key pair on the switch but someone else issues the certificate,
which you then load onto the switch. That person, group, or organization
that issues the certificate is called a certification authority (CA).
There are two kinds of CAs: public and private. A public CA issues
certificates for other companies and organizations. A well known example
is Verisign. A public CA will require proof of the identity of the company or
organization that wants a certificate before it will issue it.
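The following shell session is an added illustration and is not part of the AT-S62 manual or of any Allied Telesis software. It uses the openssl command line to play both roles the section describes: first the switch generating a self-signed certificate, then the switch generating a key pair and a signing request that a private CA turns into a CA-issued certificate. The host names switch.example.lab and lab-ca.example.lab are assumed placeholders. The verify step stands in for what a web browser does when it downloads the certificate at the start of a management session: the self-signed certificate only checks out when the browser has been told to trust that exact certificate, while the CA-issued one checks out against the CA's root certificate. The last check confirms that only the public half ever leaves the switch, which is the property the chapter relies on.

```shell
#!/bin/sh
# Added example, not from the AT-S62 manual. Requires the openssl CLI.
# Host names and file names below are assumed placeholders.
set -e

WORK="${TMPDIR:-/tmp}/at-s62-cert-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Type 1: self-signed certificate. The switch generates the key pair and
# signs its own certificate; openssl plays the switch here.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=switch.example.lab" \
        -keyout "$WORK/switch-self.key" -out "$WORK/switch-self.crt" 2>/dev/null
}

# Type 2: CA-issued certificate. The key pair is still created on the
# "switch"; only a certificate signing request (CSR) leaves it, and a
# private CA returns the signed certificate that is then loaded back.
make_ca_issued() {
    # The private CA's own key and root certificate (assumed lab CA).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=lab-ca.example.lab" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    # Switch key pair plus CSR; the CSR carries the public key only.
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=switch.example.lab" \
        -keyout "$WORK/switch-ca.key" -out "$WORK/switch.csr" 2>/dev/null
    # The CA signs the CSR and produces the certificate for the switch.
    openssl x509 -req -in "$WORK/switch.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 365 -sha256 -out "$WORK/switch-ca.crt" 2>/dev/null
}

# What the browser does on connect: validate the presented certificate
# against the trust anchors it holds. Exit 0 = chain verifies, 1 = rejected.
# $1 = trust anchor file, $2 = certificate presented by the switch
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Exit 0 if the file contains private key material. Anything that leaves
# the switch (CSR, certificate) must fail this check.
contains_private_key() {
    grep -q "PRIVATE KEY" "$1"
}

# Human-readable summary of the four browser-side outcomes.
report() {
    if verify_against "$1" "$2"; then r="accepted"; else r="rejected"; fi
    echo "$(basename "$2") checked against $(basename "$1"): $r"
}

make_self_signed
make_ca_issued
report "$WORK/switch-self.crt" "$WORK/switch-self.crt"   # accepted
report "$WORK/ca.crt"          "$WORK/switch-self.crt"   # rejected
report "$WORK/ca.crt"          "$WORK/switch-ca.crt"     # accepted
report "$WORK/switch-self.crt" "$WORK/switch-ca.crt"     # rejected
if contains_private_key "$WORK/switch.csr"; then
    echo "CSR leaked the private key"
else
    echo "CSR carries the public key only"
fi
```

The two "rejected" lines are the point of the section: a self-signed certificate gives the browser nothing to chain to unless the administrator installs that certificate as a trust anchor, whereas a CA-issued certificate is accepted by every browser that already trusts the CA. For a private CA that means distributing one root certificate to the management workstations instead of one certificate per switch.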
Public CAs issue certificates typically intended for use by the general
public. Since a certificate for an AT-8500 Series switch is not intended for