Allied Telesis AT-S62 User Manual
Chapter 32: PKI Certificates and SSL
Section VII: Management Security
You cannot use quotation marks. To use the following special characters
{=,+<>#;\
Here are a few examples. This distinguished name contains only one part,
the name of the switch:
cn=Production Switch
This distinguished name omits the common name, but includes everything
else:
ou=Network Support,o=XYZ Inc.,st=CA,c=US
So what would be a good distinguished name for a certificate for an
AT-8500 Series switch? If the switch has an IP address, such as a master
switch, you could use its address as the name. The following example is a
distinguished name for a certificate for a master switch with the IP address
149.11.11.11:
cn=149.11.11.11
If your network has a Domain Name System and you mapped a name to
the IP address of a switch, you can specify the switch’s name instead of
the IP address as the distinguished name.
For those switches that do not have an IP address, such as slave
switches, you could assign their certificates a distinguished name using
the IP address of the master switch of the enhanced stack.
There is a benefit to giving a certificate a distinguished name equivalent to
a master switch’s IP address or domain name. It relates to what happens
when you start a web browser management session with a switch using
SSL. The web browser on your workstation checks whether the name to
which the certificate was issued matches the name of the web site. In the
case of a master or slave AT-8500 Series switch, the web site’s name is
the master switch’s IP address or domain name. If the names do not
match, the web browser displays a security warning. Of course, even if
you see the security warning, you can simply close the warning prompt.
The management session will still use encryption.
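The name comparison described above can be checked before a certificate is created. The following Python code is an added example, not part of this manual or of the AT-S62 software: it parses a distinguished name in the form shown on this page and reports whether its cn matches the address or domain name typed into the browser. The function names, the sample sessions and the domain name switch1.example.com are assumptions made for illustration, and names that use escaped special characters are rejected rather than parsed.

```python
import ipaddress

def parse_dn(dn):
    """Split a name such as 'ou=Network Support,o=XYZ Inc.,c=US' into (attribute, value) pairs."""
    if '"' in dn or "\\" in dn:
        raise ValueError("quotation marks and escaped characters are not handled here")
    parts = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed part: {rdn!r}")
        parts.append((attr.strip().lower(), value.strip()))
    return parts

def common_name(dn):
    """Return the cn value, or None when the name omits it."""
    for attr, value in parse_dn(dn):
        if attr == "cn":
            return value
    return None

def _as_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def name_matches(dn, host):
    """True when the certificate's cn names the host typed into the browser.
    IP addresses are compared as addresses, DNS names case-insensitively."""
    cn = common_name(dn)
    if cn is None:
        return False
    cn_ip, host_ip = _as_ip(cn), _as_ip(host)
    if cn_ip is not None or host_ip is not None:
        return cn_ip == host_ip
    return cn.rstrip(".").lower() == host.rstrip(".").lower()

# Constructed management sessions: (distinguished name, host in the URL)
SESSIONS = [
    ("cn=149.11.11.11", "149.11.11.11"),
    ("cn=149.11.11.11", "switch1.example.com"),
    ("cn=Production Switch", "149.11.11.11"),
    ("ou=Network Support,o=XYZ Inc.,st=CA,c=US", "149.11.11.11"),
]

if __name__ == "__main__":
    for dn, host in SESSIONS:
        print(f"{host:22} {dn:45} {'match' if name_matches(dn, host) else 'WARNING'}")
```

Only the first session matches; the other three are the cases in which the browser would display the security warning. Current browsers take the name from the certificate's subjectAltName extension rather than from cn, so the same comparison applies to that field.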
Note
If the certificate will be issued by a private or public CA, you should
check with the CA to see if they have any rules or guidelines on
distinguished names for the certificates they issue.