
Allied Telesis AT-S62 User Manual


AT-S62 Menus Interface User’s Guide

Section VII: Management Security


A certificate name does not have to contain all of these parts. You can
use as many or as few as you want. You separate the parts with a comma.
You can use alphanumeric characters, as well as spaces in the name
strings. You cannot use quotation marks. To use the following special
characters {=,+<>#;\}, type a “\” before the character.

Here are a few examples. This distinguished name contains only one
part, the name of the switch:

cn=Production Switch

This distinguished name omits the common name, but includes
everything else:

ou=Network Support,o=XYZ Inc.,st=CA,c=US

So what would be a good distinguished name for a certificate for an
AT-8500 Series switch? If the switch has an IP address, such as a master
switch, you could use its address as the name. The following example is a
distinguished name for a certificate for a master switch with the IP
address 149.11.11.11:

cn=149.11.11.11

If your network has a Domain Name System and you mapped a name to
the IP address of a switch, you can specify the switch’s name instead of
the IP address as the distinguished name.

For those switches that do not have an IP address, such as slave switches,
you could assign their certificates a distinguished name using the IP
address of the master switch of the enhanced stack.

There is a benefit to giving a certificate a distinguished name equivalent
to a master switch’s IP address or domain name. It relates to what
happens when you start a web browser management session with a
switch using SSL. The web browser on your workstation will check to see
if the name to whom the certificate was issued matches the name of the
web site. In the case of a master or slave AT-8500 Series switch, the web
site’s name is the master switch’s IP address or domain name. If the
names do not match, the web browser displays a security warning. Of
course, even if you see the security warning, you can simply close the
warning prompt. The management session will still use encryption.
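
The naming rules and the browser name check described above can be tried before a certificate is created. The following Python sketch is an added example, not part of the manual or the AT-S62 software; the function names are hypothetical, and it assumes the name check is a case-insensitive comparison of the cn part against the address or DNS name typed into the browser.

```python
# Added example: function names are hypothetical, not AT-S62 commands.
SPECIAL = set('=,+<>#;\\')  # characters the manual says need a leading "\"

def escape_value(value):
    """Escape one name string; quotation marks are refused, as in the manual."""
    if '"' in value:
        raise ValueError("quotation marks are not allowed in a name string")
    return "".join("\\" + ch if ch in SPECIAL else ch for ch in value)

def build_dn(parts):
    """parts: list of (attribute, value) pairs, e.g. [("cn", "149.11.11.11")]."""
    return ",".join(f"{attr}={escape_value(val)}" for attr, val in parts)

def parse_dn(dn):
    """Split on unescaped commas and on the first '=' of each part."""
    parts, attr, buf, escaped = [], None, [], False
    for ch in dn + ",":  # the trailing comma flushes the last part
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and attr is None:
            attr, buf = "".join(buf).strip().lower(), []
        elif ch == ",":
            if attr is None:
                raise ValueError("part without '=': " + "".join(buf))
            parts.append((attr, "".join(buf)))
            attr, buf = None, []
        else:
            buf.append(ch)
    if escaped or attr is not None or buf:
        raise ValueError("distinguished name ends with a dangling backslash")
    return parts

def cn_matches_host(dn, host):
    """True when a cn part equals the address or name used in the browser."""
    cns = [val for attr, val in parse_dn(dn) if attr == "cn"]
    return any(cn.strip().lower() == host.strip().lower() for cn in cns)
```

A distinguished name such as cn=Production Switch fails cn_matches_host() for 149.11.11.11, which is the case where the browser displays the security warning.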

Note

If the certificate will be issued by a private or public CA, you should
check with the CA to see if they have any rules or guidelines on
distinguished names for the certificates they issue.