Certificate validation – Allied Telesis AT-S60 User Manual

AT-S60 Management Software User’s Guide

Section V: Security Features

505

Certification Authorities

A Certification Authority is an entity which issues, updates, revokes and
otherwise manages public keys and their certificates. A CA receives
requests for certification, validates the requester’s identity according to
the CA’s requirements, and issues the certificate, signed with one of the
CA’s keys. CAs may also perform the functions of End Entities, in that
they may make use of other CAs’ certificates for message encryption and
verification of digital signatures.

An organization may own a Certification Authority and issue certificates
for use within its own networks. In addition, an organization’s certificates
may be accepted by another network, after an exchange of certificates
has validated a certificate for use by both parties. As an alternative, an
outside CA may be used. The switch can interact with the CA, whether a
CA is part of the organization or not, by sending the CA requests for
certification.

The usefulness of certificates depends on how much you trust the
source of the certificate. You must be able to trust the issuing CA to
verify identities reliably. The level of verification required in a given
situation depends on the organization’s security needs.

Certificate

Validation

To validate a certificate, the End Entity verifies the signature in the
certificate, using the public key of the CA who issued the certificate.

CA Hierarchies and Certificate Chains

It may not be practical for every individual certificate in an organization
to be signed by one Certification Authority. A certification hierarchy may
be formed, in which one CA (for example, national headquarters) is
declared to be the root CA. This CA issues certificates to the next level
down in the hierarchy (for example, regional headquarters), who
become subordinate CAs and issue certificates to the next level down,
and so on. A hierarchy may have as many levels as needed.

Certificate hierarchies allow validation of certificates through certificate
chains and cross-certification. If a switch X, which holds a certificate
signed by CA X, wishes to communicate securely with a switch Y, which
holds a certificate signed by CA Y, there are two ways in which the
switches can validate each other’s certificates. Cross-certification occurs
when switch X validates switch Y's CA (CA Y) by obtaining a certificate for
switch Y's CA which has been issued by its own CA (CA X). A certificate
chain is formed if both CA X and CA Y hold a certificate signed by a root
CA Z, which the switches have verified out of band. Switch X can validate
switch Y’s certificate (and vice versa) by following the chain up to CA Z.