Pki implementation, Pki standards, Certificate retrieval and storage – Allied Telesis AT-S60 User Manual

AT-S60 Management Software User’s Guide

Section III: Security Features

363

PKI Implementation

The following sections discuss Allied Telesyn’s implementation of PKI for
the AT-8400 Series Switch. The following topics are covered:

❑ PKI Standards

❑ Certificate Retrieval and Storage

❑ Certificate Validation

❑ Root CA Certificates

PKI Standards

The following standards are supported by the switch:

❑ draft-ietf-pkix-roadmap-05 — PKIX Roadmap

❑ RFC 1779 — A String Representation of Distinguished Names

❑ RFC 2459 — PKIX Certificate and CRL Profile

❑ RFC 2511 — PKIX Certificate Request Message Format

❑ PKCS #10 v1.7 — Certification Request Syntax Standard

Certificate

Retrieval and

Storage

Certificates are stored by CAs in publicly accessible repositories for
retrieval by end entities. The following repositories used in PKI are
commonly accessed via the following protocols: Hypertext Transfer
Protocol (HTTP), File Transfer Protocol (FTP).

Before the switch can use a certificate, it must be retrieved and manually
added to the switch’s Certificate Database, which is stored in RAM
memory. The switch attempts to validate the certificate, and if validation
is successful the certificate’s public key is available for use.

Root CA Certificate Validation

Root CA certificates are verified out of band by comparing the
certificate’s fingerprint (the encrypted one-way hash with which the
issuing CA signs the certificate) with the fingerprint which the CA has
supplied by a non-network-based method. To view a certificate’s
fingerprint, use the procedure described in Creating Certificates on
page 364.

To manually set a verified root certificate to trusted, see Viewing
Certificates on page 374.