Allied Telesis AT-S63 User Manual
AT-S63 Management Software Features Guide
Section IX: Management Security
399
Overview
This chapter describes the second part of the encryption feature of the
AT-S63 Management Software—PKI certificates. The first part is
explained in Chapter 33, “Encryption Keys” on page 387. Encryption keys
and certificates allow you to encrypt the communications between your
management station and a switch during a web browser management
session, and so protect your switch from intruders who might be using a
sniffer to monitor the network for management packets.
AT-S63 Management Software—PKI certificates. The first part is
explained in Chapter 33, “Encryption Keys” on page 387. Encryption keys
and certificates allow you to encrypt the communications between your
management station and a switch during a web browser management
session, and so protect your switch from intruders who might be using a
sniffer to monitor the network for management packets.
Types of Certificates
As explained in the previous chapter, an encryption key encrypts the
information in the frames exchanged between a switch and a web browser
during a web browser management session. An encryption key consists of
two parts: a private key and a public key. The private key remains on the
switch and is used by the device to encrypt its messages.
information in the frames exchanged between a switch and a web browser
during a web browser management session. An encryption key consists of
two parts: a private key and a public key. The private key remains on the
switch and is used by the device to encrypt its messages.
The public key is incorporated into a certificate and is used by your
management station when you perform a web browser management
session. Your web browser downloads the certificate with the public key
from the switch when you begin a management session.
management station when you perform a web browser management
session. Your web browser downloads the certificate with the public key
from the switch when you begin a management session.
The quickest and easiest way to create a certificate is to have the switch
create it. This type of certificate is called a self-signed certificate. If you
have a small to medium sized network, this will probably be the best
approach. To review all the steps to configuring the web server for a self-
signed certificate, refer to “Configuring the Web Server for HTTPS” on
page 385.
create it. This type of certificate is called a self-signed certificate. If you
have a small to medium sized network, this will probably be the best
approach. To review all the steps to configuring the web server for a self-
signed certificate, refer to “Configuring the Web Server for HTTPS” on
page 385.
Another option is to create the key but have someone else issue the
certificate. That person, group, or organization is called a certification
authority (CA).
certificate. That person, group, or organization is called a certification
authority (CA).
There are two kinds of CAs: public and private. A public CA issues
certificates typically intended for use by the general public for other
companies and organizations. A public CA requires proof of the identify of
the company or organization before issuing a certificate. VeriSign is an
example of a public CA.
certificates typically intended for use by the general public for other
companies and organizations. A public CA requires proof of the identify of
the company or organization before issuing a certificate. VeriSign is an
example of a public CA.
Because a certificate for the AT-9400 Switch is not intended for general
use and will only be used by you and other network managers in managing
the switch, it probably will not be necessary for you to have a public CA
issue the certificate for the switch.
use and will only be used by you and other network managers in managing
the switch, it probably will not be necessary for you to have a public CA
issue the certificate for the switch.
Some large companies have private CAs. This is a person or group within
the company that is responsible for issuing certificates for the company’s
the company that is responsible for issuing certificates for the company’s