Allied Telesis AT-S63 User Manual
Chapter 34: PKI Certificates and SSL
408
Section IX: Management Security
this, and other attacks, PKI provides a means for secure transfer of public
keys by linking an identity and that identity’s public key in a secure
certificate.
keys by linking an identity and that identity’s public key in a secure
certificate.
Caution
Although a certificate binds a public key to a subject to ensure the
public key’s security, it does not guarantee that the security of the
associated private key has not been breached. A secure system is
dependent upon private keys being kept secret, by protecting them
from malicious physical and virtual access.
public key’s security, it does not guarantee that the security of the
associated private key has not been breached. A secure system is
dependent upon private keys being kept secret, by protecting them
from malicious physical and virtual access.
Certificates
A certificate is an electronic identity document. To create a certificate for a
subject, a trusted third party (known as the Certification Authority) verifies
the subject’s identity, binds a public key to that identity, and digitally signs
the certificate. A person receiving a copy of the certificate can verify the
Certification Authority’s digital signature and be sure that the public key is
owned by the identity in it.
subject, a trusted third party (known as the Certification Authority) verifies
the subject’s identity, binds a public key to that identity, and digitally signs
the certificate. A person receiving a copy of the certificate can verify the
Certification Authority’s digital signature and be sure that the public key is
owned by the identity in it.
The switch can generate a self-signed certificate but this should only be
used with an SSL enabled HTTP server, or where third party trust is not
required.
used with an SSL enabled HTTP server, or where third party trust is not
required.
X.509 Certificates
The X.509 specification specifies a format for certificates. Almost all
certificates use the X.509 version 3 format, described in RFC 2459,
Internet X.509 Public Key Infrastructure Certificate and CRL Profile. This
is the format which is supported by the switch.
certificates use the X.509 version 3 format, described in RFC 2459,
Internet X.509 Public Key Infrastructure Certificate and CRL Profile. This
is the format which is supported by the switch.
An X.509 v3 certificate consists of:
A serial number, which distinguishes the certificate from all others
issued by that issuer. This serial number is used to identify the
certificate in a Certificate Revocation List, if necessary.
issued by that issuer. This serial number is used to identify the
certificate in a Certificate Revocation List, if necessary.
The owner’s identity details, such as name, company and address.
The owner’s public key, and information about the algorithm with
which it was produced.
which it was produced.
The identity details of the organization which issued the certificate.
The issuer’s digital signature and the algorithm used to produce it.
The period for which the certificate is valid.
Optional information is included, such as the type of application with
which the certificate is intended to be used.
which the certificate is intended to be used.
The issuing organization’s digital signature is included in order to
authenticate the certificate. As a result, if a certificate is tampered with
during transmission, the tampering is detected.
authenticate the certificate. As a result, if a certificate is tampered with
during transmission, the tampering is detected.