3Com WX2200 3CRWX220095A Switch User Manual


 
About Keys and Certificates 415
About Keys and
Certificates
Public-private key pairs and digital signatures and certificates allow keys
to be generated dynamically so that data can be securely encrypted and
delivered. You generate the key pairs and certificates on the WX switch
or install them on the switch after enrolling with a certificate authority
(CA). The WX switch can generate key pairs, self-signed certificates, and
Certificate Signing Requests (CSRs), and can install key pairs, server
certificates, and certificates generated by a CA.
The WX switch uses separate server certificates for Admin, EAP (802.1X),
and WebAAA authentication. Where applicable, the manuals refer to
these server certificates as Admin, EAP (or 802.1X), or WebAAA
certificates respectively.
When the WX switch needs to communicate with 3Com Wireless Switch
Manager, Web Manager, or an 802.1X or WebAAA client, MSS requests
a private key from the switch’s certificate and key store:
If no private key is available in the WX switch’s certificate and key
store, the switch does not respond to the request from MSS. If the
switch does have a private key in its key store, MSS requests a
corresponding certificate.
If the WX switch has a self-signed certificate in its certificate and key
store, the switch responds to the request from MSS. If the certificate is
not self-signed, the switch looks for a CA’s certificate with which to
validate the server certificate.
If the WX switch has no corresponding CA certificate, the switch does
not respond to the request from MSS. If the switch does have a
corresponding CA certificate, and the server certificate is validated
(date still valid, signature approved), the switch responds.
If the WX switch does not respond to the request from MSS,
authentication fails and access is denied.
For EAP (802.1X) users, the public-private key pairs and digital certificates
can be stored on a RADIUS server. In this case, the WX switch operates as
a pass-through authenticator.