Allied Telesis AT-9000/28POE Switch User Manual


AT-9000 Switch Command Line User’s Guide
Private CAs allow companies to keep track of the certificates and control
access to various network devices.
If your company is large enough, it might have a private CA, and you might
want that group to issue the certificate for the switch so that you are in
compliance with company policy.
If you choose to have a public or private CA issue the certificate, you must
first create a self-signed certificate. Afterwards, you have to generate a
digital document, called an enrollment request, which you send to the CA.
The document contains the public key and other information that the CA
will use to create the certificate.
Before sending an enrollment request to a CA, you should contact the CA
to determine what other documents or procedures might be required in
order for the CA to process the certificate. This is particularly important
with public CAs, which typically have strict guidelines on issuing
certificates.
Distinguished Name
A certificate, whether it is self-signed by the switch or issued by a CA, must
identify its owner, which, in the case of a certificate for the switch, is the
switch itself and your company. The name of the owner is entered in the
form of a distinguished name, which has six parts.
Common name (cn): This is the IP address or name of the switch.
Organizational unit (ou): This is the name of the department, such
as Network Support or IT, that the switch is serving.
Organization (o): This is the name of your company.
Location: The location of the switch or company, such as the city.
State (st): The state where the switch or company is located.
Country (c): This is the country.
The common name of a certificate for the switch should be its IP address.
At the start of an HTTPS web browser management session with the
switch, the web browser on your management station checks to see if the
name to whom the certificate was issued matches the name of the web
site. In the case of the switch, the web site’s name is the switch’s IP
address. If they do not match, your web browser displays a security
warning. It is for this reason that the common name in the distinguished
name should be the IP address of the switch. Of course, even if you see
the security warning, you can close the warning prompt and still configure
the switch using your web browser.
Alternatively, if your network has a Domain Name System, and you
mapped a name to the IP address of the switch, you can specify the
switch’s name, instead of the IP address, as the common name in the
distinguished name.
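
The name check described above can be rehearsed before a certificate is installed. The following is an added example, not part of the Allied Telesis guide or the switch software: it takes a certificate in the dictionary form returned by Python's ssl.SSLSocket.getpeercert() and the address or name typed into the browser, and reports missing distinguished-name parts and name mismatches. The guide describes matching on the common name; current browsers match on the certificate's subjectAltName entries instead, so the check covers both. The function name audit and the sample values are assumptions made for illustration.

```python
import ipaddress

# The six distinguished-name parts listed in the guide, under the attribute
# names used by ssl.SSLSocket.getpeercert().
DN_PARTS = ("commonName", "organizationalUnitName", "organizationName",
            "localityName", "stateOrProvinceName", "countryName")

def _as_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def _same_name(presented, target):
    """Compare as IP addresses if either side is one, else as DNS names."""
    a, b = _as_ip(presented), _as_ip(target)
    if a is not None or b is not None:
        return a is not None and a == b
    # Exact DNS comparison only; wildcard names are out of scope here.
    return presented.rstrip(".").lower() == target.rstrip(".").lower()

def audit(cert, target):
    """Return findings for a getpeercert()-style dict and the address or
    name used to reach the switch. An empty list means no warning expected."""
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    findings = [f"DN is missing {p}" for p in DN_PARTS if p not in subject]
    want = "IP Address" if _as_ip(target) is not None else "DNS"
    sans = cert.get("subjectAltName", ())
    if sans:
        # An IP target is matched only against IP entries, a name only
        # against DNS entries.
        if not any(k == want and _same_name(v, target) for k, v in sans):
            findings.append(f"no subjectAltName entry matches {target}")
    else:
        findings.append("no subjectAltName: common-name matching is legacy")
        cn = subject.get("commonName", "")
        if not _same_name(cn, target):
            findings.append(f"common name {cn!r} does not match {target}")
    return findings

# Constructed sample: certificate issued to a DNS name, no locality, no SAN.
SAMPLE = {"subject": ((("commonName", "sw1.example.com"),),
                      (("organizationalUnitName", "Network Support"),),
                      (("organizationName", "Example Corp"),),
                      (("stateOrProvinceName", "CA"),),
                      (("countryName", "US"),))}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, "192.0.2.10")))
```

Run against the constructed sample with the switch reached by IP address, it reports the missing location, the absent subjectAltName, and the common-name mismatch that produces the browser warning.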