Owner manual
Table Of Contents
- Contents
- Figures
- Tables
- Preface
- Section I
- Basic Operations
- Chapter 1
- Overview
- Chapter 2
- Enhanced Stacking
- Chapter 3
- SNMPv1 and SNMPv2c
- Chapter 4
- MAC Address Table
- Chapter 5
- Static Port Trunks
- Chapter 6
- LACP Port Trunks
- Chapter 7
- Port Mirror
- Section II
- Advanced Operations
- Chapter 8
- File System
- Chapter 9
- Event Logs and the Syslog Client
- Chapter 10
- Classifiers
- Chapter 11
- Access Control Lists
- Chapter 12
- Class of Service
- Chapter 13
- Quality of Service
- Chapter 14
- Denial of Service Defenses
- Chapter 15
- Power Over Ethernet
- Section III
- Snooping Protocols
- Chapter 16
- IGMP Snooping
- Chapter 17
- MLD Snooping
- Chapter 18
- RRP Snooping
- Chapter 19
- Ethernet Protection Switching Ring Snooping
- Section IV
- SNMPv3
- Chapter 20
- SNMPv3
- Section V
- Spanning Tree Protocols
- Chapter 21
- Spanning Tree and Rapid Spanning Tree Protocols
- Chapter 22
- Multiple Spanning Tree Protocol
- Section VI
- Virtual LANs
- Chapter 23
- Port-based and Tagged VLANs
- Chapter 24
- GARP VLAN Registration Protocol
- Chapter 25
- Multiple VLAN Modes
- Chapter 26
- Protected Ports VLANs
- Chapter 27
- MAC Address-based VLANs
- Section VII
- Routing
- Chapter 28
- Internet Protocol Version 4 Packet Routing
- Supported Platforms
- Overview
- Routing Interfaces
- Interface Names
- Static Routes
- Routing Information Protocol (RIP)
- Default Routes
- Equal-cost Multi-path (ECMP) Routing
- Routing Table
- Address Resolution Protocol (ARP) Table
- Internet Control Message Protocol (ICMP)
- Routing Interfaces and Management Features
- Local Interface
- AT-9408LC/SP AT-9424T/GB, and AT-9424T/SP Switches
- Routing Command Example
- Non-routing Command Example
- Upgrading from AT-S63 Version 1.3.0 or Earlier
- Chapter 29
- BOOTP Relay Agent
- Chapter 30
- Virtual Router Redundancy Protocol
- Section VIII
- Port Security
- Chapter 31
- MAC Address-based Port Security
- Chapter 32
- 802.1x Port-based Network Access Control
- Section IX
- Management Security
- Chapter 33
- Web Server
- Chapter 34
- Encryption Keys
- Chapter 35
- PKI Certificates and SSL
- Chapter 36
- Secure Shell (SSH)
- Chapter 37
- TACACS+ and RADIUS Protocols
- Chapter 38
- Management Access Control List
- Appendix A
- AT-S63 Management Software Default Settings
- Address Resolution Protocol Cache
- Boot Configuration File
- BOOTP Relay Agent
- Class of Service
- Denial of Service Defenses
- 802.1x Port-Based Network Access Control
- Enhanced Stacking
- Ethernet Protection Switching Ring (EPSR) Snooping
- Event Logs
- GVRP
- IGMP Snooping
- Internet Protocol Version 4 Packet Routing
- MAC Address-based Port Security
- MAC Address Table
- Management Access Control List
- Manager and Operator Account
- Multicast Listener Discovery Snooping
- Public Key Infrastructure
- Port Settings
- RJ-45 Serial Terminal Port
- Router Redundancy Protocol Snooping
- Server-based Authentication (RADIUS and TACACS+)
- Simple Network Management Protocol
- Simple Network Time Protocol
- Spanning Tree Protocols (STP, RSTP, and MSTP)
- Secure Shell Server
- Secure Sockets Layer
- System Name, Administrator, and Comments Settings
- Telnet Server
- Virtual Router Redundancy Protocol
- VLANs
- Web Server
- Appendix B
- SNMPv3 Configuration Examples
- Appendix C
- Features and Standards
- 10/100/1000Base-T Twisted Pair Ports
- Denial of Service Defenses
- Ethernet Protection Switching Ring Snooping
- Fiber Optic Ports (AT-9408LC/SP Switch)
- File System
- DHCP and BOOTP Clients
- Internet Protocol Multicasting
- Internet Protocol Version 4 Routing
- MAC Address Table
- Management Access and Security
- Management Access Methods
- Management Interfaces
- Management MIBs
- Port Security
- Port Trunking and Mirroring
- Spanning Tree Protocols
- System Monitoring
- Traffic Control
- Virtual LANs
- Virtual Router Redundancy Protocol
- Appendix D
- MIB Objects
- Index
Chapter 35: PKI Certificates and SSL
416 Section IX: Management Security
Certificate
Validation
To validate a certificate, the end entity verifies the signature in the
certificate, using the public key of the CA who issued the certificate.
CA Hierarchies and Certificate Chains
It may not be practical for every individual certificate in an organization to
be signed by one certification authority. A certification hierarchy may be
formed, in which one CA (for example, national headquarters) is declared
to be the root CA. This CA issues certificates to the next level down in the
hierarchy (for example, regional headquarters), who become subordinate
CAs and issue certificates to the next level down, and so on. A hierarchy
may have as many levels as needed.
Certificate hierarchies allow validation of certificates through certificate
chains and cross-certification. If a switch X, which holds a certificate
signed by CA X, wishes to communicate securely with a switch Y, which
holds a certificate signed by CA Y, there are two ways in which the
switches can validate each other’s certificates. Cross-certification occurs
when switch X validates switch Y's CA (CA Y) by obtaining a certificate for
switch Y's CA which has been issued by its own CA (CA X). A certificate
chain is formed if both CA X and CA Y hold a certificate signed by a root
CA Z, which the switches have verified out of band. Switch X can validate
switch Y’s certificate (and vice versa) by following the chain up to CA Z.
Root CA Certificates
A root CA must sign its own certificate. The root CA is the most critical link
in the certification chain, because the validity of all certificates issued by
any CA in the hierarchy depends on the root CA’s validity. Therefore,
every device which uses the root CA’s certificate must verify it out-of-
band.
Out-of-band verification involves both the owner of a certificate and the
user who wishes to verify that certificate generating a one-way hash (a
fingerprint) of the certificate. These two hashes must then be compared
using at least one non-network-based communication method. Examples
of suitable communication methods are mail, telephone, fax, or transfer by
hand from a storage device such as a smart card or floppy disk. If the two
hashes are the same, the certificate can be considered valid.
Certificate
Revocation Lists
(CRLs)
A certificate may become invalid because some of the details in it change
(for example, the address changes), because the relationship between the
Certification Authority (CA) and the subject changes (for example, an
employee leaves a company), or because the associated private key is
compromised. Every CA is required to keep a publicly accessible list of its
certificates which have been revoked.