Administrator Guide

Advantages of X.509v3 certificates
Public-key authentication is preferred over password-based authentication for several reasons, although the two may be used together.
Public-key authentication provides the following advantages over password-based authentication:
It avoids the human problem of low-entropy password selection and resists brute-force attacks far better than password-based authentication.
It provides trusted, provable identities when the certificates are signed by trusted CAs.
It provides integrity and confidentiality in addition to authentication.
X.509v3 support in
supports X.509v3 standards.
Many organizations need to assure their customers that connections to their devices and network are secure. These organizations pay an internationally trusted Certificate Authority (CA), such as VeriSign or DigiCert, to sign a certificate for their domain.
To implement an X.509v3 infrastructure, the recommended approach is to act as your own CA. A common use case for acting as your own CA is issuing certificates to clients so that they can authenticate to a server, for example, an Apache or OpenVPN server.
Acting as a certificate authority (CA) means dealing with cryptographic pairs of private keys and public certificates. The first cryptographic pair you create is the root pair. This root pair consists of the root key (ca.key.pem) and the root certificate (ca.cert.pem). This pair forms the identity of your CA.
Typically, a root CA does not sign server or client certificates directly. The root CA is only ever used to create one or more intermediate CAs. These intermediate CAs are trusted by the root CA to sign certificates on its behalf. This is the best practice: it allows the root key to be kept offline and used to a minimal extent, as any compromise of the root key is disastrous.
For more general information on setting up your own Certificate Authority (CA), see https://jamielinux.com/docs/openssl-certificate-authority/index.html
The following figure illustrates a sample network topology in which a simple X.509v3 infrastructure is implemented:
The Root CA generates a private key and a self-signed CA certificate.
The Intermediate CA generates a private key and a Certificate Signing Request (CSR).
Using its private key, the root CA signs the intermediate CA's CSR, generating a CA certificate for the Intermediate CA. This intermediate CA can then sign certificates for hosts in the network and also for further intermediate CAs. These CA certificates (root CA and any intermediate CAs), but not the corresponding private keys, are made publicly available on the network.
NOTE:
CA certificates may also be bundled together for ease of installation. Their .PEM files are concatenated in order from the "lowest" ranking CA certificate to the Root CA certificate. handles installation of bundled certificate files.
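The root-to-intermediate-to-host procedure above and the bundle ordering in the NOTE, as an added shell example using the openssl command line; it is not part of this guide or of any product's tooling. The CA names, the host name, the P-256 keys and every file name except ca.key.pem and ca.cert.pem are assumptions made for the demonstration.

```shell
# Added example, not from the guide: root CA -> intermediate CA -> host cert, plus a
# bundle concatenated lowest-CA-first as the NOTE describes. CA names, the file
# names other than ca.key.pem/ca.cert.pem, and the P-256 keys are assumptions.
set -e
# Minimal stand-alone OpenSSL config so the system openssl.cnf is not consulted.
write_cnf() {
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_intermediate]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
authorityKeyIdentifier = keyid
[v3_host]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
EOF
}
newkey() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1"; }
build_ca_chain() {  # $1 = empty working directory
  d=$1; write_cnf "$d"
  # Root pair: private key and self-signed certificate.
  newkey "$d/ca.key.pem"
  openssl req -x509 -new -key "$d/ca.key.pem" -config "$d/ca.cnf" -extensions v3_root -subj "/CN=Example Root CA" -days 3650 -out "$d/ca.cert.pem"
  # Intermediate: private key and CSR; the root key is used only to sign this CSR.
  newkey "$d/intermediate.key.pem"
  openssl req -new -key "$d/intermediate.key.pem" -config "$d/ca.cnf" -subj "/CN=Example Intermediate CA" -out "$d/intermediate.csr.pem"
  openssl x509 -req -in "$d/intermediate.csr.pem" -CA "$d/ca.cert.pem" -CAkey "$d/ca.key.pem" -CAcreateserial -days 1825 -extfile "$d/ca.cnf" -extensions v3_intermediate -out "$d/intermediate.cert.pem"
  # Host certificate: signed by the intermediate, never by the root.
  newkey "$d/host.key.pem"
  openssl req -new -key "$d/host.key.pem" -config "$d/ca.cnf" -subj "/CN=host.example.net" -out "$d/host.csr.pem"
  openssl x509 -req -in "$d/host.csr.pem" -CA "$d/intermediate.cert.pem" -CAkey "$d/intermediate.key.pem" -CAcreateserial -days 365 -extfile "$d/ca.cnf" -extensions v3_host -out "$d/host.cert.pem"
  # Bundle for installation: lowest-ranking CA first, root last, no private keys.
  cat "$d/intermediate.cert.pem" "$d/ca.cert.pem" > "$d/ca-chain.cert.pem"
}
# Validate as a relying party would: trust only the root, supply the intermediate as untrusted.
verify_host() { openssl verify -CAfile "$1/ca.cert.pem" -untrusted "$1/intermediate.cert.pem" "$1/host.cert.pem"; }
# Check bundle order: first subject must be the intermediate, last the root.
bundle_order_ok() {
  subs=$(openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout | grep '^subject')
  echo "$subs" | head -n 1 | grep -q 'Intermediate CA' && echo "$subs" | tail -n 1 | grep -q 'Root CA'
}
```

Run with a fresh directory, for example `d=$(mktemp -d); build_ca_chain "$d"; verify_host "$d"; bundle_order_ok "$d/ca-chain.cert.pem"`; the host certificate verifies only when the intermediate is supplied, which is why the bundle must include it.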