Connectivity Guide
X.509v3 concepts
Certificate: A document that associates a network device with its public key. When exchanged between participating devices, certificates are used to validate device identity and the public key associated with the device. A PKI uses the following certificate types:
• CA certificate: The certificate of a CA that is used to sign host certificates. A CA certificate may be issued by other CAs or be self-signed. A self-signed CA certificate is called a root certificate.
• Host certificate: A certificate that is issued to a network device. A host certificate can be signed by a CA or self-signed.
• Self-signed certificate: A certificate that the host signs with its own private key, as opposed to a CA-signed certificate.
Certificate authority (CA): An entity that verifies the contents of a certificate and signs it, indicating that the certificate is trusted and correct. An intermediate CA signs certificates transmitted between a root CA and a host.
Certificate revocation list (CRL): A CA-signed document that contains a list of certificates that are no longer valid, even though they have not yet expired; for example, when a new certificate is generated for a server and the old certificate is no longer supported.
Certificate signing request (CSR): After generating a key pair, a switch signs a request to obtain a certificate using its secret private key, and sends the request to a certificate authority. The CSR contains information that identifies the switch and its public key. The public key is used to verify the signature that the switch made on the CSR with its private key, and the distinguished name (DN) of the switch. A CSR is signed by a CA and returned to the host for use as a signed host certificate.
Privacy Enhanced Mail (PEM): PKI standard used to format X.509v3 data in a secure message exchange; described in RFC 1421.
Public key infrastructure (PKI): Application that manages the generation of private and public encryption keys, and the download, installation, and exchange of CA-signed certificates with network devices.
X.509v3: Standard for the public key infrastructure that manages digital certificates and public key encryption.
Public key infrastructure
To use X.509v3 certificates for secure communication and user authentication on OS10 switches in a network, a public key infrastructure (PKI) with a certificate authority (CA) is required. The CA signs certificates that prove the trustworthiness of network devices.
When an organization wants to assure customers that the connection to its network is secure, it may pay a commercial Certificate Authority, such as VeriSign or DigiCert, to sign a certificate for its domain. However, to implement an X.509v3 infrastructure, you can act as your own CA. While acting as your own CA, you can set up CAs to issue certificates to hosts in the same trusted domain so that they can authenticate each other.
X.509v3 public key infrastructure
To set up a PKI using X.509v3 certificates, Dell EMC Networking recommends:
1 Configure a root CA that generates a private key and a self-signed CA certificate.
2 Configure one or more intermediate CAs that generate a private key and a certificate signing request (CSR), and send the CSR to the root CA.
• Using its private key, the root CA signs an intermediate CA's CSR and generates a CA certificate for the intermediate CA.
• The intermediate CA downloads and installs the CA certificate. Afterwards, the intermediate CA can sign certificates for hosts in the network and for other intermediate CAs that are lower in the PKI hierarchy.
• The root and intermediate CA certificates, but not the corresponding private keys, are made publicly available on the network for network hosts to download.
• Whenever possible, store private keys offline or in a location restricted from general access.
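The root CA, intermediate CA and host steps above, carried out with the openssl command line as an added example (this is not code from the OS10 guide or from Dell EMC Networking). The CA names, the host name switch01 and the directory name are assumptions; the example also issues a switch certificate from the intermediate CA and checks that a peer validating it needs both published CA certificates, not the private keys.

```shell
#!/bin/sh
# Added example (not from the OS10 guide): a two-tier PKI built with OpenSSL.
# The CA names, the host name switch01 and the directory name are constructed.
build_pki() {
  d="${1:-pki-demo}"
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
  mkdir -p "$d" || return 1
  # Self-contained config so the example does not depend on the system openssl.cnf.
  cat > "$d/pki.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_intermediate]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[v3_host]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
EOF
  # Step 1: the root CA generates a private key and a self-signed CA certificate.
  openssl req -x509 -config "$d/pki.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -sha256 -days 3650 -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null || return 1
  # Step 2: the intermediate CA generates its own key pair and a CSR for the root CA.
  openssl req -new -config "$d/pki.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Demo Intermediate CA" \
    -keyout "$d/intermediate.key" -out "$d/intermediate.csr" 2>/dev/null || return 1
  # The root CA signs the CSR with its private key; pathlen:0 lets the
  # intermediate CA issue host certificates but not further CA certificates.
  openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$d/pki.cnf" -extensions v3_intermediate \
    -out "$d/intermediate.crt" 2>/dev/null || return 1
  # A switch generates its key pair and CSR; the intermediate CA signs it.
  openssl req -new -config "$d/pki.cnf" -newkey rsa:2048 -nodes -sha256 -subj "/CN=switch01" \
    -keyout "$d/switch01.key" -out "$d/switch01.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/switch01.csr" -CA "$d/intermediate.crt" -CAkey "$d/intermediate.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$d/pki.cnf" -extensions v3_host \
    -out "$d/switch01.crt" 2>/dev/null || return 1
  chmod 600 "$d"/*.key   # private keys stay restricted; only the CA certificates are published
}
# Validate as a peer host would: trust only the root CA certificate and supply the
# intermediate CA certificate as untrusted chain material; OpenSSL walks the signatures.
verify_cert() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/intermediate.crt" "$1/$2" >/dev/null 2>&1
}
```

Running `build_pki` and then `verify_cert pki-demo switch01.crt` succeeds; verifying the switch certificate against root.crt alone fails, which is why both CA certificates must be distributed to hosts.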