API Guide

ManualsBrandsDell ManualsAccess PlatformsPowerSwitch S4148F-ON/S4148T-ON/S4148FE-ON

1051

X.509v3 certificates

OS10 supports X.509v3 certificates to secure communications between the switch and a host, such as a RADIUS server. Both

the switch and the server exchange a public key in a signed X.509v3 certificate issued by a certificate authority (CA) to

authenticate each other. The certificate authority uses its private key to sign the switch and host certificates.

The information in the certificate allows both devices to prove ownership and the validity of a public key. Assuming the CA is

trusted, the switch and authentication server validate each other's identity and set up a secure, encrypted communications

channel.

User authentication with a public key certificate is usually preferred over password-based authentication, although you can use

both at the same time, to:

● Avoid the security risk of using low-strength passwords and provide greater resistance to brute-force attacks.

● Provide assurance of trusted, provable identities (when using certificates digitally signed by a trusted CA).

● Provide security and confidentiality in switch-server communications in addition to user authentication.

For example, you can download and install a X.509v3 certificate to enable public-key authentication in RADIUS over TLS

authentication — also called RadSec. OS10 supports a public key infrastructure (PKI), including:

● Generation of self-signed certificates and certificate signing requests (CSRs), and their corresponding private keys

● Installation and deletion of self-signed certificates and CA-signed certificates

● Secure deletion of corresponding private keys

● Installation and deletion of CA certificates in the system "trust store"

● Display of certificate information

X.509v3 concepts

Certificate

A document that associates a network device with its public key. When exchanged between participating

devices, certificates are used to validate device identity and the public key associated with the device. A

PKI uses the following certificate types:

● CA certificate: The certificate of a CA that is used to sign host certificates. A CA certificate may be

issued by other CAs or be self-signed. A self-signed CA certificate is called a root certificate.

● Host certificate: A certificate that is issued to a network device. A host certificate may be signed by a

CA or self-signed.

● Self-signed certificate: A host-signed certificate, compared to a CA-signed certificate.

Certificate

authority (CA)

An entity that verifies the contents of a certificate and signs it, indicating that the certificate is trusted

and correct. An intermediate CA signs certificates transmitted between a root CA and a host.

Certificate

revocation list

(CRL)

A CA-signed document that contains a list of certificates that are no longer valid, even though they have

not yet expired. For example, when a new certificate is generated for a server, and the old certificate is

no longer supported.

Certificate

signing request

(CSR)

After generating a key pair, a switch signs a request to obtain a certificate using its secret private key,

and sends the request to a certificate authority. The CSR contains information that identifies the switch

and its public key. This public key is used to verify the private signature of the CSR and the distinguished

name (DN) of the switch. A CSR is signed by a CA and returned to a host for use as a signed host

certificate.

Privacy

Enhanced Mail

(PEM)

PKI standard used to format X.509v3 data in a secure message exchange; described in RFC 1421.

Public key

infrastructure

(PKI)

Application that manages the generation of private and public encryption keys, and the download,

installation, and exchange of CA-signed certificates with network devices.

X.509v3 Standard for the public key infrastructure that manages digital certificates and public key encryption.

1056 Security