Users Guide

The information in the certificate allows both devices to prove ownership and the validity of a public key. Assuming the CA is
trusted, the switch and authentication server validate each other's identity and set up a secure, encrypted communications
channel.
User authentication with a public key certificate is usually preferred over password-based authentication, although you can use
both at the same time, to:
Avoid the security risk of using low-strength passwords and provide greater resistance to brute-force attacks.
Provide assurance of trusted, provable identities (when using certificates digitally signed by a trusted CA).
Provide security and confidentiality in switch-server communications in addition to user authentication.
For example, you can download and install a X.509v3 certificate to enable public-key authentication in RADIUS over TLS
authentication also called RadSec. OS10 supports a public key infrastructure (PKI), including:
Generation of self-signed certificates and certificate signing requests (CSRs), and their corresponding private keys
Installation and deletion of self-signed certificates and CA-signed certificates
Secure deletion of corresponding private keys
Installation and deletion of CA certificates in the system "trust store"
Display of certificate information
X.509v3 concepts
Certificate A document that associates a network device with its public key. When exchanged between participating
devices, certificates are used to validate device identity and the public key associated with the device. A
PKI uses the following certificate types:
CA certificate: The certificate of a CA that is used to sign host certificates. A CA certificate may be
issued by other CAs or be self-signed. A self-signed CA certificate is called a root certificate.
Host certificate: A certificate that is issued to a network device. A host certificate may be signed by a
CA or self-signed.
Self-signed certificate: A host-signed certificate, compared to a CA-signed certificate.
Certificate
authority (CA)
An entity that verifies the contents of a certificate and signs it, indicating that the certificate is trusted
and correct. An intermediate CA signs certificates transmitted between a root CA and a host.
Certificate
revocation list
(CRL)
A CA-signed document that contains a list of certificates that are no longer valid, even though they have
not yet expired. For example, when a new certificate is generated for a server, and the old certificate is
no longer supported.
Certificate
signing request
(CSR)
After generating a key pair, a switch signs a request to obtain a certificate using its secret private key,
and sends the request to a certificate authority. The CSR contains information that identifies the switch
and its public key. This public key is used to verify the private signature of the CSR and the distinguished
name (DN) of the switch. A CSR is signed by a CA and returned to a host for use as a signed host
certificate.
Privacy
Enhanced Mail
(PEM)
PKI standard used to format X.509v3 data in a secure message exchange; described in RFC 1421.
Public key
infrastructure
(PKI)
Application that manages the generation of private and public encryption keys, and the download,
installation, and exchange of CA-signed certificates with network devices.
X.509v3 Standard for the public key infrastructure that manages digital certificates and public key encryption.
Public key infrastructure
To use X.509v3 certificates for secure communication and user authentication on OS10 switches in a network, a public key
infrastructure (PKI) with a certificate authority (CA) is required. The CA signs certificates that prove the trustworthiness of
network devices.
When an organization wants to assure customers that the connection to their network is secure, it may pay a commercial
Certificate Authority, such as VeriSign or DigiCert, to sign a certificate for their domain. However, to implement an X.509v3
infrastructure, you can act as your own CA. While acting as your own CA, you can set up CAs to issue certificates to hosts in
the same trusted domain to authenticate each other.
X.509v3 public key infrastructure
Security
1381