WESM zl Management and Configuration Guide WT.01.03 and greater
1-45
Introduction
ProCurve Wireless Edge Services zl Module
PKI and Digital Certificates
The Wireless Edge Services zl Module’s security capabilities often require it
to authenticate itself with a digital certificate and the data it sends with a
digital signature.
Digital signatures, created with a public-private key pair, authenticate data.
The key pair relies on asymmetric encryption, which means that data encrypted
with the private key is decrypted with the corresponding public key. A host
“signs” data by encrypting it with its private key—something only that host can
do because only it knows the private key. Other hosts verify the signature by
decrypting it with the public key, which is distributed freely.
A digital certificate distributes the public key, tying it to a particular host’s
identity, which can be presented as an LDAP distinguished name, a hostname,
or an IP address. Typically, a trusted third party, called the certificate authority
(CA), signs and issues certificates. A less secure option is a self-signed
certificate, which is issued by the host itself.
Remember that verifying a signature requires a public key in a digital certificate.
To verify the CA’s signature, a host must have the CA’s certificate. The
CA’s certificate is signed either by itself or by another CA, higher in the PKI
hierarchy. The root CA is the top of the PKI hierarchy and trusted implicitly;
the root CA’s certificate is self-signed.
A set of certificates from the host’s own certificate up to the root CA’s is
grouped together as a trustpoint. The Wireless Edge Services zl Module
supports up to six trustpoints, each of which can store one of the following
sets of certificates:
■ One self-signed certificate—No CA certificate is required because the
module is the root of the trustpoint.
■ One root CA certificate, one server certificate issued by that CA,
and one certificate revocation list (CRL)
The advantage of a trustpoint that terminates in a root CA is, of course, that
a host is more likely to trust the module’s certificate when it is signed by a
well-known CA.
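The following Python model is an added illustration of the concepts above (sign with the private key, verify with the public key, a self-signed root, a CA-issued server certificate, and a trustpoint holding root certificate, server certificate and CRL); it is not code from the guide or from the module. It uses textbook RSA with small, constructed primes and a plain string "to-be-signed" record instead of X.509, so it is for understanding the chain-of-trust logic only, never for real keys.

```python
"""Toy PKI: textbook RSA signatures, a self-signed root CA, a CA-issued
server certificate, and a trustpoint (root + server cert + CRL).
Illustration only: tiny constructed primes, no padding, not secure."""
import hashlib
from dataclasses import dataclass, field, replace
from typing import Optional, Tuple


def make_keypair(p: int, q: int, e: int = 65537):
    """Return (public, private) as ((n, e), (n, d)). p and q are constructed
    small primes for this example; real keys use 2048-bit or larger moduli."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)              # private exponent (Python 3.8+)
    return (n, e), (n, d)


def digest(data: bytes, n: int) -> int:
    # Hash the data and reduce it so it fits below the modulus.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key: Tuple[int, int], data: bytes) -> int:
    n, d = private_key
    return pow(digest(data, n), d, n)    # "encrypt" the digest with the private key


def verify(public_key: Tuple[int, int], data: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == digest(data, n)   # "decrypt" with the public key


@dataclass
class Certificate:
    subject: str                    # identity bound to the key (hostname, DN, IP)
    public_key: Tuple[int, int]
    issuer: str                     # name of the CA that signed this certificate
    serial: int
    signature: int = 0

    def tbs(self) -> bytes:         # the "to be signed" part of the certificate
        return f"{self.subject}|{self.public_key}|{self.issuer}|{self.serial}".encode()


def issue(subject, subject_pub, issuer_name, issuer_priv, serial) -> Certificate:
    cert = Certificate(subject, subject_pub, issuer_name, serial)
    cert.signature = sign(issuer_priv, cert.tbs())
    return cert


@dataclass
class Trustpoint:
    root: Certificate                           # self-signed, trusted implicitly
    server: Optional[Certificate] = None        # certificate issued by that root
    crl: set = field(default_factory=set)       # revoked serial numbers


def verify_chain(tp: Trustpoint, cert: Certificate) -> bool:
    """Walk from cert up to the trustpoint's root and check every signature."""
    root = tp.root
    # The root must be self-signed and its signature must verify with its own key.
    if root.issuer != root.subject or not verify(root.public_key, root.tbs(), root.signature):
        return False
    if cert is root:                # a self-signed certificate is its own trustpoint
        return True
    # The leaf must name the root as issuer, must not be revoked, and must verify
    # under the root's public key.
    if cert.issuer != root.subject or cert.serial in tp.crl:
        return False
    return verify(root.public_key, cert.tbs(), cert.signature)


def build_demo():
    """Constructed example hierarchy: one root CA and one server certificate."""
    ca_pub, ca_priv = make_keypair(104729, 1299709)          # constructed primes
    srv_pub, srv_priv = make_keypair(15485863, 32452843)     # constructed primes
    root = issue("Example Root CA", ca_pub, "Example Root CA", ca_priv, serial=1)
    server = issue("wesm.example.net", srv_pub, "Example Root CA", ca_priv, serial=42)
    return Trustpoint(root=root, server=server), srv_priv


def tampered_copy(cert: Certificate, new_subject: str) -> Certificate:
    """Same signature, different subject: must fail verification."""
    return replace(cert, subject=new_subject)


if __name__ == "__main__":
    tp, srv_priv = build_demo()
    print("chain valid:", verify_chain(tp, tp.server))
    tp.crl.add(tp.server.serial)
    print("after revocation:", verify_chain(tp, tp.server))
```

Revocation is modelled as a plain set of serial numbers standing in for the CRL; the check happens before the signature is verified because a revoked certificate carries a perfectly valid signature, which is why a trustpoint needs the CRL alongside the root certificate.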
To obtain a CA-signed certificate, the module generates a certificate request,
which you transfer from the module and submit to the CA. The Wireless Edge
Services zl Module supports:
■ Privacy Enhanced Mail (PEM)-formatted certificates
■ Distinguished Encoding Rules (DER)-formatted certificates
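As an added example, not taken from the guide, the Python below shows how the two container formats relate: PEM is DER wrapped in base64 between BEGIN/END armor lines, and DER itself is a tag-length-value encoding with minimal (canonical) lengths. The sample DER blob is constructed for this example (a SEQUENCE holding an INTEGER and a UTF8String, not a real certificate); the decoder handles the tags needed for that sample plus any constructed tag, and rejects the non-minimal or indefinite lengths that DER forbids.

```python
"""PEM <-> DER conversion and a minimal DER TLV decoder (stdlib only).
The sample bytes are constructed for illustration, not a real certificate."""
import base64
import re

# Constructed DER: SEQUENCE { INTEGER 42, UTF8String "wesm" }
DER_SAMPLE = bytes([0x30, 0x09, 0x02, 0x01, 0x2A, 0x0C, 0x04]) + b"wesm"


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap DER bytes in PEM armor with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def pem_to_der(pem: str) -> bytes:
    """Extract the first PEM block and decode its base64 body strictly."""
    m = re.search(r"-----BEGIN ([^-]+)-----\s*(.*?)\s*-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    # validate=True rejects characters outside the base64 alphabet
    return base64.b64decode("".join(m.group(2).split()), validate=True)


def der_read_length(buf: bytes, i: int):
    """Read a DER length at buf[i]; return (length, index after length)."""
    first = buf[i]
    i += 1
    if first < 0x80:                         # short form
        return first, i
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4:
        raise ValueError("indefinite or oversized length is not valid DER")
    length = int.from_bytes(buf[i:i + nbytes], "big")
    # DER requires the shortest encoding: long form only for >= 128, no leading zero bytes
    if length < 0x80 or length < (1 << (8 * (nbytes - 1))):
        raise ValueError("non-minimal length encoding is not valid DER")
    return length, i + nbytes


def der_decode(buf: bytes, i: int = 0, end: int = None):
    """Return [(tag, value), ...] for the TLV elements in buf[i:end].
    Constructed tags (bit 0x20 set, e.g. SEQUENCE 0x30) are decoded recursively;
    INTEGER and UTF8String are converted, other primitives stay as raw bytes.
    High tag numbers (low five bits all set) are not supported here."""
    end = len(buf) if end is None else end
    items = []
    while i < end:
        tag = buf[i]
        i += 1
        if tag & 0x1F == 0x1F:
            raise ValueError("high tag numbers not supported in this example")
        length, i = der_read_length(buf, i)
        if i + length > end:
            raise ValueError("length exceeds enclosing element")
        value = buf[i:i + length]
        if tag & 0x20:                       # constructed: recurse into contents
            items.append((tag, der_decode(buf, i, i + length)))
        elif tag == 0x02:                    # INTEGER, two's complement big-endian
            items.append((tag, int.from_bytes(value, "big", signed=True)))
        elif tag == 0x0C:                    # UTF8String
            items.append((tag, value.decode("utf-8")))
        else:
            items.append((tag, value))
        i += length
    return items


if __name__ == "__main__":
    pem = der_to_pem(DER_SAMPLE)
    print(pem)
    print(der_decode(pem_to_der(pem)))
```

Because the decoder insists on minimal lengths, it treats `0x81 0x05` (a one-byte long-form length for a value that fits the short form) as an error rather than silently accepting it; two encoders that disagree on such details would produce different bytes for the same certificate, and a signature covers the exact DER bytes, so strictness here is what keeps the signed data unambiguous.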