WESM zl Management and Configuration Guide WT.01.28 and greater

Configuring the ProCurve Wireless Edge Services zl Module
Digital Certificates
A certificate itself consists of:
• the host’s identification information
• the host’s public key
• the identifier of the signature algorithm (including the hash function) that the CA used to sign the certificate
• the CA’s digital signature over the preceding fields
A host authenticates itself by sending its certificate together with a digital signature that it creates with its private key. The host does not sign the certificate itself; the CA has already done that. Instead, it hashes data from the current exchange (for example, a challenge from the peer or the handshake messages) and applies its private key to that hash.
When the peer receives the certificate, it first checks the certificate’s own integrity: it hashes the certificate body with the algorithm named in the certificate and verifies the CA’s signature against that hash. If the signature and the hash match, the peer knows that no one has tampered with the certificate en route. The peer then extracts the host’s public key from the certificate and uses it in the same way to verify the host’s signature over the exchange data.
To verify the CA’s signature, the peer must already have the CA’s certificate in its own store. This certificate includes the CA’s public key. A genuine CA signature attests that the holder of the certificate is who it says it is, and a valid signature over the exchange data proves that the sender holds the private key that matches the certificate. CAs also issue certificate revocation lists (CRLs), which list certificates that are no longer valid; the peer should check the CRL as well, because a revoked certificate still carries a valid CA signature.
Because a host can freely distribute its certificate and the public key in it, it can authenticate itself to anyone who trusts the host’s CA. However, no one else can pose as the host, because only the host’s unshared private key can produce a signature that verifies under that public key.
Configuring Digital Certificates
On the Wireless Edge Services zl Module, you create and manage trustpoints, in which you create or load the following elements:
• Server certificate, which is the certificate that identifies and authenticates the module.
For a self-signed certificate, you create the server certificate yourself and have the Wireless Edge Services zl Module sign it with its own private key. Otherwise, you create a certificate request, which you submit to a CA. After the CA returns the certificate, you install it on the module as the server certificate.
Part of creating a certificate or certificate request is generating the public/private key pair. The private key stays on the module; only the public key is placed in the certificate or request.
• CA certificate, which is the certificate of the CA that issues the server certificate.
This certificate is not necessary if the server certificate is self-signed. Otherwise, you must load the CA certificate before, or at the same time as, the server certificate.
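As an added worked example (not from this guide and not the module’s own code), the following Go program walks through both paths just described: the CA path (key pair, certificate request, the CA’s check and signature, and the peer’s verification against a loaded CA certificate) and the self-signed path, together with the checks described under Digital Certificates: detecting a certificate that was tampered with en route, and proving possession of the private key by signing peer-chosen data. The names "Example Lab CA" and "wesm.example", the ECDSA P-256 keys and the nonce are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Illustrative only: "Example Lab CA" and "wesm.example" are made-up names, and nothing
// here is the module's own code. must panics on any error to keep the example short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
var serverAuth = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
// NewKey generates the public/private key pair (ECDSA P-256 here).
func NewKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
func template(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
}
// sign encodes tmpl over pub, signed with the parent's key, then parses the DER back so
// callers see exactly the fields a peer would receive.
func sign(tmpl, parent *x509.Certificate, pub, signer any) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}
// NewCA makes the CA's own certificate: self-signed and marked as a CA.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key, t := NewKey(), template("Example Lab CA", 1)
	t.IsCA, t.BasicConstraintsValid = true, true
	t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	return sign(t, t, &key.PublicKey, key), key
}
// ServerRequest is the module's side of the CA path: generate the key pair and a PKCS#10
// request (identity plus public key, signed with the private key, which stays on the module).
func ServerRequest(name string) (*ecdsa.PrivateKey, []byte) {
	key := NewKey()
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: name}, DNSNames: []string{name}}
	return key, must(x509.CreateCertificateRequest(rand.Reader, req, key))
}
// CAIssue is the CA's side: reject a request whose own signature does not verify (the requester
// must hold the private key for the enclosed public key), then sign the server certificate.
func CAIssue(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte) *x509.Certificate {
	csr := must(x509.ParseCertificateRequest(csrDER))
	must(0, csr.CheckSignature())
	t := template(csr.Subject.CommonName, 2)
	t.DNSNames, t.ExtKeyUsage = csr.DNSNames, serverAuth
	return sign(t, caCert, csr.PublicKey, caKey)
}
// SelfSigned is the other path: the module signs its own server certificate.
func SelfSigned(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, t := NewKey(), template(name, 3)
	t.DNSNames, t.ExtKeyUsage = []string{name}, serverAuth
	return sign(t, t, &key.PublicKey, key), key
}
// PeerVerify is the peer's check: the server certificate must chain to a certificate already
// in the peer's trust store; a nil error means the signature over the body verified.
func PeerVerify(server *x509.Certificate, trusted ...*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: serverAuth})
	return err
}
// Tamper changes one byte of the identity inside the signed body, as an attacker on the path
// might, and re-parses the result; the CA signature no longer matches the body.
func Tamper(c *x509.Certificate) *x509.Certificate {
	der := append([]byte(nil), c.Raw...)
	der[bytes.Index(der, []byte("wesm.example"))] = 'x' // panics (index -1) if the name is absent
	return must(x509.ParseCertificate(der))
}
// What authenticates the host at run time is a signature over fresh, peer-chosen data, made
// with the private key and checked with the public key from the already verified certificate.
func ProvePossession(key *ecdsa.PrivateKey, nonce []byte) []byte {
	h := sha256.Sum256(nonce)
	return must(ecdsa.SignASN1(rand.Reader, key, h[:]))
}
func CheckPossession(cert *x509.Certificate, nonce, sig []byte) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(nonce)
	return ok && ecdsa.VerifyASN1(pub, h[:], sig)
}

func main() {
	caCert, caKey := NewCA()
	srvKey, csr := ServerRequest("wesm.example")
	srvCert := CAIssue(caCert, caKey, csr)
	self, _ := SelfSigned("wesm.example")
	nonce := []byte("constructed peer nonce") // a real peer sends fresh random bytes
	fmt.Println("CA path, peer holds CA cert / lacks it / tampered:", PeerVerify(srvCert, caCert), PeerVerify(srvCert), PeerVerify(Tamper(srvCert), caCert))
	fmt.Println("possession, module key / other key:", CheckPossession(srvCert, nonce, ProvePossession(srvKey, nonce)), CheckPossession(srvCert, nonce, ProvePossession(NewKey(), nonce)))
	fmt.Println("self-signed, loaded as trusted / not loaded:", PeerVerify(self, self), PeerVerify(self))
}
```

Run it with go run. Each failing PeerVerify call prints the x509 error that explains why: an unknown authority when the peer has no CA certificate loaded (or, for the self-signed case, has not loaded the server certificate itself as trusted), and a signature that no longer matches the body when the certificate was altered in transit. The CRL check mentioned above is not shown.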