WESM zl Management and Configuration Guide WT.01.28 and greater
1-43
Introduction
ProCurve Wireless Edge Services zl Module
Digital signatures, created by a public-private key pair, authenticate data. To create
the digital signature, a key pair relies on asymmetric encryption, which means that
data encrypted by a private key is decrypted by the corresponding public key. A host
“signs” data by encrypting it with its private key—something only that host can do
because only it knows the private key. Other hosts verify the signature by decrypting
the signature with the public key, which is distributed freely.
A digital certificate distributes the public key, tying it to a particular host’s identity,
which can be presented as an LDAP distinguished name, a hostname, or an IP address.
Typically, a trusted third party, called the certificate authority (CA), signs and issues certificates. A less secure option is a self-signed certificate, which is issued by the host itself.
Remember that verifying a signature requires a public key in a digital certificate. To verify the CA’s signature, a host must have the CA’s certificate. The CA’s certificate is signed either by itself or by another CA, higher in the PKI hierarchy. The root CA is the top of the PKI hierarchy and trusted implicitly; the root CA’s certificate is self-signed.
A set of certificates from the host’s own certificate up to the root CA’s is grouped
together as a trustpoint. The Wireless Edge Services zl Module supports up to six
trustpoints, each of which can store one of the following sets of certificates:
■ One self-signed certificate—No CA certificate is required because the module
is the root of the trustpoint.
■ One root CA certificate, one server certificate issued by that CA, and one
certificate revocation list (CRL)
The advantage of a trustpoint that terminates in a root CA is, of course, that a host is
more likely to trust the module’s certificate when it is signed by a well-known CA.
To obtain a CA-signed certificate, the module generates a certificate request, which
you transfer from the module and submit to the CA. The Wireless Edge Services zl
Module supports:
■ Privacy Enhanced Mail (PEM)-formatted certificates
■ Distinguished Encoding Rules (DER)-formatted certificates
You can load these certificates to the module from an FTP server, a TFTP server, or
the local disk of the management station.
Before creating a certificate or certificate request, the Wireless Edge Services zl Module must generate a public/private key pair. The module can create Rivest-Shamir-Adleman (RSA) keys of between 1024 and 2048 bytes. Each certificate can use a unique key pair, or multiple certificates can share a key pair.
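The sequence this section describes (generate an RSA key pair, build a trustpoint whose root is a self-signed CA certificate, produce a certificate request and have the CA sign it, keep the result in PEM and DER form, and verify both the chain and a signature) can be walked through end to end with the openssl command line. The script below is an added example written for this page; it is not the module's CLI or ProCurve's code, and the names it uses (Example Root CA, Other Root CA, the hostname wesm.example.test, the $WORK scratch directory) are constructed. It does not build a CRL.

```shell
#!/bin/sh
# Added example: a miniature trustpoint built with openssl, mirroring the
# steps the module performs. All names and files below are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certificates

# Step 1: RSA key pairs (2048-bit here). Each identity gets its own pair.
gen_keys() {
    openssl genrsa -out "$WORK/root.key" 2048 2>/dev/null
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
}

# Step 2: self-signed root certificates. A root signs its own public key, so
# verifying it needs no higher CA; it is the top of its own trustpoint.
gen_roots() {
    openssl req -x509 -new -key "$WORK/root.key" -sha256 -days 365 \
        -subj "/CN=Example Root CA" -out "$WORK/root.pem" 2>/dev/null
    # An unrelated second root stands in for a CA the verifying host does not trust.
    openssl req -x509 -new -key "$WORK/other.key" -sha256 -days 365 \
        -subj "/CN=Other Root CA" -out "$WORK/other.pem" 2>/dev/null
}

# Step 3: certificate request carrying the server identity (a hostname here).
# On the module this is the file you transfer out and submit to the CA.
gen_request() {
    openssl req -new -key "$WORK/server.key" -sha256 \
        -subj "/CN=wesm.example.test" -out "$WORK/server.csr" 2>/dev/null
}

# Step 4: the CA signs the request with its private key, yielding the server
# certificate (PEM). The same certificate is also written in DER encoding.
issue_cert() {
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/root.pem" \
        -CAkey "$WORK/root.key" -CAcreateserial -sha256 -days 90 \
        -out "$WORK/server.pem" 2>/dev/null
    openssl x509 -in "$WORK/server.pem" -outform DER -out "$WORK/server.der"
}

build_pki() { gen_keys; gen_roots; gen_request; issue_cert; }

# Does certificate $1 chain up to the root in $2? Exit status 0 means trusted.
verify_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# The DER copy decodes to the same subject as the PEM copy ($1 = expected name).
der_subject_matches() {
    openssl x509 -inform DER -in "$WORK/server.der" -noout -subject | grep -q "$1"
}

# Detached signature: sign file $1 with the server's private key ...
sign_file() {
    openssl dgst -sha256 -sign "$WORK/server.key" -out "$1.sig" "$1"
}

# ... and verify it using only the public key extracted from the certificate.
verify_file() {
    openssl x509 -in "$WORK/server.pem" -pubkey -noout > "$WORK/server.pub"
    openssl dgst -sha256 -verify "$WORK/server.pub" \
        -signature "$1.sig" "$1" >/dev/null 2>&1
}

demo() {
    build_pki
    if verify_chain "$WORK/server.pem" "$WORK/root.pem"; then
        echo "server.pem chains to Example Root CA"
    fi
    if ! verify_chain "$WORK/server.pem" "$WORK/other.pem"; then
        echo "server.pem is not trusted through Other Root CA"
    fi
    printf 'constructed sample payload\n' > "$WORK/data.bin"
    sign_file "$WORK/data.bin"
    if verify_file "$WORK/data.bin"; then
        echo "detached signature verifies with the certificate's public key"
    fi
    printf 'tampered payload\n' > "$WORK/data.bin"
    if ! verify_file "$WORK/data.bin"; then
        echo "signature no longer verifies after the data changed"
    fi
}

demo
```

The two negative checks are the ones worth keeping in mind when loading a trustpoint on the module: a certificate signed by a CA whose root is not in the trustpoint fails verification exactly like a forged one, and a valid signature covers only the bytes that were signed.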
The Wireless Edge Services zl Module uses certificates for several purposes: