WESM zl Management and Configuration Guide WT.01.XX and greater
2-167
Configuring the ProCurve Wireless Edge Services zl Module
Digital Certificates
A host authenticates itself by sending its certificate, to which it appends its
digital signature. It creates the digital signature by hashing the certificate and
then encrypting the hash with its private key.
When the peer receives the digital certificate, the peer extracts the host’s
public key and the hash function that was used. The peer decrypts the signature
with that public key to recover the hash, hashes the certificate itself, and
compares the two values. If they match, the peer knows that no one has tampered
with the certificate en route.
To fully authenticate a host, the peer must also have the CA’s certificate in its
system. This certificate includes the CA’s public key, which the peer uses to
verify the CA’s signature. A genuine CA signature attests that the holder of a
certificate is who it says it is. CAs also issue certificate revocation lists (CRLs),
which list certificates that are no longer valid.
Because a host can freely distribute its public key, it can authenticate itself to
anyone who trusts the host’s CA. However, no one can pose as the host,
because only the host’s unshared private key can encrypt and “sign” the
certificate.
Configuring Digital Certificates
On the Wireless Edge Services zl Module, you create and manage trustpoints, in which you create or load the following elements:
■ Server certificate, which is the certificate that identifies and authenticates the module
For a self-signed certificate, you create the server certificate yourself and have the Wireless Edge Services zl Module sign it. Otherwise, you create a certificate request, which you submit to a CA. After the CA returns the certificate, you install it on the module as a server certificate.
Part of creating a certificate or certificate request is generating the public/private key pair.
■ CA certificate, which is the certificate of the CA that issues the server certificate
This certificate is not necessary if the server certificate is self-signed. Otherwise, however, you must load the CA certificate before or at the same time that you load the server certificate.
■ CRL
This element is optional, but recommended to prevent your module from accepting invalid certificates. Your CA should provide you with a CRL.
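The following Go program is an added example, not code from the guide or from the module; it builds the three trustpoint elements listed above on a constructed lab CA (the CA name "Lab CA", the server name "wesm-lab" and the serial numbers are made up for the example) and then performs the peer-side checks described under Digital Certificates: chain the server certificate to the CA certificate and consult a CA-signed CRL before accepting it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// BuildLab is the CA side (constructed for this example): a self-signed CA cert, the server cert (serial 2) it issued, and a CA-signed CRL.
func BuildLab(revokeServer bool) (srv, ca *x509.Certificate, crlDER []byte) {
	_, caKey, _ := ed25519.GenerateKey(rand.Reader)  // the CA's private key; it never leaves the CA
	srvPub, _, _ := ed25519.GenerateKey(rand.Reader) // the module's key pair (the private half stays on the module)
	caT := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Lab CA"}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	srvT := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "wesm-lab"},
		KeyUsage: x509.KeyUsageDigitalSignature, NotBefore: caT.NotBefore, NotAfter: caT.NotAfter}
	caDER, _ := x509.CreateCertificate(rand.Reader, caT, caT, caKey.Public(), caKey) // self-signed CA certificate
	ca, _ = x509.ParseCertificate(caDER)                                              // re-parse so the generated SubjectKeyId is present
	srvDER, _ := x509.CreateCertificate(rand.Reader, srvT, ca, srvPub, caKey) // the CA signs the server's request
	srv, _ = x509.ParseCertificate(srvDER)
	rl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour)}
	if revokeServer {
		rl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: srv.SerialNumber, RevocationTime: time.Now()}}
	}
	crlDER, _ = x509.CreateRevocationList(rand.Reader, rl, ca, caKey)
	return srv, ca, crlDER
}

// Validate is the peer's side: chain the server cert to the trusted CA cert, then require a CA-signed CRL that does not list its serial.
func Validate(srv, ca *x509.Certificate, crlDER []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca) // the trustpoint's CA certificate
	if _, err := srv.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err // signature does not check out, outside the validity period, or unknown issuer
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil || crl.CheckSignatureFrom(ca) != nil {
		return errors.New("CRL is malformed or not signed by the trusted CA")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(srv.SerialNumber) == 0 {
			return errors.New("server certificate is listed on the CA's CRL")
		}
	}
	return nil
}
```

Validate returns nil only when all three elements agree; a certificate from a CA not in the pool, a revoked serial, or a tampered signed body each produce an error.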