User's Manual Part 2
December 20, 2004 SCP-LPS20x-011-012-01H
ADC Telecommunications, Inc. 139
SSL CERTIFICATES
This section explains how to create and install SSL certificates to secure communications with the LPS-20x.
OVERVIEW OF SSL CERTIFICATES
The only way to securely access a web server is to encrypt the data stream exchanged between the browser and
the web server. This ensures that if the data is intercepted by a malicious third party using a network analyzer on
the LAN or the Internet, it will be difficult or impossible to decipher.
However, encryption does not solve another important security issue, namely how the identity of a web server can
be validated before a connection to it is established. The solution to this problem is provided by digital certificates.
A digital certificate is a collection of information about a web server, digitally signed by a certificate authority. A
certificate authority is by definition an entity that can be trusted. It may be an entity in your organization responsible
for issuing certificates, a commercial certificate authority such as Thawte or Entrust, or even you yourself.
SSL is the standard for creating a secure encrypted connection between a web browser and a web server. SSL
relies on the exchange of digital certificates which provide the means for the web server and browser to authenticate
each other.
SSL AUTHENTICATION
The following sequence of steps illustrates how an SSL session is established.
1. A web browser attempts to open a web page via HTTPS.
2. The web server sends its digital certificate (as well as information needed to establish the SSL connection)
to the web browser. The certificate is signed using the private key of a certificate authority (CA). This is
usually a well known commercial entity.
3. The web browser attempts to validate the web server’s certificate. This happens as follows:
• The web browser checks that the server’s certificate has not expired. The certificate contains the certificate’s
validity period, which can be compared to the current date.
• The web browser may be configured to check that the certificate is not in a Certificate Revocation List
maintained by the entity that issued the certificate.
• The web browser checks its internal list of trusted CAs to find the one that signed the web server’s certificate.
Using the public key of this CA (which is also stored in the web browser), the web browser validates
the authenticity of the web server’s digital signature. This is possible because the web server’s certificate
is signed using the CA’s private key.
• The web browser extracts the domain name of the web server from the certificate. (When the certificate
was registered, this domain name was associated with the IP address of the LPS-20x’s Internet port.) It
then compares this against the domain name of the web server.
4. The web browser and the web server agree on a symmetric key to encrypt the SSL connection.
5. The SSL connection is started.
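The checks a browser applies in steps 2 and 3 above, as an added Python example that is not part of this manual or of the LPS-20x firmware. To keep it self-contained, the CA key is a toy textbook-RSA key built from two small primes (constructed for the demo and trivially breakable; real CAs use 2048-bit or larger keys), the certificate is a plain JSON record rather than X.509, and the issuer name "Demo CA", the serial number and the validity dates are made up. The expiry, revocation-list, trusted-issuer, signature and host-name checks run in the order the list gives; the wildcard host-name handling goes slightly beyond the page.

```python
"""Toy walk-through of server-certificate validation (added example, not LPS-20x code)."""
import hashlib
import json

E = 65537  # public exponent, as used by real RSA keys


def toy_rsa_keypair(p, q):
    """Textbook RSA from two primes. Constructed for the demo only: the primes are
    tiny, so the key is trivially factorable and offers no real security."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return {"n": n, "e": E}, {"n": n, "d": d}


def _digest_int(data, n):
    """SHA-256 of the signed bytes, reduced so it fits under the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def ca_sign(tbs_bytes, ca_private):
    """Step 2: the CA signs the to-be-signed bytes with its private key."""
    return pow(_digest_int(tbs_bytes, ca_private["n"]), ca_private["d"], ca_private["n"])


def signature_valid(tbs_bytes, signature, ca_public):
    """Step 3: anyone holding the CA public key can check that signature."""
    return pow(signature, ca_public["e"], ca_public["n"]) == _digest_int(tbs_bytes, ca_public["n"])


def _tbs_bytes(tbs):
    # Canonical encoding so signer and verifier hash exactly the same bytes.
    return json.dumps(tbs, sort_keys=True).encode()


def issue_certificate(host, issuer, not_before, not_after, ca_private, serial):
    """Build a minimal certificate: signed fields plus the CA's signature over them."""
    tbs = {"host": host, "issuer": issuer, "not_before": not_before,
           "not_after": not_after, "serial": serial}
    return {"tbs": tbs, "signature": ca_sign(_tbs_bytes(tbs), ca_private)}


def hostname_matches(cert_host, requested):
    """Case-insensitive exact match, or a single left-most wildcard label (*.example.com)."""
    cert_host, requested = cert_host.lower(), requested.lower()
    if cert_host == requested:
        return True
    if cert_host.startswith("*."):
        cl, rl = cert_host.split("."), requested.split(".")
        return len(cl) == len(rl) and cl[1:] == rl[1:]
    return False


def validate_certificate(cert, requested_host, trusted_cas, revoked, now):
    """Apply the browser's checks in the order listed above; return (ok, reason).
    Dates are ISO 'YYYY-MM-DD' strings, so plain string comparison orders them."""
    tbs = cert["tbs"]
    if not (tbs["not_before"] <= now <= tbs["not_after"]):
        return False, "certificate expired or not yet valid"
    if (tbs["issuer"], tbs["serial"]) in revoked:          # CRL keyed by issuer + serial
        return False, "certificate is revoked"
    ca_public = trusted_cas.get(tbs["issuer"])             # browser's trusted-CA list
    if ca_public is None:
        return False, "issuer not in trusted CA list"
    if not signature_valid(_tbs_bytes(tbs), cert["signature"], ca_public):
        return False, "signature does not verify with the CA public key"
    if not hostname_matches(tbs["host"], requested_host):
        return False, "host name mismatch"
    return True, "ok"


def demo():
    """Exercise the good path and each failure mode; returns a dict of outcomes."""
    ca_public, ca_private = toy_rsa_keypair(1000003, 1000033)  # constructed toy key
    trusted = {"Demo CA": ca_public}
    cert = issue_certificate("wireless.adc.com", "Demo CA",
                             "2004-01-01", "2006-01-01", ca_private, serial=1)
    today = "2004-12-20"
    results = {
        "good": validate_certificate(cert, "wireless.adc.com", trusted, set(), today),
        "expired": validate_certificate(cert, "wireless.adc.com", trusted, set(), "2007-01-01"),
        "revoked": validate_certificate(cert, "wireless.adc.com", trusted, {("Demo CA", 1)}, today),
        "untrusted": validate_certificate(cert, "wireless.adc.com", {}, set(), today),
        "wrong_host": validate_certificate(cert, "www.example.com", trusted, set(), today),
    }
    # Tampering: the host field is edited after signing, so the CA signature no longer matches.
    forged = {"tbs": dict(cert["tbs"], host="forged.example"), "signature": cert["signature"]}
    results["tampered"] = validate_certificate(forged, "forged.example", trusted, set(), today)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:10s} {'PASS' if ok else 'FAIL'}: {reason}")
```

The ordering matters in practice: a browser that skipped the issuer lookup and only checked the host name would accept a certificate anyone could mint, which is exactly the "tampered" and "untrusted" cases the demo rejects.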
The host name in the currently installed SSL certificate is automatically assigned as the domain name of the
LPS-20x. The factory default SSL certificate that is installed on the LPS-20x has the host name wireless.adc.com.
You do not have to add this name to your DNS server for it to be resolved. The LPS-20x intercepts all DNS requests
it receives on the wireless or LAN ports. It resolves any request that matches the certificate host name by returning
the IP address assigned to the wireless port. All other DNS requests are forwarded to the appropriate DNS servers
as configured on the Network > DNS page. To summarize, this means that by default, any DNS request by a client
station on the wireless or LAN ports that matches wireless.adc.com will return the IP address of the LPS-20x’s
wireless port.