DWS-1008 User’s Manual
D-Link Systems, Inc.
Managing Keys and Certificates
PKCS #12 (Personal Information Exchange Syntax Standard)
Contains a certificate signed by a CA and the public-private key pair, provided by the CA, that goes with the certificate.
Because the key pair comes from the CA, you do not need to generate a key pair or a certificate request on the switch. Instead, use the copy tftp command to copy the file onto the switch. Note that TFTP itself provides neither confidentiality nor integrity: the password-based protection of the PKCS #12 file is the only thing protecting the private key in transit, so copy the file only over a network segment you trust.
Use the crypto otp command to enter the one-time password assigned to the file by the CA. (This password secures the file so that the keys and certificate cannot be installed by an unauthorized party. You must know the password in order to install them.)
Use the crypto pkcs12 command to unpack the file.
Creating Keys and Certificates
You must create a public-private key pair, and request, accept, or generate a digital certificate to exchange with 802.1X users for network access. The digital certificates can be self-signed or signed by a certificate authority (CA). If you use certificates signed by a CA, you must also install the CA's own certificate so that the switch can validate the digital signatures on the certificates installed on it.
Each of the following types of access requires a separate key pair and certificate:
• EAP - 802.1X access for network users who can access SSIDs encrypted by WEP or WPA, and for users connected to wired authentication ports
Management access to the CLI through Secure Shell (SSH) also requires a key pair, but does not use a certificate.
Choosing the Appropriate Certificate Installation Method for Your Network
Depending on your network environment, you can use any of the following methods to install certificates and their public-private key pairs. The methods differ in simplicity and security: the simplest method is also the least secure, while the most secure method is slightly more complex to use.
Self-signed certificate - The easiest method to use, because a CA server is not required. The switch generates and signs the certificate itself. This method is the simplest but is also the least secure, because the certificate is not validated (signed) by a CA: 802.1X clients have no trusted root to check it against, so they must either be configured to trust that one certificate explicitly or skip server validation, which leaves them open to a rogue authenticator presenting its own self-signed certificate.
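The PKCS #12 import procedure above and the self-signed method, as an added example done with openssl on a POSIX shell; this is not code from the D-Link manual, and the DWS-1008 copy tftp, crypto otp and crypto pkcs12 commands are not reproduced here. It builds a self-signed key and certificate, wraps them in a password-protected PKCS #12 bundle, and checks that a wrong password is rejected and that the certificate inside matches the one that went in. The file names, the subject name and the password value are placeholders, and treating the CA's one-time password as the PKCS #12 export password is an assumption, not something the manual states. Assumes OpenSSL 1.1 or later.

```shell
#!/bin/sh
# Added example, not part of the D-Link DWS-1008 manual: build and check a
# PKCS #12 bundle with openssl. File names, the subject name and the password
# value are hypothetical; the manual names none of them.
set -eu

WORKDIR="${TMPDIR:-/tmp}/pkcs12-demo.$$"
mkdir -p "$WORKDIR"
trap 'rm -rf "$WORKDIR"' EXIT

KEY="$WORKDIR/eap.key"   # private key (PEM)
CRT="$WORKDIR/eap.crt"   # certificate (PEM)
P12="$WORKDIR/eap.p12"   # PKCS #12 bundle that would be copied to the switch
OTP="correct-horse-battery-staple"   # stands in for the CA-assigned one-time password

# make_self_signed: the off-box equivalent of the manual's self-signed method.
# 2048-bit RSA key and a SHA-256 self-signed certificate valid for one year.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=dws-1008-eap.example.net" \
        -keyout "$KEY" -out "$CRT" >/dev/null 2>&1
}

# make_pkcs12: wrap key + certificate in one PKCS #12 file. The export
# password both encrypts the private key and keys the integrity MAC; here it
# plays the role (an assumption) of the one-time password entered with crypto otp.
make_pkcs12() {
    openssl pkcs12 -export -inkey "$KEY" -in "$CRT" -name eap \
        -passout "pass:$OTP" -out "$P12"
}

# unpack_ok PASSWORD: exit status 0 if the bundle opens with PASSWORD, 1 if
# the MAC check fails. A wrong password must be rejected.
unpack_ok() {
    if openssl pkcs12 -in "$P12" -passin "pass:$1" -nokeys -noout >/dev/null 2>&1; then
        return 0
    else
        return 1
    fi
}

# cert_fingerprint FILE: SHA-256 fingerprint of a PEM certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# bundle_fingerprint PASSWORD: fingerprint of the certificate carried inside
# the bundle; compare it with the original to confirm nothing was swapped.
bundle_fingerprint() {
    openssl pkcs12 -in "$P12" -passin "pass:$1" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

make_self_signed
make_pkcs12

if unpack_ok "$OTP"; then
    echo "bundle opens with the correct password"
fi
if ! unpack_ok "wrong-password"; then
    echo "bundle refuses a wrong password (MAC verify failure)"
fi
echo "certificate fingerprint: $(cert_fingerprint "$CRT")"
echo "bundle fingerprint:      $(bundle_fingerprint "$OTP")"
```

Comparing the fingerprint printed for the bundle against the one printed for the original certificate is the check worth keeping: it is what you would repeat on the switch side (or against the CA's published fingerprint) before trusting a bundle that arrived over TFTP.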