DWS-1008 User’s Manual
D-Link Systems, Inc.
Managing Keys and Certicates
PKCS #12 object le certicate - More secure than using self-signed certicates,
but slightly less secure than using a Certicate Signing Request (CSR), because
the private key is distributed in a le from the CA instead of generated by the switch
itself. The PKCS #12 object le is more complex to deal with than self-signed
certicates.
Certicate Signing Request (CSR) - The most secure method, because the switch’s
public and private keys are created on the switch itself, while the certicate comes
from a trusted source (CA). This method requires generating the key pair, creating
a CSR and sending it to the CA, cutting and pasting the certicate signed by the CA
into the CLI, and then cutting and pasting the CA’s own certicate into the CLI.
Creating Public-Private Key Pairs
To use a self-signed certicate or Certicate Signing Request (CSR) certicate for switch
authentication, you must generate a public-private key pair.
To create a public-private key pair, use the following command:
crypto generate key {eap | ssh} {512 | 1024 | 2048}
Choose the key length based on your need for security or to conform with your organization’s
practices. For example, the following command generates an EAP key pair of 1024 bits:
DWS-1008# crypto generate key eap 1024
admin key pair generated
Note: After you generate or install a certificate (described in the following sections), do not
create the key pair again. If you do, the certificate might not work with the new key, in which
case you will need to regenerate or reinstall the certificate.
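The note above is the reason to check, before pasting a CA-signed certificate into the CLI, that it carries the same public key as the CSR the switch produced. The following script is an added example, not part of the manual: it runs OpenSSL on an admin workstation, and the test CA, keys, file names and subject values in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the manual. The CA, keys, subjects and file names
# are constructed; in practice the CSR comes from the switch, the cert from your CA.

# pubkey_fp KIND FILE -> SHA-256 of the DER public key inside a CSR or certificate
pubkey_fp() {
    case "$1" in
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    pem= ;;
    esac
    [ -n "$pem" ] || return 1   # unreadable input must never compare equal
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# cert_matches_csr CERT CSR -> exit 0 only if both carry the same public key
cert_matches_csr() {
    c=$(pubkey_fp cert "$1") || return 1
    r=$(pubkey_fp csr  "$2") || return 1
    [ "$c" = "$r" ]
}

# cert_key_bits CERT -> key size in bits as reported by openssl
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# make_fixture DIR -> constructed CA, CSR 1 (signed), CSR 2 (key pair regenerated)
make_fixture() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" \
        -out "$d/ca.pem" -subj "/CN=Constructed Test CA" -days 30 2>/dev/null
    for n in 1 2; do
        openssl genrsa -out "$d/key$n.pem" 2048 2>/dev/null
        openssl req -new -key "$d/key$n.pem" -out "$d/req$n.pem" \
            -subj "/C=US/ST=CA/O=Example/CN=DWS-1008"
    done
    openssl x509 -req -in "$d/req1.pem" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/cert.pem" -days 30 2>/dev/null
}

tmp=$(mktemp -d)
make_fixture "$tmp"
cert_matches_csr "$tmp/cert.pem" "$tmp/req1.pem" && echo "OK: certificate matches the CSR"
cert_matches_csr "$tmp/cert.pem" "$tmp/req2.pem" || echo "MISMATCH: key pair changed after the CSR"
echo "certificate key size: $(cert_key_bits "$tmp/cert.pem") bits"
rm -rf "$tmp"
```

A mismatch means the certificate was issued for a key pair the switch no longer holds, so a new CSR has to be created and signed.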
Generating Self-Signed Certicates
After creating a public-private key pair, you can generate a self-signed certicate. To generate
a self-signed certicate, use the following command:
crypto generate self-signed {eap}
When you type the command, the CLI prompts you to enter information to identify the
certificate. For example:
DWS-1008# crypto generate self-signed eap
Country Name: US
State Name: CA
Locality Name: San Jose campus
Organizational Name: D-Link
Organizational Unit: eng
Common Name: DWS-1008
Email Address: admin@example.com
Unstructured Name: DWS-1008 in wiring closet 120