Lantronix EDS1100 Guía de usuario descargar pdf (Pagina 99)

11: Security Settings

EDS1100/2100 User Guide 98

Whichever side is acting as server decides which cipher suite to use for a connection. It is usually

the strongest common denominator of the cipher suite lists supported by both sides.

SSL Certificates

The goal of a certificate is to authenticate its sender. It is analogous to a paper document that

contains personal identification information and is signed by an authority, for example a notary or

government agency.

The principles of Security Certificate required that in order to sign other certificates, the authority

uses a private key. The published authority certificate contains the matching public key that allows

another to verify the signature but not recreate it.

The authority’s certificate can be signed by itself, resulting in a self-signed or trusted-root

certificate, or by another (higher) authority, resulting in an intermediate authority certificate. You

can build up a chain of intermediate authority certificates, and the last certification will always be a

trusted-root certificate.

An authority that signs another certificates is also called a Certificate Authority (CA). The last in

line is then the root-CA. VeriSign is a famous example of such a root-CA. Its certificate is often

built into web browsers to allow verifying the identity of website servers, which need to have

certificates signed by VeriSign or another public CA. Since obtaining a certificate signed by a CA

that is managed by another company can be expensive, it is possible to have your own CA. Tools

exist to generate self-signed CA certificates or to sign other certificates.

A certificate request is a certificate that has not been signed and only contains the identifying

information. Signing it makes it a certificate. A certificate is also used to sign any message

transmitted to the peer to identify the originator and prevent tampering while transported.

When using HTTPS, SSL Tunneling in Accept mode, and/or EAP-TLS, the EDS1100/2100 needs

a personal certificate with a matching private key to identify itself and sign its messages. When

using SSL Tunneling in Connect mode and/or EAP-TLS, EAP-TTLS or PEAP, the EDS1100/2100

needs the authority certificate that can authenticate users with which it wishes to communicate.

SSL RSA or DSA

As mentioned above, the certificates contain a public key. Different key exchange methods require

different public keys and thus different styles of certificate. The EDS1100/2100 supports key

exchange methods that require a RSA-style certificate and key exchange methods that require a

DSA-style certificate. If only one of these certificates is stored in the EDS1100/2100, only those

key exchange methods that can work with that style certificate are enabled. RSA is sufficient in

most cases.

SSL Certificates and Private Keys

You can obtain a certificate by completing a certificate request and sending it to a certificate

authority that will create a certificate/key combo, usually for a fee. Or generate your own. A few

utilities exist to generate self-signed certificates or sign certificate requests. The EDS1100/2100

also has the ability to generate its own self-signed certificate/key combo.

You can use XML to export the certificate in PEM format, but you cannot export the key. Hence the

internal certificate generator can only be used for certificates that are to identify that particular

EDS1100/2100.

1 2 ... 94 95 96 97 98 99 100 101 102 103 104 ... 156 157

Comentarios a estos manuales

Sin comentarios

Lantronix EDS1100 Guía de usuario Pagina 99

Comentarios a estos manuales

Relacionado con productos y manuales para Servidores De Serie Lantronix EDS1100