255
DWS-1008 User’s Manual
D-Link Systems, Inc.
Managing Keys and Certificates
A digital certificate is a form of electronic identification for computers. The DWS-1008 switch
requires digital certificates to authenticate its communications to Web View, to WebAAA
clients, and to Extensible Authentication Protocol (EAP) clients for which the switch performs
all EAP processing. Certificates can be generated on the switch or obtained from a certificate
authority (CA). Keys contained within the certificates allow the switch, its servers, and its
wireless clients to exchange information secured by encryption.
Note:
Before installing a certificate, verify with the show timedate and show timezone
commands that the switch is set to the correct date, time, and time zone. Otherwise,
certificates might not be installed correctly.
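The note above matters because a TLS peer judges a certificate's notBefore/notAfter window against the device's own clock. The following is an added example, not code from the manual or from D-Link: it parses X.509 validity timestamps (RFC 5280 UTCTime and GeneralizedTime), applies the check, and shows how a switch with the right wall-clock time but a wrong time zone rejects a freshly issued certificate as not yet valid. The certificate dates and clock readings are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

def parse_x509_time(value: str) -> datetime:
    """Parse an X.509 validity timestamp (RFC 5280 UTCTime 'YYMMDDHHMMSSZ'
    or GeneralizedTime 'YYYYMMDDHHMMSSZ') into a timezone-aware UTC datetime."""
    if not value.endswith("Z"):
        raise ValueError("X.509 validity times must be expressed in UTC ('Z')")
    digits = value[:-1]
    if len(digits) == 12:            # UTCTime: two-digit year, RFC 5280 pivot rule
        yy = int(digits[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = digits[2:]
    elif len(digits) == 14:          # GeneralizedTime: four-digit year
        year = int(digits[:4])
        rest = digits[4:]
    else:
        raise ValueError(f"unrecognised X.509 time: {value!r}")
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)

def check_validity(not_before: str, not_after: str, device_clock: datetime) -> str:
    """Return 'valid', 'not-yet-valid' or 'expired' for a certificate whose
    validity window is [not_before, not_after], as judged by the device clock."""
    start, end = parse_x509_time(not_before), parse_x509_time(not_after)
    now = device_clock.astimezone(timezone.utc)   # compare on the same (UTC) axis
    if now < start:
        return "not-yet-valid"
    if now > end:
        return "expired"
    return "valid"

# Constructed sample: a certificate issued at 12:00 UTC, valid for one year.
CERT_NOT_BEFORE = "240301120000Z"   # 2024-03-01 12:00:00 UTC
CERT_NOT_AFTER = "250301120000Z"    # 2025-03-01 12:00:00 UTC
PACIFIC = timezone(timedelta(hours=-8))   # assumed administrator's local zone

def demo():
    """Same local wall-clock reading (04:10) on two switches; only the zone differs."""
    right_zone = datetime(2024, 3, 1, 4, 10, tzinfo=PACIFIC)        # 12:10 UTC
    wrong_zone = datetime(2024, 3, 1, 4, 10, tzinfo=timezone.utc)   # zone left at UTC
    return (check_validity(CERT_NOT_BEFORE, CERT_NOT_AFTER, right_zone),
            check_validity(CERT_NOT_BEFORE, CERT_NOT_AFTER, wrong_zone))

if __name__ == "__main__":
    print(demo())   # ('valid', 'not-yet-valid')
```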
Why Use Keys and Certificates?
Certain switch operations require the use of public-private key pairs and digital certificates. All
Web View users, and users for which the switch performs IEEE 802.1X EAP authentication
or WebAAA, require public-private key pairs and digital certificates to be installed on the
switch.
These keys and certificates are fundamental to securing wireless, wired-authentication, and
administrative connections because they support Wi-Fi Protected Access (WPA) encryption
and dynamic Wired Equivalent Privacy (WEP) encryption.
Wireless Security through TLS
For wireless or wired-authentication 802.1X users whose authentication is performed by
the switch, the first stage of any EAP transaction is Transport Layer Security (TLS)
authentication and encryption. Web View also requires a session to the switch that is
authenticated and encrypted by TLS. Once a TLS session is authenticated, it is encrypted.
TLS allows the client to authenticate the switch (and optionally allows the switch to authenticate
the client) through the use of digital signatures. Digital signatures require a public-private key
pair. The signature is created with a private key and verified with a public key. TLS enables
secure key exchange.
PEAP-MS-CHAP-V2 Security
PEAP performs a TLS exchange for server authentication and allows a secondary
authentication to be performed inside the resulting secure channel for client authentication.
For example, the Microsoft Challenge Handshake Authentication Protocol version 2
(MS-CHAP-V2) performs mutual MS-CHAP-V2 authentication inside an encrypted TLS
channel established by PEAP.