DWS-1008 User's Manual, D-Link Systems, Inc. (page 260)
Managing Keys and Certificates
• PKCS #12 object file certificate - More secure than using self-signed certificates, but slightly less secure than using a Certificate Signing Request (CSR), because the private key is distributed in a file from the CA instead of generated by the switch itself. The PKCS #12 object file is more complex to deal with than self-signed certificates. However, you can use RingMaster, Web View, or the CLI to distribute this certificate. The other two methods can be performed only using the CLI.
• Certificate Signing Request (CSR) - The most secure method, because the switch's public and private keys are created on the switch itself, while the certificate comes from a trusted source (CA). This method requires generating the key pair, creating a CSR and sending it to the CA, cutting and pasting the certificate signed by the CA into the CLI, and then cutting and pasting the CA's own certificate into the CLI.
Creating Public-Private Key Pairs
To use a self-signed certificate or Certificate Signing Request (CSR) certificate for switch
authentication, you must generate a public-private key pair.
To create a public-private key pair, use the following command:

crypto generate key {admin | eap | ssh | webaaa} {512 | 1024 | 2048}
Choose the key length based on your need for security or to conform with your organization's practices. For example, the following command generates an administrative key pair of 1024 bits:

DWS-1008# crypto generate key admin 1024
admin key pair generated
Note: After you generate or install a certificate (described in the following sections), do not create the key pair again. If you do, the certificate might not work with the new key, in which case you will need to regenerate or reinstall the certificate.
Generating Self-Signed Certificates
After creating a public-private key pair, you can generate a self-signed certificate. To generate a self-signed certificate, use the following command:

crypto generate self-signed {admin | eap | webaaa}
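The three methods compared at the top of this section (self-signed, PKCS #12 file, CSR) and the key-pair and self-signed steps just described differ mainly in where the private key is created and which files carry it. The following script is an added example, not part of the D-Link manual and not the DWS-1008 CLI: it models each method with openssl on a workstation, standing in for the switch and for the CA, and then checks every file that would be transferred between switch and CA for private-key material. It assumes openssl (1.1 or 3.x) and mktemp are installed; the subject name, CA name, file names and export password are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the D-Link manual and not the DWS-1008 CLI: it models the
# three certificate methods above with openssl on a workstation, so you can see on disk
# which method lets the private key leave the device. Assumes openssl (1.1 or 3.x) and
# mktemp are installed; every name, subject and password below is constructed for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"
SUBJ="/CN=dws-1008.lab.example"        # constructed subject for the switch certificate
P12_PASS="constructed-demo-password"   # constructed export password for the PKCS #12 file

# Method 1, self-signed: the device (here, this host) generates the key pair and signs
# its own certificate. The private key never leaves $WORK/switch.key.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/switch.key" \
        -out "$WORK/self-signed.crt" -days 365 -subj "$SUBJ" >/dev/null 2>&1
}

# Method 2, CSR: the device keeps the key it generated in method 1 and sends only a
# signing request (public key + subject) to the CA, which returns a signed certificate.
# A throwaway lab CA stands in for the trusted CA.
make_csr_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
        -out "$WORK/ca.crt" -days 365 -subj "/CN=Lab CA (constructed)" >/dev/null 2>&1
    openssl req -new -key "$WORK/switch.key" -out "$WORK/switch.csr" \
        -subj "$SUBJ" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/switch.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -out "$WORK/ca-signed.crt" -days 365 >/dev/null 2>&1
    # What the operator pastes into the CLI is ca-signed.crt followed by ca.crt;
    # verify here that the signed certificate actually chains to the CA.
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/ca-signed.crt" >/dev/null 2>&1
}

# Method 3, PKCS #12: the CA generates the key pair on the device's behalf and bundles
# key + certificate + CA certificate into one password-protected file for distribution.
make_pkcs12() {
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/ca-made.key" \
        -out "$WORK/ca-made.csr" -subj "$SUBJ" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/ca-made.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -out "$WORK/ca-made.crt" -days 365 >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$WORK/ca-made.key" -in "$WORK/ca-made.crt" \
        -certfile "$WORK/ca.crt" -out "$WORK/switch.p12" -passout "pass:$P12_PASS" \
        >/dev/null 2>&1
}

# Prints "yes" if the artifact carries a private key, "no" otherwise. PKCS #12 is
# binary DER, so it is unpacked (with the export password) before the check.
private_key_in_file() {
    case "$1" in
        *.p12) openssl pkcs12 -in "$1" -nodes -passin "pass:$P12_PASS" 2>/dev/null \
                   | grep -q "PRIVATE KEY" && echo yes || echo no ;;
        *)     grep -q "PRIVATE KEY" "$1" && echo yes || echo no ;;
    esac
}

# One line per artifact that would be transferred between device and CA.
summarize() {
    for f in switch.csr ca-signed.crt self-signed.crt switch.p12; do
        printf '%-16s private key inside: %s\n' "$f" "$(private_key_in_file "$WORK/$f")"
    done
}

make_self_signed
make_csr_signed
make_pkcs12
summarize
```

The summary shows that the CSR and the CA-signed certificate contain only public material, while the PKCS #12 bundle carries the private key across the transfer; that is exactly why the section ranks CSR above PKCS #12. The script uses 2048-bit keys even though the switch command also offers 512; 512-bit RSA is rejected by modern TLS stacks and should not be chosen for any of the key types.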