DWS-1008 User’s Manual
D-Link Systems, Inc.
Managing Keys and Certificates
1. To form the encrypted TLS channel, the switch must have a digital certificate and must present that certificate to the wireless client.
2. Inside the switch's digital certificate is the switch's public key, which the wireless client uses to encrypt a pre-master secret.
3. The wireless client then sends the encrypted pre-master secret back to the switch. The switch decrypts it with its private key, and both the switch and the client derive keys from the pre-master secret for secure authentication and for encrypting the wireless session.
Clients authenticated by PEAP need a certificate on the switch only when the switch performs PEAP locally, not when EAP processing takes place on a RADIUS server (in that case the RADIUS server holds the certificate).
About Keys and Certificates
Public-private key pairs, digital signatures, and certificates let session keys be generated dynamically so that data can be encrypted and delivered securely. You either generate the key pairs and certificates on the switch or install them on the switch after enrolling with a certificate authority (CA). The switch can generate key pairs, self-signed certificates, and Certificate Signing Requests (CSRs), and can install key pairs, server certificates, and certificates issued by a CA.
Note: The switch uses separate server certificates for Admin, EAP (802.1X), and Web AAA
authentication. Where applicable, the manuals refer to these server certificates as Admin,
EAP (or 802.1X), or Web AAA certificates respectively.
When the switch needs to communicate with Web View or with an 802.1X or WebAAA client, MSS requests a private key from the switch's certificate and key store:
• If no private key is in the switch's certificate and key store, the switch does not respond to the request from MSS. If a private key is present, MSS requests the certificate that corresponds to it.
• If the certificate in the store is self-signed, the switch responds to the request from MSS. If the certificate is not self-signed, the switch looks in the store for the CA certificate with which to validate the server certificate.
• If the corresponding CA certificate is not in the store, the switch does not respond to the request from MSS. If the corresponding CA certificate is present and the server certificate validates against it (validity period not expired, signature verified), the switch responds.
If the switch does not respond to the request from MSS, authentication fails and access is denied.
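The lookup order in the list above, together with the pre-master secret exchange in steps 1 to 3, as an added example in Go. This is not code from the manual or from MSS: it builds a self-signed server certificate, a CA-issued one, and a store in which the CA certificate is missing, and walks each through the same checks the switch applies before it responds. The KeyStore layout, the makeCert helper, the certificate names, and the SHA-256 stand-in for the TLS key derivation are all assumptions of the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// KeyStore models one of the switch's certificate and key stores (Admin, EAP or Web AAA); the layout is assumed for this example.
type KeyStore struct {
	PrivateKey *rsa.PrivateKey
	ServerCert *x509.Certificate
	CACerts    []*x509.Certificate
}

// makeCert issues a certificate for pub signed with signerKey; parent nil means self-signed.
func makeCert(cn string, isCA bool, pub *rsa.PublicKey, parent *x509.Certificate, signerKey *rsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if parent == nil {
		parent = tmpl // the template acts as its own issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above, always parses
	return cert
}

// selectServerCredentials follows the manual's lookup order: private key, a certificate carrying
// its public half, then self-signed or CA-validated. The validity-period check is applied to both kinds here.
func selectServerCredentials(ks KeyStore, now time.Time) (*x509.Certificate, error) {
	c := ks.ServerCert
	switch {
	case ks.PrivateKey == nil:
		return nil, errors.New("no private key in key store")
	case c == nil:
		return nil, errors.New("no certificate for the stored private key")
	case !ks.PrivateKey.PublicKey.Equal(c.PublicKey):
		return nil, errors.New("certificate public key does not match the private key")
	case now.Before(c.NotBefore) || now.After(c.NotAfter):
		return nil, errors.New("certificate is outside its validity period")
	case c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil:
		return c, nil // self-signed: verifies under its own public key, no CA needed
	}
	for _, ca := range ks.CACerts {
		if c.CheckSignatureFrom(ca) == nil { // checks the CA flag, key usage and the signature
			return c, nil
		}
	}
	return nil, errors.New("no CA certificate in the store validates the server certificate")
}

// exchangePreMasterSecret models steps 1-3: the client encrypts a fresh 48-byte pre-master secret
// under the public key from the switch's certificate, the switch decrypts it, and each side derives
// a session key from its copy (SHA-256 here, standing in for the real TLS PRF).
func exchangePreMasterSecret(cert *x509.Certificate, key *rsa.PrivateKey) (clientKey, switchKey [32]byte, err error) {
	pms := make([]byte, 48)
	rand.Read(pms)
	derive := func(s []byte) [32]byte { return sha256.Sum256(append([]byte("session key:"), s...)) }
	sent, err := rsa.EncryptPKCS1v15(rand.Reader, cert.PublicKey.(*rsa.PublicKey), pms) // client -> switch
	if err != nil {
		return
	}
	received, err := rsa.DecryptPKCS1v15(rand.Reader, key, sent) // the switch unwraps it with its private key
	return derive(pms), derive(received), err
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ca := makeCert("Example CA", true, &caKey.PublicKey, nil, caKey)
	issued := makeCert("dws-1008", false, &key.PublicKey, ca, caKey)
	for _, ks := range []KeyStore{
		{PrivateKey: key, ServerCert: makeCert("dws-1008 self-signed", false, &key.PublicKey, nil, key)},
		{PrivateKey: key, ServerCert: issued, CACerts: []*x509.Certificate{ca}},
		{PrivateKey: key, ServerCert: issued}, // CA certificate missing
	} {
		if cert, err := selectServerCredentials(ks, time.Now()); err != nil {
			fmt.Println("switch does not respond, authentication fails:", err)
		} else {
			ck, sk, _ := exchangePreMasterSecret(cert, key)
			fmt.Printf("switch responds with %q; session keys match: %v\n", cert.Subject.CommonName, ck == sk)
		}
	}
}
```

The third store reproduces the failure the manual describes: the server certificate and private key are fine, but without the issuing CA certificate the switch cannot validate the chain and stays silent, so the client's authentication fails. CheckSignatureFrom is what enforces that the installed CA certificate is actually a CA (basic constraints) and signed this certificate; a certificate that merely has the same subject name would not pass.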
For EAP (802.1X) users, the public-private key pairs and digital certificates can instead be stored on a RADIUS server. In this case the switch operates as a pass-through authenticator, relaying EAP messages between the client and the RADIUS server, and the RADIUS server presents its certificate in the TLS exchange.