Managing Keys and Certificates 387

Choosing the Appropriate Certificate Installation Method for Your Network

Depending on your network environment, you can use any of the following methods to install certificates and their public-private key pairs. The methods differ in terms of simplicity and security. The simplest method is also the least secure, while the most secure method is slightly more complex to use.

Self-signed certificate—The easiest method to use because a CA server is not required. The WSS switch generates and signs the certificate itself. This method is the simplest but is also the least secure, because the certificate is not validated (signed) by a CA.

PKCS #12 object file certificate—More secure than using self-signed certificates, but slightly less secure than using a Certificate Signing Request (CSR), because the private key is distributed in a file from the CA instead of being generated by the WSS switch itself. The PKCS #12 object file is more complex to deal with than self-signed certificates. However, you can use WLAN Management Software, Web View, or the CLI to distribute this certificate. The other two methods can be performed only using the CLI.

Certificate Signing Request (CSR)—The most secure method, because the WSS switch’s public and private keys are created on the WSS switch itself, while the certificate comes from a trusted source (CA). This method requires generating the key pair, creating a CSR and sending it to the CA, cutting and pasting the certificate signed by the CA into the CLI, and then cutting and pasting the CA’s own certificate into the CLI.

Table 27 lists the steps required for each method and refers you to appropriate instructions. (For complete examples, see “Key and Certificate Configuration Scenarios” on page 393.)

Table 27: Procedures for Creating and Validating Certificates

Certificate Installation Method: Self-signed certificate
  Steps Required:
    1. Generate a public-private key pair on the WSS switch.
    2. Generate a self-signed certificate on the WSS switch.
  Instructions:
    “Creating Public-Private Key Pairs” on page 388
    “Generating Self-Signed Certificates” on page 389

Certificate Installation Method: PKCS #12 object file certificate
  Steps Required:
    1. Copy a PKCS #12 object file (public-private key pair, server certificate, and CA certificate) from a CA onto the WSS switch.
    2. Enter the one-time password to unlock the file.
    3. Unpack the file into the switch’s certificate and key store.
  Instructions:
    “Installing a Key Pair and Certificate from a PKCS #12 Object File” on page 390

Certificate Installation Method: Certificate Signing Request (CSR) certificate
  Steps Required:
    1. Generate a public-private key pair on the WSS switch.
    2. Generate a CSR on the switch as a PKCS #10 object file.
    3. Give the CSR to a CA and receive a signed certificate (a PEM-encoded PKCS #7 object file).
    4. Paste the PEM-encoded file into the CLI to store the certificate on the WSS switch.
    5. Obtain and install the CA’s own certificate.
  Instructions:
    “Creating Public-Private Key Pairs” on page 388
    “Creating a CSR and Installing a Certificate from a PKCS #7 Object File” on page 391
    “Installing a CA’s Own Certificate” on page 392
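The CSR method (steps 1 to 5 of Table 27), replayed with openssl on a workstation as an added example that is not part of the Nortel guide, so the PKCS #10 and PKCS #7 objects exchanged with the CA can be inspected before anything is pasted into the CLI. The throwaway CA, the subject names and the temporary file paths are constructed for the demo; on a WSS switch the key pair and CSR come from the switch’s own CLI and the CA is an external trusted one.

```shell
#!/bin/sh
# Added example, not from the Nortel guide: the Table 27 CSR workflow replayed
# with openssl on a workstation. The throwaway CA, subject names and temp paths
# are constructed for the demo; on a WSS switch steps 1-2 run on the switch.
set -e
work=$(mktemp -d)

# Stand-in for the trusted CA (constructed; a real CA is an external service).
make_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo CA" \
    -keyout "$work/ca.key" -out "$work/ca.crt" 2>/dev/null
}

# Step 1: key pair generated locally; the private key never leaves the device.
# Step 2: a PKCS #10 CSR is derived from that key pair.
make_csr() {
  openssl genrsa -out "$work/switch.key" 2048 2>/dev/null
  openssl req -new -key "$work/switch.key" -subj "/CN=wss-demo.example" \
    -out "$work/switch.csr" 2>/dev/null
}

# Step 3: the CA signs the CSR and hands back a PEM-encoded PKCS #7 object.
ca_sign_as_pkcs7() {
  openssl x509 -req -in "$work/switch.csr" -CA "$work/ca.crt" \
    -CAkey "$work/ca.key" -CAcreateserial -days 365 \
    -out "$work/switch.crt" 2>/dev/null
  openssl crl2pkcs7 -nocrl -certfile "$work/switch.crt" -out "$work/switch.p7b"
}

# Steps 4-5: before pasting either object into the CLI, check that the
# certificate inside the PKCS #7 file chains to the CA certificate you will
# install next. Prints "ok" when the chain verifies.
verify_chain() {
  openssl pkcs7 -in "$work/switch.p7b" -print_certs -out "$work/extracted.crt"
  openssl verify -CAfile "$work/ca.crt" "$work/extracted.crt" >/dev/null 2>&1 \
    && echo ok
}

# The property that makes this the most secure method: the issued certificate
# binds the key generated in step 1. Prints "match" when the moduli agree.
key_matches_cert() {
  k=$(openssl rsa -in "$work/switch.key" -noout -modulus | openssl sha256)
  c=$(openssl x509 -in "$work/extracted.crt" -noout -modulus | openssl sha256)
  [ "$k" = "$c" ] && echo match
}

make_demo_ca; make_csr; ca_sign_as_pkcs7; verify_chain; key_matches_cert
```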


Nortel WLAN Security Switch 2300 Series Configuration Guide
