Filter
Top Products
16 Security in Detail
XPort Pro™ User Guide 138
Security Certificate Principles
To sign other certificates, the authority uses a private key. The published authority
certificate contains the matching public key that allows another to verify the signature
but not recreate it.
The authority’s certificate can be signed by itself, resulting in a self-signed or trusted-
root certificate, or by another (higher) authority, resulting in an intermediate authority
certificate. You can build up a chain of intermediate authority certificates, and the last
certification will always be a trusted-root certificate.
An authority that signs other’s certificates is also called a Certificate Authority (CA).
The last in line is then the root-CA. VeriSign is a famous example of such a root-CA.
Its certificate is often built into web browsers to allow verifying the identity of website
servers, which need to have certificates signed by VeriSign or another public CA.
Since obtaining a certificate signed by a CA that is managed by another company
can be expensive, it is possible to become one’s own CA. Tools exist to generate
self-signed CA certificates or to sign other certificates.
A certificate before it is signed is known as a certificate request, which only contains
the identifying information. Signing it makes it a certificate. One’s certificate is also
used to sign any message transmitted to the peer to identify the originator and
prevent tampering while transported.
In short:
When using HTTPS, SSL Tunneling in Accept mode, and/or EAP-TLS, the XPort
Pro needs a personal certificate with matching private key to identify itself and
sign its messages.
When using SSL Tunneling in Connect mode and/or EAP-TLS, EAP-TTLS or
PEAP, the XPort Pro needs the authority certificate(s) that can authenticate
those it wishes to communicate with.
RSA or DSA
As mentioned above, the certificates contain a public key. Different key exchange
methods require different public keys and thus different styles of certificate. The
XPort Pro supports key exchange methods that require a RSA-style certificate and
key exchange methods that require a DSA-style certificate.
If only one of these certificates is stored in the XPort Pro, only those key exchange
methods that can work with that style certificate are enabled. RSA is sufficient in
most cases.
Obtaining a Certificate and Private Key
You can obtain a certificate by completing a certificate request and sending it to a
certificate authority that will create a certificate/key combo, usually for a fee. Or
generate your own. A few utilities exist to generate self-signed certificates or sign
certificate requests. The XPort Pro also has the ability to generate its own self-signed
certificate/key combo.
You can use XML to export the certificate in PEM format, but you cannot export the
key. Hence the internal certificate generator can only be used for certificates that are
to identify that particular XPort Pro.