Certificates Automatically Generated By Mss; Creating Keys And Certificates - D-Link DWS-1008 - AirPremier MobileLAN Switch Product Manual

Certificates Automatically Generated by MSS

The first time you boot a switch with MSS Version 4.2 or later, MSS automatically generates keys and
self-signed certificates, in cases where certificates are not already configured or installed. MSS can
automatically generate all the following types of certificates and their keys:
• Admin (required for administrative access to the switch by Web View)
• EAP (required for 802.1X user access through the switch)
• Web (required for WebAAA user access through the switch)
The keys are 512 bytes long.
MSS automatically generates self-signed certificates only in cases where no certificate is already
configured. MSS does not replace self-signed certificates or CA-signed certificates that are already
configured on the switch. You can replace an automatically generated certificate by creating another
self-signed one or by installing a CA-signed one. To use a longer key, configure the key before creating
the new certificate (or certificate request, if you plan to install a CA-signed certificate).
If generated by MSS Version 4.2.3 or later, the automatically generated certificates are valid for three
years, beginning one week before the time and date on the switch when the certificate is generated.

Creating Keys and Certificates

Public-private key pairs and digital certificates are required for management access with Web View, or
for network access by 802.1X or WebAAA users. The digital certificates can be self-signed or signed
by a certificate authority (CA). If you use certificates signed by a CA, you must also install a certificate
from the CA to validate the digital signatures of the certificates installed on the switch.
Generally, CA-generated certificates are valid for one year beginning with the system time and date that
are in effect when you generate the certificate request.
Self-signed certificates generated when running MSS Version 4.2.3 or later are valid for three years,
beginning one week before the time and date on the switch when the certificate is generated.
Each of the following types of access requires a separate key pair and certificate:
• Admin—Administrative access through Web View
• EAP—802.1X access for network users who can access SSIDs encrypted by WEP or
WPA, and for users connected to wired authentication ports
• WebAAA—Web access for network users who can use a web page to log onto an
unencrypted SSID
Management access to the CLI through Secure Shell (SSH) also requires a key pair, but does not use
a certificate.
DWS-1008 security also requires a key pair and certificate. However, the certificate is generated
automatically when you enable DWS-1008 security.
D-Link DWS-1008 User Manual 0