Choosing The Appropriate Certificate Installation Method For Your Network - Nortel 2360 Configuration Manual

452 Managing keys and certificates
Choosing the appropriate certificate installation method for your
network
Depending on your network environment, you can use any of the following methods to install certificates and
their public-private key pairs. The methods differ in terms of simplicity and security. The simplest method is
also the least secure, while the most secure method is slightly more complex to use.
• Self-signed certificate—The easiest method to use because a CA server is not required. The WSS
generates and signs the certificate itself. This method is the simplest but is also the least secure, because
the certificate is not validated (signed) by a CA.
• PKCS #12 object file certificate—More secure than using self-signed certificates, but slightly less
secure than using a Certificate Signing Request (CSR), because the private key is distributed in a file from
the CA instead of generated by the WSS itself. The PKCS #12 object file is more complex to deal with
than self-signed certificates. However, you can use WLAN Management Software, Web View, or the CLI
to distribute this certificate. The other two methods can be performed only using the CLI.
• Certificate Signing Request (CSR)—The most secure method, because the WSS's public and private
keys are created on the WSS itself, while the certificate comes from a trusted source (CA). This method
requires generating the key pair, creating a CSR and sending it to the CA, cutting and pasting the
certificate signed by the CA into the CLI, and then cutting and pasting the CA's own certificate into the
CLI.
Table 2 lists the steps required for each method and refers you to appropriate instructions. (For complete
examples, see "Key and certificate configuration scenarios" (page
Table 2: Procedures for creating and validating certificates
Certificate
Installation Steps Required
Method
Self-signed 1. Generate a public-private key pair on the WSS.
certificate
2. Generate a self-signed certificate on the WSS.
PKCS #12 1. Copy a PKCS #12 object file (public-private
object file key pair, server certificate, and CA certificate)
certificate from a CA onto the WSS.
2. Enter the one-time password to unlock the file.
3. Unpack the file into the switch's certificate and
key store.
NN47250-500 (320657-F Version 02.01)
459).)
Instructions
• "Creating public-private key
pairs" (page 454)
• "Generating self-signed
certificates" (page 455)
"Installing a key pair and certificate
from a PKCS #12 object file"
(page 456)