Menu path: Configuration > Integration Overview > PKI Certificate Authorities.
A Public Key Infrastructure (PKI) is a set of software, data, and procedures for creating and managing certificates. Certificates are pieces of data that identify a person, client computer, server computer or other entity. A key component of a PKI is the generation of public-private encryption key pairs. The pairs are mathematically related such that data encrypted using one of the pair can only be decrypted by the other. Public keys are embedded in certificates. Endpoints prove their identity by encrypting data with their private key, which is verified using the certificate's public key.
Certificate Authorities are the parties that sign certificates. Signing is the process by which the data in an endpoint's certificate is combined with the Certificate Authority's (CA) public key. This allows a party receiving the endpoint's certificate to validate that the certificate was generated by a party that it trusts. If EAP-TLS authentication is to be used in A3, CAs generated at this step must be copied into the RADIUS section of SSL Certificates so that A3 will trust endpoint certificates generated by the CA. See Using CA Certificates as RADIUS Certificates for a discussion of how to accomplish this. Also see the Note below concerning trusted CAs.
Note
The CAs generated by A3's PKI are not publicly trusted CAs. They are intended for use only within an organization. Publicly trusted certificates can be generated using A3's SSL Certificates interface.
Note
The pfpki service must be restarted after each CA is created. Use the button above the table. Once created, CAs may not be deleted.
The dialog for creating entries has the following fields:
Field | Usage | Example |
---|---|---|
Common Name | The common name of the CA. | Example_Root_CA |
 | The email address of the CA's administrator. | admin@example.com |
Organization | The name of the organization. | Example Widgets Inc. |
Country | The country of the CA. Choose from the drop-down list. | United States of America |
State or Province | The major location of the CA within the Country. | California |
Locality | The locality of the CA within the State or Province. | Anytown |
Street Address | The street address for the Organization. | 123 Main Street |
Postal Code | The postal code for the Organization. | 91234 |
Key Type | The type of key to be generated for the CA's keys. One of the available types. | KEY_RSA |
Key Size | The size of the keys to be generated. One of the available sizes. | 4096 |
Digest | The type of cryptographic checksum to be generated. One of the available digests. | SHA256WithRSA |
Key Usage | The permitted usage types for the certificate. One or more may be selected; if no values are specified, all uses are permitted. | |
Extended Key Usage | Additional usage types for the certificate. One or more may be selected; if no values are specified, all extended uses are permitted. | |
Days | The number of days for which the CA certificate will be valid. | 1000 |
Select the button to generate the certificate. After a few seconds a new Certificates field will be created and filled in with the encoded certificate. The CA entry is now complete and may not be modified. Exit back to the Certificate Authorities list or select the corresponding button to create a clone of the current entry. A cloned entry may be used to make a new CA modified from the last CA.
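The CA creation and the EAP-TLS trust relationship described above, as an added Go example that is not part of A3, pfpki or this page: it builds a CA from the dialog's fields (Key Size, SHA256WithRSA digest, Days), issues an endpoint certificate from it, and shows that RADIUS-side verification only succeeds once the CA is in the RADIUS trust pool. Function names are this example's own, and the subject values used in tests are taken from the Example column with the country given as its two-letter code.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue generates an RSA key of the given size and has parent sign tmpl for it; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *rsa.PrivateKey, bits int) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// NewRootCA maps the dialog onto a self-signed CA: subject fields, Key Size, Digest SHA256WithRSA,
// CertSign/CRLSign Key Usage, CA:TRUE and a validity of Days. Like the dialog, the result cannot be edited afterwards.
func NewRootCA(subject pkix.Name, keyBits, days int) (*x509.Certificate, *rsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: subject,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(0, 0, days),
		SignatureAlgorithm: x509.SHA256WithRSA, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true, IsCA: true,
	}, nil, nil, keyBits)
}
// IssueClientCert has the CA sign an endpoint certificate limited to TLS client authentication, as an EAP-TLS supplicant presents.
func IssueClientCert(ca *x509.Certificate, caKey *rsa.PrivateKey, cn string) (*x509.Certificate, error) {
	cert, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(0, 0, 365),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca, caKey, 2048)
	return cert, err
}
// TrustedForEAPTLS is the RADIUS-side check: leaf must chain to a CA in the RADIUS trust pool and be allowed for client auth.
func TrustedForEAPTLS(radiusRoots *x509.CertPool, leaf *x509.Certificate) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: radiusRoots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}
```

An empty pool stands for a CA that was created here but never copied into the RADIUS section of SSL Certificates; endpoint certificates it issued are then rejected.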
Copyright © 2020 Extreme Networks. All rights reserved. Published December 2020.