|
Menu path: Configuration > Integration Overview > PKI Certificate Authorities.
A Public Key Infrastructure (PKI) is a set of software, data, and procedures for creating and managing certificates. Certificates are pieces of data that identifies a person, client computer, server computer or other entity. A key component of a PKI is the generation of public-private encryption key pairs. The pairs are mathematically related such that data encrypted using one of the pair can only be decrypted by the other. Public keys are embedded in certificates. Endpoints prove their identity by encrypting data with their private key, which is verified using the certificate's public key.
Certificate Authorities are the parties that sign certificates. Signing is process by which the data in an endpoint's certificate is combined with the Certificate Authority's (CA) public key. This allows a party receiving the endpoint's certificate to validate that the certificate was generated by a party that they trust. If EAP-TLS authentication is to be used in A3, CAs generated at this step must be copied into the RADIUS section of SSL Certificates so A3 will trust endpoint certificates generated by the CA. See Using CA Certificates as RADIUS Certificates for a discussion on how to accomplish this. Also see the Note below concerning trusted CAs.
Note
The CAs generated by A3's PKI are not publicly trusted CAs. They are intended for use only within an organization. Publicly trusted certificates can be generated using A3's SSL Certificates interface.
to create a new CA, or select an
existing one to view the contents. Existing entries offer three operations:
- clone the CA
entry and then enter the New Certificate Authority dialog.
- the
contents of the CA certificate are copied to the clipboard for use in other contexts.
See Using CA Certificates as RADIUS Certificates for a further discussion.
- open the
dialog for the creation of a new template based on the selected CA.Note
The pfpki service must be restarted after each CA is created. Use the button above the table.CAs can not be deleted after they are created. The dialog for creating entries has the following fields:
| Field | Usage | Example |
|---|---|---|
| Common Name | The common name of the CA. | Example_Root_CA |
| The email address of the CA's administrator | admin@example.com | |
| Organization | The name of the organization. | Example Widgets Inc. |
| Country | The country of the CA. Choose from the drop-down list. | United States of America |
| State or Province | The major location of the CA within the Country. |
California |
| Locality | The locality of the CA within the State or Province. | Anytown |
| Street Address | The street address for the Organization. | 123 Main Street |
| Postal Code | The postal code for the Organization. | 91234 |
| Key Type | The type of key to be generated for the CA's keys. One of:
|
KEY_RSA |
| Key Size | The size of the keys to be generated. One of:
|
4096 |
| Digest | The type of cryptographic checksum to be generated. One of:
|
SHA256WithRSA |
| Key Usage | The permitted usage types for the certificate. One or more of:
If no values are specified, all uses are permitted. |
|
| Extended Key Usage | Additional usage types for the certificate. One or more of:
If no values are specified, all extended uses are permitted. |
|
| Days | The number of days for which the CA certificate will be valid. | 1000 |
Select the 
button to generate the certificate. After a few seconds a new
Certificates field
will be created and filled in with the encoded certificate. The CA entry is now complete and
can not be modified. Exit back to the Certificate Authorities list or select the to create a clone of
the current entry. A cloned entry can be used to make a new CA modified from the last
CA.
to copy the
certificate's contents.
.
.Copyright © 2023 Extreme Networks. All rights reserved. Published March 28, 2023.