1 An entity or organization that wants a digital certificate requests one through a CSR.2 To request a digital certificate through a CSR, a key pair is generated and the CSR is signed using the secret private key. The CSRcontains information identifying the applicant and the applicant's public key. This public key is used to verify the signature of the CSRand the Distinguished Name (DN).3 This CSR is sent to a Certificate Authority (CA). The CA verifies the certificate and signs it using the CA's own private key.4 The CA then issues the certificate by binding a public key to a particular distinguished name (DN). This certificate becomes theentity's trusted root certificate.Advantages of X.509v3 certificatesPublic key authentication is preferred over password-based authentication, although both may be used in conjunction, for various reasons.Public-key authentication provides the following advantages over normal password-based authentication:• Public-key authentication avoids the human problems of low-entropy password selection and provides more resistance to brute-forceattacks than password-based authentication.• It facilitates trusted, provable identities—when using certificates signed by trusted CAs.• It also provides integrity and confidentiality in addition to authentication.X.509v3 support in Dell Networking OSDell Networking OS supports X.509v3 standards.Many organizations or entities need to let their customers know that the connection to their devices and network is secure. Theseorganizations pay an internationally trusted Certificate Authorities (CAs) such as VeriSign, DigiCert, and so on, to sign a certificate for theirdomain.To implement a X.509v3 infrastructure, Dell Networking OS recommends you to act as your own CA. Common use cases for acting as yourown CA include issuing certificates to clients to allow them to authenticate to a server. For example, Apache, OpenVPN, and so on.Acting as a certificate authority (CA) means dealing with cryptographic pairs of private keys and public certificates. The first cryptographicpair you create is the root pair. This root pair consists of the root key (ca.key.pem) and root certificate—ca.cert.pem. This pair forms theidentity of your CA.Typically, a root CA does not sign server or client certificates directly. The root CA is only ever used to create one or more intermediate CAs.These intermediate CAs are trusted by the root CA to sign certificates on their behalf. This is the best practice. It allows the root key to bekept offline and used to a minimal extent, as any compromise of the root key is disastrous.For more generic information on setting up your own Certificate Authority (CA), see https://jamielinux.com/docs/openssl-certificate-authority/index.html#The following figure illustrates a sample network topology in which a simple X.509v3 infrastructure is implemented:X.509v3 1139