Certificate And Key Requirements - Siemens RUGGEDCOM ROS v4.3 User Manual

RUGGEDCOM ROS
User Guide
NOTE
SSH is not supported in Non-Controlled (NC) versions of RUGGEDCOM ROS.
NOTE
Network exposure to a ROS unit operating with the default keys, although always only temporary
by design, should be avoided. The best way to reduce or eliminate this exposure is to provision user-
created certificate and keys as quickly as possible, and preferably before the unit is placed in network
service.
• Default
A default certificate and SSL/SSH keys are built in to RUGGEDCOM ROS and are common across all RUGGEDCOM
ROS units sharing the same firmware image. In the event that valid SSL certificate or SSL/SSH key files are not
available on the device (as is usually only the case when upgrading from an old ROS version that does not
support user-configurable keys and therefore does was not shipped with unique, factory-generated keys), the
default certificate and keys are put into service *temporarily* so that SSH and SSL (https) sessions can be served
until generated or provisioned keys are available.
• Auto-Generated
If a default SSL certificate and SSL/SSH keys are in use, RUGGEDCOM ROS immediately begins to generate a
unique certificate and SSL/SSH keys for the device in the background. This process may take several minutes to
complete depending on the requested key length and how busy the device is at the time. If a custom certificate
and keys are loaded while auto-generated certificates and keys are being generated, the generator will abort
and the custom certificate and keys and will be used.
• User-Generated (Recommended)
Custom certificates and keys are the most secure option. They give the user complete control over certificate
and key management, allow for the provision of certificates signed by a public or local certificate authority,
enable strictly controlled access to private keys, and allow authoritative distribution of SSL certificates, any CA
certificates, and public SSH keys.
NOTE
The RSA key pair corresponding to the SSL certificate must be appended to the certificate in the
ssl.crt file.
Section 1.9.2

Certificate and Key Requirements

For SSL, controlled versions of RUGGEDCOM ROS require an X.509 certificate in standard PEM format and an RSA
or ECC key pair. The certificate may be self-signed or signed by a separate authority. The RSA key must be 1024,
2048 or 3072 bits in length; the ECC key must be 192, 224, 256, 384 or 521 bits in length.
Non-Controlled (NC) versions of RUGGEDCOM ROS require an X.509 certificate in standard PEM format and an RSA
key pair. The RSA key must be between 512 and 2048 bits in length.
The certificate and keys must be combined in a single ssl.crt file and uploaded to the device.
The following is an example of a combined SSL certificate and key:
-----BEGIN CERTIFICATE-----
MIIC9jCCAl+gAwIBAgIJAJh6rrehMt3iMA0GCSqGSIb3DQEBBQUAMIGuMQswCQYD
VQQGEwJDQTEQMA4GA1UECBMHT250YXJpbzEQMA4GA1UEBxMHQ29uY29yZDESMBAG
A1UEChMJUnVnZ2VkY29tMRkwFwYDVQQLExBDdXN0b21lciBTdXBwb3J0MSYwJAYD
VQQDEx1XUy1NSUxBTkdPVkFOLlJVR0dFRENPTS5MT0NBTDEkMCIGCSqGSIb3DQEJ
ARYVc3VwcG9ydEBydWdnZWRjb20uY29tMB4XDTEyMTAyMzIxMTA1M1oXDTE3MTAy
Certificate and Key Requirements
Chapter 1
Introduction
27