Authenticity And Encryption - Basler BE1-11g Instruction Manual

9424200994 Rev U 347

Authenticity and Encryption

The BE1-11g supports authentication and encryption of communications with BESTCOMSPlus. This is
done using the Transport Layer Security protocol, version 1.2 (TLS 1.2). To enable this mode, an X.509
certificate and private key must be uploaded to the BE1-11g.
In TLS 1.2, a certificate is used to verify the authenticity of the server (BE1-11g). The supported certificate
formats are Standard PEM, DER/Binary, and PFX (PKCS#12). The BE1-11g supports RSA encryption up
to 8192 bit keys. The recommended key length is 2048 as longer keys will slow the initial connection.
DER and PEM formats commonly have the private key stored in a separate file. If this is the case, you will
be asked for an additional file containing the key. If a password is required for the key, you will also need
to enter it into the form. It is recommended that certificates be uploaded over a trusted connection or
through the USB port.
Generate a Certificate
BESTCOMSPlus is used to generate a self-signed X.509 certificate for use in identifying a connected
device. In order for the certificate to work, the common name must match the domain name or the IP
address of the device. Alternate names can be used if multiple domain names match the device. The
valid dates specify how long the certificate may be used. A new certificate should be issued after one
expires.
To generate a certificate, click on the Tools drop-down menu in BESTCOMSPlus and select Generate
Certificate. Fill in all applicable fields. A password is optional. Click Save to generate a .pfx file which is
the certificate and the private key required to upload to the BE1-11g.
Self-signed certificates can be less secure than using a Certificate Authority to sign the certificate for the
device. It will allow encryption from end to end. Use caution when choosing this method. Distribution of
the generated file compromises security.
BE1-11g Security