External Certificate - ABB RTU500 series User Manual

Remote terminal unit
RTU500 series Remote Terminal Unit
7.3.2
The certificate contains HTTPS protocol specific information such as the public key and identity information. The identity information is set as follows.
• The identity information such as country, locality and organization name is predefined as ABB AG, Mannheim, Germany. These values cannot be changed.
• The common name of the identity is set to the configured IP address of the CMU Ethernet interface E1. The common name represents the host name (server name) the web client uses to access the Web server. If the configuration of the IP address changes, a new certificate is generated and stored in the internal flash (overwriting the existing one).
• In the subject alternative name the IP address of the Ethernet interface E1 and the USB interface are defined. This allows secure HTTPS access via USB as well.
• The serial number of the certificate is set to 1 for the first created certificate and increased every time a new certificate is generated due to a configuration change.
• The expiration date of the certificate is set to 1 January 2070.

External certificate

The RTU500 series supports the use of externally generated and signed public-key certificates for the encryption and secure identification of the Web server. These certificates can be uploaded to the RTU500 series via the Web server. When creating an end-entity certificate for the RTU500 series Web server the following points shall be considered:
• The generated end-entity server certificate shall be signed and issued by a trusted root or intermediate certificate. This avoids any warning messages in the Web client when accessing the RTU500 series Web server via HTTPS.
• For a correct end-entity Web server certificate the attribute "keyUsage" must contain at least the encryption values "keyEncipherment" and "dataEncipherment", and the attribute "extendedKeyUsage" must contain the server authentication value "serverAuth".
• The common name of the certificate identity must not be set to an IP address used in the RTU. It is sufficient to set the attribute "IP Address" in the subject alternative name to a used IP address. Depending on the policies in your organization, setting the attribute "DNS Name" might be necessary as well.
• To use the same certificate for several CMUs or RTUs, a list of IP addresses and DNS names can be defined in the subject alternative name.
• The generated certificate must contain the public/private key pair of the end-entity certificate and the whole certificate chain, including root and intermediate certificates.
• For upload, the generated certificate must be stored in PKCS#12 format with the file extension ".p12".
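The following script is an added example and not part of the ABB manual: it builds a test root CA, issues a Web server certificate with the keyUsage, extendedKeyUsage and subject alternative name attributes listed above (common name set to a DNS name, not an IP address), bundles key, certificate and chain into a .p12 file, and checks the bundle before upload. It requires the openssl command line tool; the organization name, IP addresses, DNS name and password are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the ABB manual): build a test root CA, issue a Web server
# certificate that meets the RTU500 external certificate rules, and package it as .p12.
# Requires the openssl CLI. All names, addresses and the password are constructed values.
set -eu
WORK="${WORK:-$(mktemp -d)}"
RTU_IP="${RTU_IP:-192.0.2.10}"            # constructed: CMU Ethernet interface E1
USB_IP="${USB_IP:-192.0.2.11}"            # constructed: USB interface address
RTU_DNS="${RTU_DNS:-rtu500.example.net}"  # CN must be a host name, never an IP
P12_PASS="${P12_PASS:-changeit}"          # constructed; use a real secret for production

make_rtu_cert() {
  cd "$WORK"
  # 1. Test root CA; in production the organisation's trusted CA signs the CSR instead.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/C=DE/O=Example Utility/CN=Example Root CA" \
    -keyout ca.key -out ca.csr >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -sha256 -extfile ca.ext -out ca.pem >/dev/null 2>&1
  # 2. Extension profile the manual requires for the end-entity Web server certificate
  printf 'keyUsage=critical,keyEncipherment,dataEncipherment\nextendedKeyUsage=serverAuth\n' > server.ext
  printf 'subjectAltName=IP:%s,IP:%s,DNS:%s\n' "$RTU_IP" "$USB_IP" "$RTU_DNS" >> server.ext
  # 3. End-entity key and CSR (CN is the DNS name), signed by the CA with that profile
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/C=DE/O=Example Utility/CN=$RTU_DNS" \
    -keyout server.key -out server.csr >/dev/null 2>&1
  openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial -days 825 -sha256 \
    -extfile server.ext -out server.pem >/dev/null 2>&1
  # 4. Private key + end-entity certificate + chain in one PKCS#12 file for the upload
  openssl pkcs12 -export -inkey server.key -in server.pem -certfile ca.pem -name rtu500-web \
    -passout "pass:$P12_PASS" -out rtu500.p12
  echo "$WORK/rtu500.p12"
}

# Pre-upload check: prints "ok" when the .p12 holds the chain and the server certificate
# carries the required keyUsage, extendedKeyUsage and subjectAltName, with a non-IP CN.
check_rtu_cert() {
  openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -nokeys -out "$WORK/bundle.pem" 2>/dev/null
  n=$(grep -c 'BEGIN CERTIFICATE' "$WORK/bundle.pem")   # end-entity + at least one issuer
  txt=$(openssl x509 -in "$WORK/bundle.pem" -noout -text)  # -in parses the first certificate only
  echo "$txt" | grep -q 'Key Encipherment, Data Encipherment' || { echo 'keyUsage incomplete'; return 1; }
  echo "$txt" | grep -q 'TLS Web Server Authentication'      || { echo 'serverAuth missing'; return 1; }
  echo "$txt" | grep -q "IP Address:$RTU_IP"                 || { echo 'SAN IP missing'; return 1; }
  echo "$txt" | grep -Eq 'Subject:.*CN *= *[0-9]+(\.[0-9]+){3}' && { echo 'CN is an IP address'; return 1; }
  [ "$n" -ge 2 ] || { echo "chain incomplete ($n certificate(s))"; return 1; }
  echo ok
}
```

Run `check_rtu_cert` against any externally produced .p12 as well (with `P12_PASS` set to its password) to catch a missing chain or a wrong key usage before the upload rather than after the first HTTPS connection fails.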
The upload of an externally generated certificate is done via the RTU500 series Web server. In the Web server menu the link "Certificate Management" is the entry point for the certificate upload. This link can be found under the menu item "Management" as shown in the figure below. Due to the sensitive information handled in the certificate upload, the following notice has to be considered.
The web pages of this functionality require secure HTTPS access. It is not possible to open the web pages with standard HTTP access.
ADVICE
Secure Web server access
Certificate handling
ABB AG - 1KGT 150 924 V000 1 | 7-5
