Appendix E Certificate Requirements
Dominion User Station requests and verifies server certificates for its
TLS connections if the corresponding options are set. In FIPS-mode
certificate verification is always enabled. The following protocols
potentially verify the server's certificate:
• RDMP: the KX status protocol, TLS via OpenSSL
• RFB: the KX KVM redirection protocol, TLS via JSSE and NSS (in FIPS-mode)
• LDAPS: secure LDAP, TLS via OpenSSL
• CC-SG: TLS via JSSE and NSS (FIPS mode)
Dominion User Station has certain requirements for an X.509 Version 3
Certificate, specifically with respect to the contained extensions and
their values.
Required Extensions
X.509 Version 3 Certificates allow you to embed additional information in
the form of extensions. For more detailed information see RFC 5280. The
following certificate extensions shall be present:
• Authority Key Identifier (RFC 5280 4.2.1.1)
• Subject Key Identifier (RFC 5280 4.2.1.2)
• Basic Constraints (RFC 5280 4.2.1.9)
  CA: false
• Key Usage (RFC 5280 4.2.1.3): critical
  Digital Signature
  Key Encipherment
  Key Agreement
• Extended Key Usage (RFC 5280 4.2.1.12)
  TLS Web Server Authentication
  TLS Web Client Authentication
Hostname Verification
With version 2.0.0, Dominion User Station introduces hostname
verification when checking certificates. The following requirements must
be met to pass the verification:
• The Common Name of the certificate must be a fully qualified host
  name (including domain)
• It is also possible to use a descriptive name as Common Name and add
  the fully qualified host name to the SAN (Subject Alternative Names)
  section. This is supported on KX 3.5 or newer.
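The following script is an added example and not part of the Raritan manual or any Raritan software. It serves both the Required Extensions list and the Hostname Verification section above: it writes an OpenSSL request configuration that produces exactly the listed extensions, generates one test certificate for each of the two Common Name variants, and then checks an arbitrary PEM certificate against the extension list and against a host name. It assumes an openssl binary (1.1.1 or 3.x) on the PATH; the host names, file names, the v3_kvm section name and the helper function names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the Raritan manual): create test server
# certificates that carry the extensions listed in this appendix, and check a
# PEM certificate against that list and against a host name with openssl(1).
# Assumes an openssl binary (1.1.1 or 3.x) on PATH; all host names, file names
# and config section names are constructed for the demo.
set -e

WORK=$(mktemp -d)
CONF="$WORK/kvm.cnf"

# Request config. CN and SAN host name come from environment variables so
# both variants from the Hostname Verification section can be produced.
cat > "$CONF" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no

[ dn ]
CN = $ENV::KVM_CN

[ v3_kvm ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage       = serverAuth, clientAuth
subjectAltName         = DNS:$ENV::KVM_FQDN
EOF

# gen_test_cert OUTFILE COMMON_NAME FQDN
# Self-signed EC certificate whose extensions come only from [ v3_kvm ].
gen_test_cert() {
    KVM_CN="$2" KVM_FQDN="$3" openssl req -x509 -newkey ec \
        -pkeyopt ec_paramgen_curve:P-256 -nodes -keyout "$WORK/key.pem" \
        -out "$1" -days 30 -config "$CONF" -extensions v3_kvm >/dev/null 2>&1
}

# check_extensions FILE
# Returns 0 when every required extension and value from the appendix shows
# up in the text dump, otherwise lists what is missing and returns 1.
check_extensions() {
    dump=$(openssl x509 -in "$1" -noout -text)
    missing=""
    for needle in \
        "X509v3 Authority Key Identifier" \
        "X509v3 Subject Key Identifier" \
        "X509v3 Basic Constraints" "CA:FALSE" \
        "X509v3 Key Usage: critical" \
        "Digital Signature" "Key Encipherment" "Key Agreement" \
        "X509v3 Extended Key Usage" \
        "TLS Web Server Authentication" "TLS Web Client Authentication"
    do
        printf '%s\n' "$dump" | grep -qF "$needle" || missing="$missing [$needle]"
    done
    if [ -n "$missing" ]; then
        echo "$1 is missing:$missing" >&2
        return 1
    fi
}

# check_hostname FILE FQDN
# Returns 0 when openssl accepts FQDN for the certificate. openssl matches
# SAN dNSName entries when present and falls back to the CN otherwise.
check_hostname() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Variant 1: FQDN as Common Name (also repeated in the SAN).
gen_test_cert "$WORK/fqdn-cn.pem" kx-switch-01.example.test kx-switch-01.example.test
# Variant 2: descriptive Common Name, FQDN only in the SAN (KX 3.5 or newer).
gen_test_cert "$WORK/desc-cn.pem" "Lab KX switch" kx-switch-01.example.test

for f in "$WORK/fqdn-cn.pem" "$WORK/desc-cn.pem"; do
    check_extensions "$f" && check_hostname "$f" kx-switch-01.example.test \
        && echo "$(basename "$f"): extensions and host name OK"
done
```

To audit a certificate already installed on a KX device, export it as PEM and call check_extensions and check_hostname on that file with the host name the User Station will use to connect; a missing "X509v3 Key Usage: critical" line or a Common Name that is not a fully qualified host name (without a SAN entry) are the two findings this check surfaces most often.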