Appendix E Certificate Requirements - Raritan Dominion KX III User Manual

Appendix E Certificate Requirements

Dominion User Station requests and verifies server certificates for its
TLS connections if the corresponding options are set. In FIPS mode,
certificate verification is always enabled. The following protocols
potentially verify the server's certificate:

- RDMP: the KX status protocol, TLS via OpenSSL
- RFB: the KX KVM redirection protocol, TLS via JSSE and NSS (in FIPS mode)
- LDAPS: secure LDAP, TLS via OpenSSL
- CC-SG: TLS via JSSE and NSS (FIPS mode)

Dominion User Station has certain requirements for an X.509 Version 3
certificate, specifically with respect to the contained extensions and
their values.

Required Extensions

X.509 Version 3 certificates allow you to embed additional information in
the form of extensions. For more detailed information, see RFC 5280. The
following certificate extensions shall be present:

- Authority Key Identifier (RFC 5280 4.2.1.1)
- Subject Key Identifier (RFC 5280 4.2.1.2)
- Basic Constraints (RFC 5280 4.2.1.9)
  - CA: false
- Key Usage (RFC 5280 4.2.1.3): critical
  - Digital Signature
  - Key Encipherment
  - Key Agreement
- Extended Key Usage (RFC 5280 4.2.1.12)
  - TLS Web Server Authentication
  - TLS Web Client Authentication

Hostname Verification

With version 2.0.0, Dominion User Station introduces hostname
verification when checking certificates. The following requirements must
be met to pass the verification:

- The Common Name of the certificate must be a fully qualified host
  name (including domain).
  - It is also possible to use a descriptive name as Common Name
    and add the fully qualified host name to the SAN (Subject
    Alternative Names) section. This is supported on KX 3.5 or
    newer.
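
A pre-deployment check for the extension and hostname requirements listed above, added here as an example (it is not Raritan's code). It assumes the third-party Python `cryptography` package; the function name `check_certificate`, its `san_supported` flag (standing for "KX 3.5 or newer") and the exact, case-insensitive name comparison are choices of this example, not the User Station's documented matching logic.

```python
from cryptography import x509
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

def check_certificate(pem, hostname, san_supported=True):
    """Return the Appendix E requirements the certificate fails ([] = pass).

    san_supported is this example's flag for "target is KX 3.5 or newer".
    """
    cert = x509.load_pem_x509_certificate(pem)

    def ext(cls):
        try:
            return cert.extensions.get_extension_for_class(cls)
        except x509.ExtensionNotFound:
            return None

    problems = []
    for cls in (x509.AuthorityKeyIdentifier, x509.SubjectKeyIdentifier):
        if ext(cls) is None:
            problems.append(f"{cls.__name__}: extension missing")
    bc = ext(x509.BasicConstraints)
    if bc is None or bc.value.ca:
        problems.append("BasicConstraints: must be present with CA: false")
    ku = ext(x509.KeyUsage)
    if ku is None or not (ku.critical and ku.value.digital_signature
                          and ku.value.key_encipherment and ku.value.key_agreement):
        problems.append("KeyUsage: must be critical with Digital Signature, "
                        "Key Encipherment and Key Agreement")
    eku = ext(x509.ExtendedKeyUsage)
    wanted = {ExtendedKeyUsageOID.SERVER_AUTH, ExtendedKeyUsageOID.CLIENT_AUTH}
    if eku is None or not wanted <= set(eku.value):
        problems.append("ExtendedKeyUsage: needs TLS server and client authentication")
    # Hostname rule: CN is the FQDN, or the FQDN is listed in the SAN.
    # Exact, case-insensitive comparison is an assumption of this example.
    name = hostname.lower()
    cns = [a.value.lower() for a in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    san = ext(x509.SubjectAlternativeName)
    sans = [d.lower() for d in san.value.get_values_for_type(x509.DNSName)] if san else []
    if "." not in name:
        problems.append("Hostname: not fully qualified (no domain part)")
    elif name not in cns and not (san_supported and name in sans):
        problems.append("Hostname: not matched by Common Name or usable SAN entry")
    return problems

if __name__ == "__main__":
    import sys  # usage: python check_cert.py server.pem kx.example.com
    with open(sys.argv[1], "rb") as fh:
        print("\n".join(check_certificate(fh.read(), sys.argv[2])) or "OK")
```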