Comtrol DeviceMaster EtherNet/IP-Modbus EIP-MOD User Manual page 66

Key and Certificate Management Page
RSA Key pair used by SSL and SSH servers
RSA Server Certificate used by SSL servers
DH Key pair used by SSL servers
Use the following steps to update security keys and certificates in the DeviceMaster EIP-MOD.
1. Click the Network | Keys/Cert menu.
2. Click Browse to locate the key or certificate file, highlight the file, and click Open.
3. Click Upload when you return to the Key and Certificate Management page.
The key or certificate notation changes from factory or none to User when the DeviceMaster EIP-MOD is
secure.
Note: You do not need to click Save, but changes will not take effect until the DeviceMaster EIP-MOD is
rebooted.
66 - Chapter 6. Network Menus
RSA Key pair used by SSL and SSH servers

This is a private/public key pair that is used for two purposes:
- It is used by some cipher suites to encrypt the SSL/TLS handshaking messages. Possession of the private portion of this key pair allows an eavesdropper to decrypt traffic on SSL/TLS connections that use RSA encryption during handshaking.
- It is used to sign the Server RSA Certificate in order to verify that the DeviceMaster EIP-MOD is authorized to use the server RSA identity certificate.
Note: Possession of the private portion of this key pair allows somebody to pose as the DeviceMaster EIP-MOD.
If the Server RSA Key is to be replaced, a corresponding RSA identity certificate must also be generated and uploaded, or clients will not be able to verify the identity certificate.

RSA Server Certificate used by SSL servers

This is the RSA identity certificate that the DeviceMaster EIP-MOD uses during SSL/TLS handshaking to identify itself. It is used most frequently by SSL server code in the DeviceMaster EIP-MOD when clients open connections to the DeviceMaster EIP-MOD's secure web server or other secure TCP ports.
If a DeviceMaster EIP-MOD serial port configuration is set up to open (as a client) a TCP connection to another server device, the DeviceMaster EIP-MOD also uses this certificate to identify itself as an SSL client if requested by the server.
In order to function properly, this certificate must be signed using the Server RSA Key. This means that the server RSA certificate and server RSA key must be replaced as a pair.

DH Key pair used by SSL servers

This is a private/public key pair that is used by some cipher suites to encrypt the SSL/TLS handshaking messages.
Note: Possession of the private portion of the key pair allows an eavesdropper to decrypt traffic on SSL/TLS connections that use DH encryption during handshaking.
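
The manual requires the Server RSA Key and the RSA identity certificate to be replaced as a pair. The following added example (not from the Comtrol manual) uses the OpenSSL command line to generate such a pair on a workstation and to check that a key file and a certificate file belong together before either is uploaded. The PEM format, 2048-bit key size, 365-day validity, subject name and file names are assumptions, since this page does not state what the device accepts.

```shell
#!/bin/sh
# Added example, not from the manual. Assumed values: PEM files, 2048-bit
# RSA, 365-day self-signed certificate, subject "devicemaster.example".

# make_pair KEY CERT
# Create a new RSA private key (readable only by the owner) and an identity
# certificate signed with that same key.
make_pair() {
    (umask 077 && openssl genrsa -out "$1" 2048 2>/dev/null) &&
    openssl req -new -x509 -key "$1" -out "$2" -days 365 \
        -subj "/CN=devicemaster.example" 2>/dev/null
}

# pair_matches KEY CERT
# Returns 0 only if the certificate carries the public half of the private
# key. Returns 2 if either file cannot be parsed, 1 on a mismatch.
pair_matches() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# demo: build two independent pairs in a scratch directory and show that a
# certificate is accepted only with its own key.
demo() {
    dir=$(mktemp -d) || return 1
    make_pair "$dir/new.key" "$dir/new.crt" &&
    make_pair "$dir/other.key" "$dir/other.crt" || return 1
    pair_matches "$dir/new.key" "$dir/new.crt" &&
        echo "new.key + new.crt: match, upload both"
    pair_matches "$dir/other.key" "$dir/new.crt" ||
        echo "other.key + new.crt: MISMATCH, do not upload"
    rm -rf "$dir"   # the private keys in the scratch directory are discarded
}

demo
```

Because possession of the private key lets someone pose as the device, keep the key file on the workstation only as long as the upload requires.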
DeviceMaster EIP-MOD User Guide: 2000664 Rev. A
