Client Authentication - Comtrol DeviceMaster PNIO 2000 Series User Manual


Network Menu

Key and Certificate Management                 Description

RSA Server Certificate used by SSL servers
    This is the RSA identity certificate that the DeviceMaster uses during SSL/TLS
    handshaking to identify itself. It is used most frequently by the SSL server
    code in the DeviceMaster when clients open connections to the DeviceMaster's
    secure web server or other secure TCP ports. If a DeviceMaster serial port
    configuration is set up to open (as a client) a TCP connection to another
    server device, the DeviceMaster also uses this certificate to identify itself
    as an SSL client if requested by the server.
    In order to function properly, this certificate must be signed using the
    Server RSA Key. This means that the server RSA certificate and server RSA key
    must be replaced as a pair.

DH Key pair used by SSL servers
    This is a private/public key pair that is used by some cipher suites to
    encrypt the SSL/TLS handshaking messages.
    Note: Possession of the private portion of the key pair allows an
    eavesdropper to decrypt traffic on SSL/TLS connections that use DH
    encryption during handshaking.

Client Authentication Certificate used by SSL servers
    If configured with a CA certificate, the DeviceMaster requires all SSL/TLS
    clients to present an RSA identity certificate that has been signed by the
    configured CA certificate. As shipped, the DeviceMaster is not configured
    with a CA certificate and all SSL/TLS clients are allowed.
    See Client Authentication for more detailed information.

Client Authentication

Note: All DeviceMaster units are shipped from the factory with identical
configurations. They all have the identical, self-signed Comtrol Server RSA
Certificates, Server RSA Keys, Server DH Keys, and no Client Authentication
Certificates. For maximum data and access security, you should configure all
DeviceMaster units with custom certificates and keys.

If desired, controlled access to SSL/TLS protected features can be configured by
uploading a client authentication certificate to the DeviceMaster. By default, the
DeviceMaster is shipped without a CA (Certificate Authority) certificate and
therefore allows connections from any SSL/TLS client.

If a CA certificate is uploaded, the DeviceMaster only allows SSL/TLS connections
from client applications that present to the DeviceMaster an identity certificate
signed by the CA certificate that was uploaded. This uploaded CA certificate, used
to validate a client's identity, is sometimes referred to as a trusted root
certificate, a trusted authority certificate, or a trusted CA certificate. It might
be the certificate of a trusted commercial certificate authority, or it may be a
privately generated certificate that an organization creates internally to control
access to resources protected by the SSL/TLS protocols.

To control access to the DeviceMaster's SSL/TLS protected resources, you should
create your own custom CA certificate and then configure authorized client
applications with identity certificates signed by the custom CA certificate.
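The set-up this section describes (a private CA, client identity certificates signed by it, and a server certificate and key that must be replaced as a pair) can be rehearsed offline before anything is uploaded to a unit. The script below is an added example written for this page, not Comtrol's tooling or a DeviceMaster feature; it assumes the OpenSSL command-line tool is installed, and every common name and file name in it is constructed for the demonstration. `keys_match` checks that a certificate's public key corresponds to a private key, which is the pairing rule the RSA Server Certificate entry imposes, and `client_trusted` reproduces the acceptance rule stated above: once a CA certificate is the trust anchor, only identity certificates that chain to it verify, and a certificate from any other issuer is rejected.

```shell
#!/bin/sh
# Added example (not Comtrol's code): rehearse the certificate set-up described
# above with the OpenSSL command-line tool. All names and files are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Create a self-signed CA: $1 is the file prefix, $2 the CA's common name.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$1-key.pem" -out "$1.pem" -subj "/CN=$2" >/dev/null 2>&1
}

# Issue an identity certificate: $1 file prefix, $2 common name, $3 CA prefix.
# The private key stays with the holder; only the CSR goes to the CA.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1-key.pem" \
    -out "$1.csr" -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3-key.pem" \
    -CAcreateserial -days 365 -out "$1.pem" >/dev/null 2>&1
}

# Pair check: the public key embedded in certificate $1 must equal the public
# key derived from private key $2. Compares SHA-256 digests of the DER encodings
# and succeeds (exit 0) only when they match.
keys_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Access check: does client certificate $2 chain to trust anchor $1?
client_trusted() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed PKI: our private CA, the unit's server pair, one authorized
# client, and one client whose certificate was signed by an unrelated CA.
make_ca ca "Example Private CA"
make_ca other-ca "Unrelated CA"
issue_cert server "devicemaster.example" ca
issue_cert client "authorized-client" ca
issue_cert rogue "unknown-client" other-ca

# Print each check as yes/no so the four outcomes can be read side by side.
report() {
  label=$1; shift
  if "$@"; then echo "yes: $label"; else echo "no:  $label"; fi
}
report "server cert belongs to server key"        keys_match server.pem server-key.pem
report "server cert belongs to client key"        keys_match server.pem client-key.pem
report "client cert accepted with our CA loaded"  client_trusted ca.pem client.pem
report "rogue cert accepted with our CA loaded"   client_trusted ca.pem rogue.pem
```

Running it prints yes, no, yes, no. The first pair of lines is the test to run on a new server certificate and key before uploading them together; the second pair shows why the uploaded CA certificate, not the individual client certificates, is what controls access: any certificate the CA never signed fails verification, however valid it is on its own.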
DeviceMaster PNIO | UP User Guide: 2000639 Rev. A
