Comtrol DeviceMaster LT User Manual page 55

DeviceMaster LT User Guide: 2000586 Rev. B
Configuring Certificates and Keys

Certificates and keys are configured by four uploaded files in the
Key and Certificate Management portion at the bottom of the Edit Security
Configuration web page:
- RSA Key Pair used by SSL and SSH servers
This is a private/public key pair that is used for two purposes:
• It is used by some cipher suites to encrypt the SSL/TLS handshaking
messages. Possession of the private portion of this key pair allows an
eavesdropper to decrypt traffic on SSL/TLS connections that use
RSA encryption during handshaking.
• It is used to sign the Server RSA Certificate in order to verify that the
DeviceMaster LT is authorized to use the server RSA identity
certificate. Possession of the private portion of this key pair allows
somebody to pose as the DeviceMaster LT.
If the Server RSA Key is replaced, a corresponding RSA server certificate
must also be generated and uploaded as a matched set or clients are not
able to verify the identity certificate.
- RSA Server Certificate used by SSL servers
• This is the RSA identity certificate that the DeviceMaster LT uses
during SSL/TLS handshaking to identify itself. It is used most
frequently by SSL server code in the DeviceMaster LT when clients
open connections to the DeviceMaster LT's secure web server or other
secure TCP ports. If a DeviceMaster LT serial port configuration is set
up to open (as a client) a TCP connection to another server device, the
DeviceMaster LT also uses this certificate to identify itself as an SSL
client if requested by the server.
• In order to function properly, this certificate must be signed using the
Server RSA Key. This means that the server RSA certificate and server
RSA key must be replaced as a pair.
- DH Key pair used by SSL servers
This is a private/public key pair that is used by some cipher suites to
encrypt the SSL/TLS handshaking messages.
Possession of the private portion of the key pair allows an eavesdropper to
decrypt traffic on SSL/TLS connections that use DH encryption during
handshaking.
- Client Authentication Certificate used by SSL servers
If configured with a CA certificate, the DeviceMaster LT requires all
SSL/TLS clients to present an RSA identity certificate that has been signed by
the configured CA certificate. As shipped, the DeviceMaster LT is not
configured with a CA certificate and all SSL/TLS clients are allowed.
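
The matched-set requirement for the Server RSA Key and RSA Server Certificate can be checked before the files are uploaded. The following is an added example, not part of the Comtrol manual: it uses the OpenSSL command line to create a key and a certificate signed with it, then confirms that a certificate carries the public half of a given key. The key size, validity period, subject name and file names are assumptions; this page does not state them.

```shell
#!/bin/sh
# Added example (not from the manual). Assumptions: 2048-bit key, 365-day
# validity, the subject name, and all file names are illustrative only.

# make_pair <key-out> <cert-out>: create an RSA key and a certificate
# signed with that same key, so the two files form a matched set.
make_pair() {
    (
        umask 077   # the private key must not be readable by other users
        openssl genrsa -out "$1" 2048 2>/dev/null &&
        openssl req -new -x509 -key "$1" -out "$2" -days 365 \
            -subj "/CN=devicemaster.example" 2>/dev/null
    )
}

# pair_matches <key> <cert>: status 0 if the certificate carries the public
# half of the key, 1 if it does not, 2 if either file cannot be parsed.
pair_matches() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$cert_pub" ]
}

# Demonstration on freshly generated (constructed) files.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
make_pair "$tmp/server.key" "$tmp/server.crt"
make_pair "$tmp/other.key" "$tmp/other.crt"

if pair_matches "$tmp/server.key" "$tmp/server.crt"; then
    echo "server.key + server.crt: matched set, upload both together"
fi
if ! pair_matches "$tmp/other.key" "$tmp/server.crt"; then
    echo "other.key + server.crt: mismatch, clients could not verify the certificate"
fi
```

Because the private key is what lets someone pose as the device or decrypt RSA-handshake traffic, generate it on a trusted workstation and delete local copies once the upload is confirmed.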