Comtrol DeviceMaster LT User Manual page 62


Key and Certificate Management
62 - DeviceMaster LT Security
All DeviceMaster LT units are shipped from the factory with identical
configurations. They all have the identical, self-signed, Comtrol Server RSA
Certificates, Server RSA Keys, Server DH Keys, and no Client Authentication
Certificates. Because these keys are the same on every unit, anyone who
extracts them from one unit can impersonate, or decrypt traffic to, any other
unit that is still running the factory defaults.

For maximum data and access security, you should configure all DeviceMaster
LT units with custom certificates and keys.

Key and Certificate Management Options

RSA Key pair used by SSL and SSH servers
    This is a private/public key pair that is used for two purposes:
    - It is used by the RSA key-exchange cipher suites to encrypt the session
      secret exchanged during SSL/TLS handshaking. Possession of the private
      portion of this key pair allows an eavesdropper to decrypt traffic on
      SSL/TLS connections that use RSA encryption during handshaking, including
      traffic that was recorded earlier, because these cipher suites provide
      no forward secrecy.
    - It is used to sign the Server RSA Certificate, so that a client which
      trusts that certificate can verify that the DeviceMaster holds the key
      the certificate names. Possession of the private portion of this key
      pair allows somebody to pose as the DeviceMaster.
    If the Server RSA Key is to be replaced, a corresponding RSA identity
    certificate must also be generated and uploaded, or clients are not able
    to verify the identity certificate. Because the same key pair also serves
    the SSH server, replacing it changes the SSH host key as well; SSH clients
    that cached the old host key will warn about the change.

RSA Server Certificate used by SSL servers
    This is the RSA identity certificate that the DeviceMaster uses during
    SSL/TLS handshaking to identify itself. It is used most frequently by SSL
    server code in the DeviceMaster when clients open connections to the
    DeviceMaster's secure web server or other secure TCP ports. If a
    DeviceMaster serial port configuration is set up to open (as a client) a
    TCP connection to another server device, the DeviceMaster also uses this
    certificate to identify itself as an SSL client if requested by the
    server.
    In order to function properly, this certificate must be signed using the
    Server RSA Key. This means that the server RSA certificate and server RSA
    key must be replaced as a pair. Before uploading, confirm that the public
    key embedded in the certificate is the public half of the key file you
    are uploading with it; a mismatched pair leaves clients unable to verify
    the DeviceMaster's identity.

DH Key pair used by SSL servers
    This is a private/public key pair that is used by the DH key-exchange
    cipher suites to establish the session secret during SSL/TLS handshaking.
    Note: This is a fixed key pair stored on the DeviceMaster, not one
          generated per connection, so possession of the private portion
          allows an eavesdropper to decrypt traffic on SSL/TLS connections
          that use DH encryption during handshaking, including recorded
          traffic.

Client Authentication Certificate used by SSL servers
    If configured with a CA certificate, the DeviceMaster requires all SSL/TLS
    clients to present an RSA identity certificate that has been signed by
    the configured CA certificate. As shipped, the DeviceMaster is not
    configured with a CA certificate and all SSL/TLS clients are allowed. Only
    the CA certificate needs to be on the DeviceMaster; the CA private key
    that signs client certificates should stay off the device.
    See Client Authentication on Page 54 for more detailed information.

DeviceMaster LT User Guide: 2000586 Rev. B
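The following script is an added example, not Comtrol's own procedure or tooling: it uses the openssl command line to produce every artifact in the table above (a Server RSA Key with its self-signed Server RSA Certificate, a static DH key pair, and a client-authentication CA with one client certificate signed by it) and then checks the two properties the table depends on: that the certificate and key are a matching pair, and that a client certificate is accepted only when it chains to the configured CA. File names, subject names, key sizes and the embedded openssl.cnf are this script's own choices; the DeviceMaster's upload format is not assumed.

```shell
#!/bin/sh
# Added example (not part of the DeviceMaster LT manual): generate a
# replacement key/certificate set and verify it before uploading.
set -eu

# Minimal openssl config, written into the output directory, so the result
# does not depend on whatever openssl.cnf the build host ships with.
write_openssl_config() {
    cat >"$1/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Server RSA Key + Server RSA Certificate, generated in one step so the
# certificate is signed by the very key it carries: the pair that must be
# replaced together. Subject name is a placeholder.
gen_server_pair() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$1/openssl.cnf" -extensions v3_server \
        -subj "/CN=devicemaster-lt.example" \
        -keyout "$1/server.key" -out "$1/server.crt"
}

# DH Key pair: safe-prime parameters (slow to generate; openssl's faster
# -dsaparam output is only intended for ephemeral keys, and this key pair is
# static) plus a private value drawn from them.
gen_dh_pair() {
    bits="${2:-2048}"
    openssl dhparam -out "$1/dh.pem" "$bits"
    openssl genpkey -paramfile "$1/dh.pem" -out "$1/dh.key"
}

# Client Authentication CA and one client certificate signed by it. Only
# ca.crt goes onto the DeviceMaster; ca.key stays with the administrator.
gen_client_ca_and_cert() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$1/openssl.cnf" -extensions v3_ca \
        -subj "/CN=DeviceMaster client CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$1/openssl.cnf" -subj "/CN=scada-host-01" \
        -keyout "$1/client.key" -out "$1/client.csr"
    openssl x509 -req -in "$1/client.csr" -days 365 -sha256 \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/openssl.cnf" -extensions v3_client \
        -out "$1/client.crt"
}

# Succeeds only when the certificate ($2) carries exactly the public half of
# the private key ($1): the "replace as a pair" check.
key_matches_cert() {
    pub_from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    pub_from_cert=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    if [ -n "$pub_from_key" ] && [ "$pub_from_key" = "$pub_from_cert" ]; then
        return 0
    fi
    return 1
}

# Succeeds only when the client certificate ($2) chains to the CA
# certificate ($1) that the DeviceMaster would be configured with.
client_cert_accepted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Usage: sh dm_pki.sh <output-dir>
if [ $# -gt 0 ]; then
    mkdir -p "$1"
    write_openssl_config "$1"
    gen_server_pair "$1"
    gen_dh_pair "$1"
    gen_client_ca_and_cert "$1"
    key_matches_cert "$1/server.key" "$1/server.crt"
    client_cert_accepted "$1/ca.crt" "$1/client.crt"
    echo "upload: server.key + server.crt, dh.key, ca.crt; keep client.key + client.crt on the client"
fi
```

After uploading, the same checks can be run against the live unit: fetch the certificate the DeviceMaster presents with `openssl s_client -connect <device>:443 </dev/null | openssl x509 -fingerprint -sha256 -noout` and compare it with `openssl x509 -in server.crt -fingerprint -sha256 -noout`; if the fingerprints differ, the unit is still presenting the factory-shared certificate.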