VeriFone P200 Reference Manual page 42

FILE AUTHENTICATION
Planning for File Authentication
P200/P400 REFERENCE GUIDE
Hierarchical Relationships Between Certificates
All digital certificates are hierarchically related to one another. Under the rules of
the certificate hierarchy managed by the Verifone CA, a lower-level certificate
must always be authenticated under the authority of a higher-level certificate. This
rule ensures the overall security of VeriShield Retain.
To manage hierarchical relationships between certificates, certificate data is
stored in PINpad memory in a special structure called a certificate tree. New
certificates are authenticated based on data stored in the current certificate tree.
This means that a new certificate can only be authenticated under a higher-level
certificate already resident in the PINpad's certificate tree. This requirement can
be met in two ways:
• The higher-level certificate may have already been downloaded to the PINpad
  in a previous or separate operation.
• The higher-level certificate can be downloaded together with the new
  certificate as part of the same data transfer operation.
A higher-level production certificate is downloaded into each PINpad at
manufacture. When you take a new device out of its shipping packaging,
certificate data is already stored in the PINpad's certificate tree.
Typically, a sponsor requests an additional set of digital certificates from the
Verifone CA to establish sponsor and signer privileges. This additional set of
certificates is then downloaded to the PINpad when the device is being prepared
for deployment. When this procedure is complete, the device is called a
deployment device.
Adding New Certificates
When you add a new certificate file to a PINpad, the system detects it by filename
extension (*.crt). The device then attempts to authenticate the certificate under
the authority of the resident higher-level certificate stored in the PINpad's
certificate tree or one being downloaded with the new certificate.
In a batch download containing multiple certificates, each lower-level certificate
must be authenticated under an already-authenticated, higher-level certificate.
Whether or not the data a new certificate contains is added to the PINpad's
certificate tree depends on its successful authentication. The following points
explain how certificates are processed:
• If a new certificate is successfully authenticated, the information it contains is
  automatically stored in the PINpad's certificate tree. The corresponding
  certificate file (*.crt) is not retained.
• If the relationship between the new certificate and an existing higher-level
  certificate cannot be verified, the authentication procedure for the new
  certificate fails. In this case, the certificate information is not added to the
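
The batch rule and the two outcomes described above, modelled as an added example (not code from the Verifone manual or firmware). Toy RSA over constructed keys stands in for real certificate signatures; the certificate names, the dictionary layout, and the choice to retry the batch until no certificate makes progress are assumptions made for illustration.

```python
import hashlib

E = 65537  # public exponent for every constructed toy key

def digest(name, subject_n, modulus):
    h = hashlib.sha256(f"{name}|{subject_n}".encode()).digest()
    return int.from_bytes(h, "big") % modulus

def make_key(p, q):  # toy RSA key from two primes: (public modulus, private exponent)
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def issue(name, subject_n, issuer, issuer_n, issuer_d):
    """Constructed certificate: subject key signed with the issuer's private key."""
    sig = pow(digest(name, subject_n, issuer_n), issuer_d, issuer_n)
    return {"name": name, "n": subject_n, "issuer": issuer, "sig": sig}

def process_batch(tree, batch):
    """tree maps authenticated certificate name -> public modulus."""
    pending, added, rejected = list(batch), [], []
    progress = True
    while pending and progress:
        progress = False
        for cert in list(pending):
            issuer_n = tree.get(cert["issuer"])
            if issuer_n is None:
                continue  # issuer not authenticated yet; retry on the next pass
            pending.remove(cert)
            progress = True
            if pow(cert["sig"], E, issuer_n) == digest(cert["name"], cert["n"], issuer_n):
                tree[cert["name"]] = cert["n"]  # data enters the tree; file not kept
                added.append(cert["name"])
            else:
                rejected.append(cert["name"])   # signature does not verify
    rejected += [c["name"] for c in pending]    # no authenticated issuer appeared
    return added, rejected

def demo():
    root_n, root_d = make_key(2**89 - 1, 2**107 - 1)   # Mersenne primes, toy sizes
    spon_n, spon_d = make_key(2**61 - 1, 2**127 - 1)
    sign_n, _ = make_key(2**19 - 1, 2**31 - 1)
    rogue_n, rogue_d = make_key(2**13 - 1, 2**17 - 1)
    tree = {"root": root_n}  # higher-level certificate already resident in the tree
    batch = [  # constructed batch; the child is listed before its parent
        issue("signer", sign_n, "sponsor", spon_n, spon_d),
        issue("sponsor", spon_n, "root", root_n, root_d),
        issue("forged", sign_n, "root", rogue_n, rogue_d),     # wrong signing key
        issue("orphan", sign_n, "unknown", rogue_n, rogue_d),  # issuer never present
    ]
    return process_batch(tree, batch), sorted(tree)
```

Calling `demo()` shows the sponsor certificate authenticating under the resident root, the signer certificate authenticating only after the sponsor has, and the forged and orphan certificates staying out of the tree.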

This manual is also suitable for: P400, P200 plus, P400 plus