Server Authentication; Client Authentication; Certificates And Keys - Pepperl+Fuchs ICDM-RX/TCP-DB9/RJ45-PM Installation And Configuration Manual

ICDM-RX/TCP Installation and Configuration Guide

Each party (client and server) can present an ID certificate to the other. Each ID certificate is signed by another authority certificate or key. Each party can then verify the validity of the other's ID certificate by verifying that it was signed by a trusted authority. This verification requires that each party have access to the certificate/key that was used to sign the other party's ID certificate.
6.3.6.1. Server Authentication

Server Authentication is the mechanism by which the ICDM-RX/TCP proves its identity.

The ICDM-RX/TCP (generally an SSL server) can be configured by uploading an ID certificate that is to be presented to clients when they connect to the ICDM-RX/TCP. The private key used to sign the certificate must also be uploaded to the ICDM-RX/TCP.

Note: Possession of that private key will allow eavesdroppers to decrypt all traffic to and from the ICDM-RX/TCP. The corresponding public key can be used to verify the ID certificate but not to decrypt traffic.

All ICDM-RX/TCP units are shipped from the factory with identical self-signed ID certificates and private keys. This means that somebody could (with a little effort) extract the factory default private key from the ICDM-RX/TCP firmware and use that private key to eavesdrop on traffic to/from any other ICDM-RX/TCP that is being used with the default private key.

The public/private key pairs and the ID certificates can be generated using openssl command-line tools.

If the server authentication certificate in the ICDM-RX/TCP is not signed by an authority known to the client (as shipped, they are not), then interactive SSL clients such as web browsers will generally warn the user. If the name in the server authentication certificate does not match the hostname that was used to access the server, then interactive SSL clients such as web browsers will generally warn the user.

6.3.6.2. Client Authentication

Client Authentication is the mechanism by which the ICDM-RX/TCP verifies the identity of clients (that is, web browsers and so forth).

Clients can generally be configured to accept a particular unknown server certificate so that the user is not subsequently warned.

The ICDM-RX/TCP (generally an SSL server) can be configured by uploading a trusted authority certificate that will be used to verify the ID certificates presented to the ICDM-RX/TCP by SSL clients. This allows you to restrict access to the ICDM-RX/TCP to a limited set of clients which have been configured with corresponding ID certificates.

ICDM-RX/TCP units are shipped without an authority certificate and do not require clients to present ID certificates. This allows any and all SSL clients to connect to the ICDM-RX/TCP.

6.3.6.3. Certificates and Keys

To control access to the ICDM-RX/TCP's SSL/TLS protected resources you should create your own custom CA certificate and then configure authorized client applications with identity certificates signed by the custom CA certificate.

This uploaded CA certificate that is used to validate a client's identity is sometimes referred to as a trusted root certificate, a trusted authority certificate, or a trusted CA certificate. This CA certificate might be that of a trusted commercial certificate authority, or it may be a privately generated certificate that an organization creates internally to provide a mechanism to control access to resources that are protected by the SSL/TLS protocols.

The following is a list that contains additional information about certificates and keys:

By default, the ICDM-RX/TCP is shipped without a CA (Certificate Authority) and therefore allows connections from any SSL/TLS client. If desired, controlled access to SSL/TLS protected features can be configured by uploading a client authentication certificate to the ICDM-RX/TCP.
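The procedure above (a private CA, a server ID certificate replacing the factory default pair, and client ID certificates signed by that CA), worked through with the openssl command-line tools as an added example; this is not from the Pepperl+Fuchs manual, and the hostname, subject names, lifetimes and file names are assumptions chosen for illustration:

```shell
#!/bin/sh
# Added example, not from the Pepperl+Fuchs manual: build a private CA,
# a server ID certificate for the unit and a client ID certificate, then
# check the trust relationships the manual describes. Hostname, subject
# names, lifetimes and file names are assumptions chosen for illustration.
set -eu

make_pki() {
  d="$1"      # output directory
  host="$2"   # hostname clients will use to reach the ICDM-RX/TCP
  mkdir -p "$d"
  # 1. Private CA. Its certificate (ca.crt) is the "trusted authority
  #    certificate" uploaded to the unit for client authentication; ca.key
  #    stays offline and is never uploaded.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Plant Private CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
  # 2. Server ID certificate and private key, replacing the factory default
  #    pair shared by every unit. CN and SAN match the hostname so browsers
  #    do not raise a name-mismatch warning.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$d/server.key" -out "$d/server.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$d/server.ext"
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 825 -extfile "$d/server.ext" -out "$d/server.crt" >/dev/null 2>&1
  # 3. Client ID certificate signed by the private CA; once ca.crt is on the
  #    unit, only holders of such a certificate can connect.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=hmi-workstation-01" \
    -keyout "$d/client.key" -out "$d/client.csr" >/dev/null 2>&1
  printf 'extendedKeyUsage=clientAuth\n' > "$d/client.ext"
  openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 825 -extfile "$d/client.ext" -out "$d/client.crt" >/dev/null 2>&1
}

# Exit 0 only if the certificate chains to the given CA: the check the unit
# performs on a client's ID certificate, and the one a browser performs on
# the server's. A certificate from an unknown authority fails here.
verify_against_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Exit 0 only if the certificate's public key matches the private key, i.e.
# the pair that must be uploaded together as the unit's server identity.
key_matches_cert() {
  [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}
```

Upload ca.crt as the trusted authority certificate, server.crt plus server.key as the server identity, and install client.crt plus client.key in each authorized client.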