Client authentication, Certificates and keys, Client authentication certificates and keys – Comtrol Hub DeviceMaster User Manual

DeviceMaster Installation and Configuration Guide: 2000594 Rev. A

DeviceMaster Security - 79

Client Authentication

Client
Authentication

Client Authentication is the mechanism by which the DeviceMaster verifies the
identity of clients (that is, web browsers and so forth).

•

Clients can generally be configured to accept a particular unknown server
certificate so that the user is not subsequently warned.

•

The DeviceMaster (generally an SSL server) can be configured by uploading a
trusted authority certificate that will be used to verify the ID certificates
presented to the DeviceMaster by SSL clients. This allows you to restrict
access to the DeviceMaster to a limited set of clients which have been
configured with corresponding ID certificates.

•

DeviceMaster units will be shipped without an authority certificate and will
not require clients to present ID certificates. This allows any and all SSL
clients to connect to the DeviceMaster.

Certificates and Keys

To control access to the DeviceMaster's SSL/TLS protected resources you should
create your own custom CA certificate and then configure authorized client
applications with identity certificates signed by the custom CA certificate.

This uploaded CA certificate that is used to validate a client's identity is
sometimes referred to as a trusted root certificate, a trusted authority certificate, or
a trusted CA certificate. This CA certificate might be that of a trusted commercial
certificate authority or it may be a privately generated certificate that an
organization creates internally to provide a mechanism to control access to
resources that are protected by the SSL/TLS protocols.

The following is a list that contains additional information about certificates and
keys:

•

By default, the DeviceMaster is shipped without a CA (Certificate Authority)
and therefore allowing connections from any SSL/TLS client. If desired,
controlled access to SSL/TLS protected features can be configured by
uploading a client authentication certificate to the DeviceMaster.

•

Certificates can be obtained from commercial certificate authorities (VeriSign,
Thawte, Entrust, and so forth.).

•

Certificates can be created by users for their own use by using openssl
command line tools or other applications.

•

Certificates and keys to be uploaded to the DeviceMaster must be in the .DER
binary file format, not in the .PEM ASCII file format. (The openssl tools can
create files in either format and can convert files back and forth between the
two formats.)

•

Configuring Certificates and keys are configured by four uploaded files on the
bottom Key and Certificate Management portion of the Edit Security
Configuration web page:

-

RSA Key Pair used by SSL and SSH servers

This is a private/public key pair that is used for two purposes:

• It is used by some cipher suites to encrypt the SSL/TLS handshaking

messages. Possession of the private portion of this key pair allows an
eavesdropper to both decrypt traffic on SSL/TLS connections that use
RSA encryption during handshaking.

• It is used to sign the Server RSA Certificate in order to verify that the

DeviceMaster is authorized to use the server RSA identity certificate.
Possession of the private portion of this key pair allows somebody to
pose as the DeviceMaster.

If the Server RSA Key is replaced, a corresponding RSA server certificate
must also be generated and uploaded as a matched set or clients are not
able to verify the identity certificate.