Reference7:Configuration/General/Certificates: Difference between revisions

From innovaphone wiki
Line 55: Line 55:
|valign=top nowrap=true|'''Download:'''
|valign=top nowrap=true|'''Download:'''
| Download a single certificate by clicking the PEM or DER-link, respectively.
| Download a single certificate by clicking the PEM or DER-link, respectively.
|-
|valign=top nowrap=true|'''Download chain and private key:'''
| Download a the complete certificate chain together with the corresponding private key as a PEM-encoded text file. Remember that the private key must be kept secret. So this should only be done for backup or transfer purposes in a secure environment and over a HTTPS connection.
|-
|-
|valign=top nowrap=true|'''Create new:'''
|valign=top nowrap=true|'''Create new:'''
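Review bot: the added "Download chain and private key" row has a stray article in "Download a the complete certificate chain", and "a HTTPS connection" should read "an HTTPS connection". The row tells the reader to keep the private key secret but does not say whether the key inside the PEM file is encrypted; state that explicitly, since it decides how the backup file has to be stored and transferred.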

Revision as of 18:09, 11 September 2008

Trust list

This list contains the certificates to be accepted for TLS secured connections (e.g. HTTPS, SIPS). You can add either individual endpoint certificates or a CA certificate if you want to accept all certificates issued by that CA.

Remove: Remove the selected certificate.
Clear: Remove all certificates from the trust list.
Details: Click the name of a certificate to view its details.
Download: Download a single certificate by clicking the PEM- or DER-link, respectively.
Download all: Download the complete trust list as a PEM-encoded text file. You can upload that file to another box.
Upload: Select a local certificate file from your computer and press the Upload button to add it to the trust list. You can upload either DER- or PEM-encoded certificates. PEM files may contain multiple certificates.

Rejected certificates

This list contains the certificate chains that were previously rejected while trying to establish a secure TLS connection. This happens, for example, if the certificate is expired or if neither the certificate nor any of the issuing CAs is trusted. If one of those certificates should be trusted for future connections, you can select it and add it to the trust list directly.

Trust: Add the selected certificates to the trust list and remove the corresponding chains from the rejected certificates.
Clear: Discard all rejected certificate chains.
Details: Click the name of a certificate to view its details.

Device certificate

The device certificate can be used by remote TLS endpoints to authenticate the identity of the device. In general this is not a single certificate but a chain containing the device certificate and the certificates of the intermediate CAs up to the root CA. A TLS connection can only be established if the remote endpoint trusts at least one of those certificates.

Trust: Add the selected certificates to the trust list.
Clear: This button is only displayed if a certificate was previously installed by the user. Click this button to discard the current device certificate and restore the standard certificate.
Renew: This button is only displayed if no certificate was previously installed by the user. Click this button to renew the automatically generated standard certificate.
Details: Click the name of a certificate to view its details.
Download: Download a single certificate by clicking the PEM- or DER-link, respectively.
Create new: Click this link to create a new self-signed certificate or certificate request (see below).
Upload: Select a local certificate file and press the "Upload" button. You can upload a single certificate that corresponds to the private key of a previously created certificate request, in either PEM or DER format. Alternatively, you can upload a complete certificate chain together with the corresponding private key as a PEM-encoded text file.
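
An added example (not from the innovaphone wiki or product): a standard-library Python check that inventories a PEM file before it is uploaded to a trust list or copied to another box, and flags a file that is really a chain-with-private-key export. It assumes the standard PEM block labels are used; the function names are hypothetical and the sample blocks are constructed placeholders, not real certificates or keys.

```python
import base64
import hashlib
import re

# One PEM block: -----BEGIN <label>----- ... -----END <label>-----
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def inventory_pem(text):
    """Return (label, sha256 fingerprint or None) for every PEM block in text."""
    items = []
    for label, body in PEM_BLOCK.findall(text):
        fingerprint = None
        if label == "CERTIFICATE":
            # The fingerprint is the SHA-256 of the DER bytes inside the block.
            der = base64.b64decode("".join(body.split()), validate=True)
            fingerprint = hashlib.sha256(der).hexdigest()
        items.append((label, fingerprint))
    return items


def check_pem_file(text):
    """Summarise a PEM file and say whether it is fit for a trust list."""
    items = inventory_pem(text)
    certs = [fp for label, fp in items if label == "CERTIFICATE"]
    # Covers "PRIVATE KEY", "RSA PRIVATE KEY", "ENCRYPTED PRIVATE KEY", ...
    keys = [label for label, _ in items if label.endswith("PRIVATE KEY")]
    return {
        "certificates": len(certs),
        "unique_certificates": len(set(certs)),
        "private_keys": len(keys),
        # A trust list file holds certificates only, never key material.
        "ok_for_trust_list": bool(certs) and len(certs) == len(items),
    }


def _pem(label, payload):
    """Wrap constructed placeholder bytes in a PEM block (sample data only)."""
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


# Constructed samples: a two-entry trust list and a chain-plus-key export.
SAMPLE_TRUST_LIST = _pem("CERTIFICATE", b"constructed CA certificate") + _pem(
    "CERTIFICATE", b"constructed endpoint certificate"
)
SAMPLE_CHAIN_WITH_KEY = SAMPLE_TRUST_LIST + _pem("RSA PRIVATE KEY", b"constructed key")
```
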

Creating a self-signed certificate

Click the "Create new" link.

Type: Select "Self-signed certificate".
Key: Choose the bit strength of the key pair. Available bit strengths are 1024, 2048 and 4096 bits. Optionally you can reuse the current key pair.
Common Name: The common name should match the name of the device. For example, if you access the web interface of the device with https://ip6000-08-02-60, the common name should be "ip6000-08-02-60".
Other naming options: There are some other optional naming parameters (e.g. Organisational Unit, Country). You can use them to describe the role of the device within your installation, for example.

Signing request

A certificate signing request contains a public key and an identity. The corresponding private key is kept secret, while the request is sent to a CA. The CA issues an appropriate certificate for the public key after it has verified the identity.

Details: Click the name of the signing request to view its details.
Download: Download the signing request by clicking the PEM- or DER-link, respectively.
Remove: Discard the current signing request and the corresponding private key. As a consequence, certificates for that key can no longer be installed.

Creating a certificate signing request

Click the "Create new" link in the device certificate section.

Type: Select "Signing request".
Key: Choose the bit strength of the key pair. Available bit strengths are 1024, 2048 and 4096 bits. Optionally you can reuse the current key pair.
Common Name: The common name should match the name of the device. For example, if you access the web interface of the device with https://ip6000-08-02-60, the common name should be "ip6000-08-02-60".
Other naming options: There are some other optional naming parameters (e.g. Organisational Unit, Country). You can use them to describe the role of the device within your installation, for example. Keep in mind that the CA signing the request can modify these parameters according to their policies.

Uploading the response certificate from a CA

See section about device certificate upload.