54 - DeviceMaster LT Security
DeviceMaster LT User Guide: 2000586 Rev. B
Client Authentication
• The private key used to sign the certificate must also be uploaded to the DeviceMaster LT.
  Note: Possession of that private key will allow eavesdroppers to decrypt all traffic to and from the DeviceMaster LT.
• The corresponding public key can be used to verify the ID certificate but not to decrypt traffic.
• All DeviceMaster LT units are shipped from the factory with identical self-signed ID certificates and private keys. This means that somebody could (with a little effort) extract the factory default private key from the DeviceMaster LT firmware and use that private key to eavesdrop on traffic to/from any other DeviceMaster LT that is being used with the default private key.
• The public/private key pairs and the ID certificates can be generated using openssl command-line tools.
• If the server authentication certificate in the DeviceMaster LT is not signed by an authority known to the client (as shipped, they are not), then interactive SSL clients such as web browsers will generally warn the user.
• If the name in the server authentication certificate does not match the hostname that was used to access the server, then interactive SSL clients such as web browsers will generally warn the user.
Client Authentication
Client Authentication is the mechanism by which the DeviceMaster LT verifies the identity of clients (that is, web browsers and so forth).
• Clients can generally be configured to accept a particular unknown server certificate so that the user is not subsequently warned.
• The DeviceMaster LT (generally an SSL server) can be configured by uploading a trusted authority certificate that will be used to verify the ID certificates presented to the DeviceMaster LT by SSL clients. This allows you to restrict access to the DeviceMaster LT to a limited set of clients which have been configured with corresponding ID certificates.
• DeviceMaster LT units will be shipped without an authority certificate and will not require clients to present ID certificates. This allows any and all SSL clients to connect to the DeviceMaster LT.
Certificates and Keys
To control access to the DeviceMaster LT's SSL/TLS protected resources, you should create your own custom CA certificate and then configure authorized client applications with identity certificates signed by the custom CA certificate.
This uploaded CA certificate that is used to validate a client's identity is sometimes referred to as a trusted root certificate, a trusted authority certificate, or a trusted CA certificate. This CA certificate might be that of a trusted commercial certificate authority or it may be a privately generated certificate that an organization creates internally to provide a mechanism to control access to resources that are protected by the SSL/TLS protocols.
The following is a list that contains additional information about certificates and keys:
• By default, the DeviceMaster LT is shipped without a CA (Certificate Authority) and therefore allows connections from any SSL/TLS client. If desired, controlled access to SSL/TLS protected features can be configured by uploading a client authentication certificate to the DeviceMaster LT.
• Certificates can be obtained from commercial certificate authorities (VeriSign, Thawte, Entrust, and so forth).
• Certificates can be created by users for their own use by using openssl command-line tools or other applications.
• Certificates and keys to be uploaded to the DeviceMaster LT must be in the .DER binary file format, not in the .PEM ASCII file format. (The openssl tools can create files in either format and can convert files back and forth between the two formats.)
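The custom CA and client ID certificate described above, built with the openssl command-line tools and converted from PEM to DER, as an added example that is not taken from the original guide. The file names, subject names, key size and validity period are assumptions, and make_client_auth_pki is a hypothetical helper name.

```shell
#!/bin/sh
# Added example. File names, subject names, key size and lifetime are
# assumptions; make_client_auth_pki is a hypothetical helper name.
make_client_auth_pki() {
    dir=$1
    mkdir -p "$dir" || return 1
    (
        cd "$dir" || exit 1
        umask 077   # key files readable by their owner only

        # 1. Private CA: key pair and self-signed CA certificate (PEM).
        #    -nodes leaves the key unencrypted; keep ca.key.pem offline.
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
            -subj "/CN=Example Private CA" \
            -keyout ca.key.pem -out ca.cert.pem 2>/dev/null || exit 1

        # 2. Client key pair and certificate signing request.
        openssl req -new -newkey rsa:2048 -nodes -sha256 \
            -subj "/CN=example-client-01" \
            -keyout client.key.pem -out client.csr.pem 2>/dev/null || exit 1

        # 3. Sign the client request with the CA key.
        openssl x509 -req -in client.csr.pem -sha256 -days 365 \
            -CA ca.cert.pem -CAkey ca.key.pem -set_serial 1 \
            -out client.cert.pem 2>/dev/null || exit 1

        # 4. PEM to DER. ca.cert.der is the trusted authority certificate
        #    to upload; the client keeps client.key.pem and its certificate.
        openssl x509 -in ca.cert.pem -outform DER -out ca.cert.der || exit 1
        openssl x509 -in client.cert.pem -outform DER \
            -out client.cert.der || exit 1

        # 5. Confirm the client certificate chains to the CA.
        openssl verify -CAfile ca.cert.pem client.cert.pem >/dev/null || exit 1
    )
}
```

Call it as `make_client_auth_pki ./pki`; the CA private key never needs to leave the machine that signs client certificates.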