NBB-800
User Manual for NRSW version 4.5.0.100
Parameter
Certificate Configuration
Country (C)
The certificate owner’s country (usually a TLD abbreviation)
Common Name (CN)
The certificate owner’s common name, mainly used to identify a host
The certificate owner’s email address
Expiry period
The number of days a certificate will be valid from now on
Key size
The length of the private key in bits
DH primes
The number of bits for custom Diffie-Hellman primes
Signature
The signature algorithm when signing certificates
Passphrase
The passphrase for accessing/opening a private key
Please be aware of the fact, that the local random number generator (RNG) provides pretty good
randomness for most applications. If stronger cryptography is mandatory, we suggest to create the
keys at an external RNG device or manage all certificates completely on a remote certification server.
Nevertheless, using a local certificate authority can issue and manage all required certificates and also
run a certificate revokation list (CRL).
When importing keys, the certificate and key file can be uploaded individually encoded in PEM/DER
or PKCS7 format. All files (CA certificate, certificate and private key) can also be uploaded in one
stroke by using the container format PKCS12. RSA/DSS keys can be converted from OpenSSH or
Dropbear formats. It is possible to specify the passphrase for opening the private key. Please note
that the system will generally apply the system-wide certificate passphrase on a key when installing
the certificate. Thus, changing the general passphrase will result in all local keys getting equipped with
the new one.
SCEP Configuration
If certificates are getting enrolled by using the Simple Certificate Enrollment Protocol (SCEP) the
following settings can be configured:
Parameter
SCEP Configuration
SCEP status
Specifies whether SCEP is enabled or not
URL
The
SCEP
URL,
usually
in
the
form
http://<host>/<path>/pkiclient.exe
CA fingerprint
The fingerprint of the certificate used to identify the remote authority.
If left empty, any CA will be trusted.
Fingerprint algorithm
The fingerprint algorithm for identifying the CA (MD5 or SHA1)
Poll interval
The polling interval in seconds for a certificate request
Request timeout
The max. polling time in seconds for a certificate request
ID type
Can be IP, Email or DNS
Password
The password for the scep server.
182