10: Security Settings
EDS-MD® Medical Device Server User Guide
70
Digital Certificates
The goal of a certificate is to authenticate its sender. It is analogous to a paper document that
contains personal identification information and is signed by an authority, for example a notary or
government agency. With digital certificates, a cryptographic key is used to create a unique digital
signature.
Trusted Authorities
A private key is used by a trusted certificate authority (CA) to create a unique digital signature.
Along with this private key is a certificate of authority, containing a matching public key that can be
used to verify the authority's signature but not re-create it.
A chain of signed certificates, anchored by a root CA, can be used to establish a sender's
authenticity. Each link in the chain is certified by a signed certificate from the previous link, with
the exception of the root CA. This way, trust is transferred along the chain, from the root CA
through any number of intermediate authorities, ultimately to the agent that needs to prove its
authenticity.
Obtaining Certificates
Signed certificates are typically obtained from well-known CAs, such as VeriSign, Inc. This is
done by submitting a certificate request for a CA, typically for a fee. The CA will sign the certificate
request, producing a certificate/key combo: the certificate contains the identity of the owner and
the public key, and the private key is available separately for use by the owner.
As an alternative to acquiring a signed certificate from a CA, you can act as your own CA and
create self-signed certificates. This is often done for testing scenarios, and sometimes for closed
environments where the expense of a CA-signed root certificate is not necessary.
Self-Signed Certificates
A few utilities exist to generate self-signed certificates or sign certificate requests. The EDS-MD
device servers also have the ability to generate its own self-signed certificate/key combo. You can
use XML to export the certificate in PEM format, but you cannot export the key. Hence, the internal
certificate generator can only be used for certificates that are to identify that particular EDS-MD
module.
Certificate Formats
Certificates and private keys can be stored in several file formats. Best known are PKCS12, DER
and PEM. Certificate and key can be in the same file or in separate files. Additionally, the key can
be either be encrypted with a password or left in the clear. However, EDS-MD device servers
currently only accepts separate PEM files, with the key unencrypted.
Several utilities exist to convert between the formats.