Manual
54 - DeviceMaster LT Security
DeviceMaster LT User Guide: 2000586 Rev. B
Client Authentication
• The private key used to sign the certificate must also be uploaded to the
DeviceMaster LT
.
Note: Possession of that private key will allow eavesdroppers to decrypt all
traffic to
and from the DeviceMaster LT.
• The corresponding public key can be used to verify
the ID certificate but not to
decrypt traffic.
• All DeviceMaster LT are shipped from the fa
ctory with identical self-signed ID
certif
icates and private keys. This means that somebody could (with a little
effort) extract the factory default private key from the DeviceMaster LT
firmware and use that private key to eavesdrop on traffic to/from any ot
her
D
eviceMaster LT that is being used with the default private key.
• The public/private key pairs and the ID certificates can be generated usin
g
openssl co
mmand-line tools.
• If the server authentication certificate in the
DeviceMaster LT is not signed by
an authority known to the client (as shipped, they ar
e not), then interactive
SSL
clients such as web browsers will generally warn the user.
• If the name in server authentication certificate does not matc
h the hostname
that was used to access the server, then interactive SSL clients such
as web
brow
sers will generally warn the user.
Client
A
uthentication
Client Authentication is the mechanism by which the DeviceMaster LT verifies the
identity of clients (that is, web browsers and so forth).
• Clients can generally be confi
gured to accept a particular unknown server
certificate so that the user is not subsequently warned.
• The DeviceMaster LT (generally an SSL server) can be configured by
up
loading a trusted authority certificate that will be used to verify the ID
certificates presented to the DeviceMaster LT by SSL clients. This allows yo
u
t
o restrict access to the DeviceMaster LT to a limited set of clients which ha
ve
been configured with corresponding ID certificates.
• DeviceMaster LT units will be shipped without an authority certificate and
will not require clients to present ID certificates. This allows any and all
SSL
c
lients to connect to the DeviceMaster LT.
Certificates and Keys To control access to the DeviceMaster L
T's SSL/TLS protected resources you
should create your own custom CA certificate and then configure authorized client
applications with identity certificates signed by the custom CA certificate.
This uploaded CA certificate that is used to validate a client's identity is
sometimes referred to as a trusted root certificate, a
trusted authority certificate, or
a trusted CA certificate. This CA certificate might be that of a trusted commercial
certificate authority or it may be a privately generated certificate that an
organization creates internally to provide a mechanism to control access to
resources that are protected by the SSL/TLS protocols.
The following is a list that contains additional information about certificates and
ke
ys:
• By default, the DeviceMaster LT is shipped without a CA (Certifica
te
Authority) and therefore al
lowing connections from any SSL/TLS client. If
desired, controlled access to SSL/TLS protected features can be
configured by
u
ploading a client authentication certificate to the DeviceMaster LT.
• Certificates can be obtained from commercial certificate authorities (VeriSign,
Th
awte, Entrust, and so forth.).
• Certificates can be created by use
rs for their own use by using openssl
command line tools or other applications.
• Certificates and keys to be uploaded to the
DeviceMaster LT must be in the
.DER binary file format, not in the .PEM ASCII file format. (The openssl tools
can create files in either format and can convert files back and forth between
the two formats.)