System information

Crestron 2-Series Control Systems Reference Guide
Reference Guide – DOC. 6256A 2-Series Control Systems 47
Crestron’s implementation of SSL is based on OpenSSL (www.openssl.org), version
0.9.6a. The encryption algorithms and the key lengths supported in the 2-Series
processor are as follows:
Supported Encryption Algorithms and Key Lengths for 2-Series Processors
NAME   TYPE         SESSION KEY LENGTHS (BITS) IN/OUT
DES    Symmetric    56
3DES   Symmetric    168
RC2    Symmetric    128
RC4    Symmetric    128
DH     Asymmetric   512
RSA    Asymmetric   512
SSL-enabled clients and servers confirm each other’s identities using digital
certificates. Digital certificates are issued by trusted third-party enterprises called
Certificate Authorities, or CAs. From the certificate, the sender can verify the
recipient's claimed identity and recover their public key. By validating digital
certificates, both parties can ensure that an imposter has not intercepted a
transmission and provided a false public key for which they have the correct private
key.
A CA-signed certificate provides several important capabilities for a Web server:
• Browsers will automatically recognize the certificate and allow a secure
  connection to be made, without prompting the user. (If a browser
  encounters a certificate whose authorizing CA is not in its list of trusted
  CAs, the browser will prompt the user to accept or decline the connection.)
• When a CA issues a signed certificate, they are guaranteeing the identity of
  the organization that is providing the Web pages to the browser.
Alternatively, self-signed certificates can be generated for secure Web servers, but
self-signed certificates do not provide the same functionality as CA-signed
certificates. Browsers will not automatically recognize a self-signed certificate; and a
self-signed certificate does not provide any guarantee concerning the identity of the
organization that is providing the server.
In addition, handshaking is much faster in the case of CA-signed certificates because
the process of creating private/public keys is CPU intensive. With self-signed
certificates, these keys are created at every instance of a handshake, whereas with
CA-signed certificates the keys are already loaded. A CA-signed certificate thus
provides many important capabilities for a secure server.
There are various Certificate Authorities, notable among them being Thawte and
Verisign. For a fee, a CA investigates the organization hosting the server and issues a
certificate vouching for the identity of the server. The procedure for
obtaining/enrolling for a CA-signed certificate varies with each CA and is described
on their websites (e.g. www.thawte.com or www.verisign.com). However, all CAs
require a CSR, or Certificate Signing Request. The CSR can be copied and pasted to
the online enrollment form or sent via e-mail to the CA, along with any other
pertinent information the CA requires. The CA then issues the certificate, usually via
e-mail. The Crestron Viewport provides all the certificate management tools
necessary to generate a CSR and upload the certificate to the 2-Series processor.
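Because the certificate usually arrives as base64 text by e-mail, a pasted or re-wrapped copy can lose lines before it is uploaded. The Python check below is an added example, not part of the Crestron guide or its tools: it assumes the file carries standard BEGIN/END CERTIFICATE armor lines, and the function names and the sample data (a filler DER structure, not a real certificate) are constructed for illustration.

```python
import base64
import binascii
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(text):
    """Strip the armor lines and decode the base64 body to DER bytes."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no BEGIN/END CERTIFICATE armor found")
    body = "".join(m.group(1).split())       # drop line breaks and spaces
    try:
        return base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("base64 body is damaged: %s" % exc)

def der_outer_length(der):
    """Return the total size declared by the outer DER SEQUENCE header."""
    if len(der) < 2 or der[0] != 0x30:       # a certificate is a SEQUENCE
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                         # short form: one length byte
        return 2 + first
    n = first & 0x7F                         # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("unsupported or truncated DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_cert_file(text):
    """Decode the text and confirm it holds exactly one complete DER object."""
    der = pem_to_der(text)
    declared = der_outer_length(der)
    if declared != len(der):
        raise ValueError("DER declares %d bytes, file holds %d" % (declared, len(der)))
    return der

def make_sample_pem(payload_len=300):
    """Constructed stand-in for a certificate: a SEQUENCE of filler bytes."""
    der = b"\x30\x82" + payload_len.to_bytes(2, "big") + bytes(payload_len)
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    armored = ["-----BEGIN CERTIFICATE-----"] + lines + ["-----END CERTIFICATE-----"]
    return "\n".join(armored) + "\n", der

if __name__ == "__main__":
    pem, _ = make_sample_pem()
    print(len(check_cert_file(pem)), "bytes of DER")
```

A copy that lost a whole base64 line still decodes cleanly, so only the length comparison in check_cert_file catches it.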
The CA-signed certificate is an ASCII “base64” encoded text (*.CER) file, which
the 2-Series processor converts to a binary file called \\SYS\srv_cert.der. As a part of
the CSR process, a private key is also created as \\SYS\srv_key.der. It is extremely