NetModule NB2800 - Page 196

To Next Page

To Previous Page

NB2800

User Manual for NRSW version 4.5.0.100

Parameter Certiﬁcate Conﬁguration

Country (C) The certiﬁcate owner’s country (usually a TLD abbreviation)

Common Name (CN) The certiﬁcate owner’s common name, mainly used to identify a host

E-Mail The certiﬁcate owner’s email address

Expiry period The number of days a certiﬁcate will be valid from now on

Key size The length of the private key in bits

DH primes The number of bits for custom Difﬁe-Hellman primes

Signature The signature algorithm when signing certiﬁcates

Passphrase The passphrase for accessing/opening a private key

Please be aware of the fact, that the local random number generator (RNG) provides pretty good

randomness for most applications. If stronger cryptography is mandatory, we suggest to create the

keys at an external RNG device or manage all certiﬁcates completely on a remote certiﬁcation server.

Nevertheless, using a local certiﬁcate authority can issue and manage all required certiﬁcates and also

run a certiﬁcate revokation list (CRL).

When importing keys, the certiﬁcate and key ﬁle can be uploaded individually encoded in PEM/DER

or PKCS7 format. All ﬁles (CA certiﬁcate, certiﬁcate and private key) can also be uploaded in one

stroke by using the container format PKCS12. RSA/DSS keys can be converted from OpenSSH or

Dropbear formats. It is possible to specify the passphrase for opening the private key. Please note

that the system will generally apply the system-wide certiﬁcate passphrase on a key when installing

the certiﬁcate. Thus, changing the general passphrase will result in all local keys getting equipped with

the new one.

SCEP Conﬁguration

If certiﬁcates are getting enrolled by using the Simple Certiﬁcate Enrollment Protocol (SCEP) the

following settings can be conﬁgured:

Parameter SCEP Conﬁguration

SCEP status Speciﬁes whether SCEP is enabled or not

URL The SCEP URL, usually in the form

http://<host>/<path>/pkiclient.exe

CA ﬁngerprint The ﬁngerprint of the certiﬁcate used to identify the remote authority.

If left empty, any CA will be trusted.

Fingerprint algorithm The ﬁngerprint algorithm for identifying the CA (MD5 or SHA1)

Poll interval The polling interval in seconds for a certiﬁcate request

Request timeout The max. polling time in seconds for a certiﬁcate request

ID type Can be IP, Email or DNS

Password The password for the scep server.

196

Other manuals for NetModule NB2800