Administrator Console
61
• LLRP by default does not authenticate the client or reader. Security extensions to the standard
allow client or reader authentication using digital certificates. The entities involved validate digital
certificates by confirming the certificates were issued from a trusted source. Therefore a custom
certificate is required to authenticate the client or reader. See the Validate Peer option in Configure
LLRP Settings on page 76.
• By default web browsers display a warning or prevent connection to the Administrator Console
when the console service is in HTTPS mode. See Network Services Settings on page 79. This can
be an inconvenience for certain environments, particularly when browsers are configured to reject
connection to servers that do not publish a trusted certificate.
FX Series readers do not allow automatic certificate request and updating. The reader certificate must be
issued externally and imported to the reader.
The Update Certificate section allows importing a custom certificate to the reader. You must use one of the
digital certificate generation mechanisms to create the certificate (see Creating a Custom Certificate). The
reader only supports certificates in PKCS#12 format (typically with a .pfx extension). This format uses a
signed certificate, with a private key (optionally encrypted) bundled into a single file. The certificate must
be hosted on a secure FTP server (running in Explicit SSL/TLS over FTP mode). The following options are
used to perform the update:
• FTPS URL: Full path to server, including ftps:// prefix, where the .pfx file is hosted.
• FTPS User ID: User login ID to secure FTP server.
• FTPS Password: Password for specified user.
• PFX Password: Password for encrypted key in the .pfx file, if the key is encrypted.
Creating a Custom Certificate
FX Series readers require that custom certificates are created externally and imported to the reader using
secure FTP, as described previously. The certificate and key used by the reader must be in PKCS#12
format (a single .pfx file), while the certificate and keys used by clients interfacing to the LLRP service on
the reader must be in PEM format. If you obtain a certificate in a different format, it must be converted to the
appropriate format using a tool such as OpenSSL (www.openssl.org).
Digital certificates are typically requested and issued from a certification authority hosted internally in an
enterprise environment or by a trusted third party certification authority. The process of requesting and
creating certificates varies between platforms. For example, a Windows Server environment typically uses
Microsoft Certification Server to process certificate requests and issue certificates. Unix-based systems
typically use OpenSSL. This guide cannot document all options. The following example illustrates one
method of creating custom certificates.
NOTE: The FX7500 and FX9600 support only a single digital certificate. If a custom certificate is
installed, the issuer of the certificate is trusted by the reader, so any client attempting to connect to the
reader over secure LLRP mode is trusted if the certificate issued to the client is from the same issuer.
NOTE: The FX7500 and FX9600 support only certificates that use the RSA public key algorithm.
When obtaining a certificate issued for the reader or clients, ensure that RSA is the selected key
algorithm.
NOTE: A manual reboot of the reader is required after updating the certificate for the services using
SSL/TLS.
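As an added example that is not part of the FX Series guide, the following OpenSSL script shows one way to produce the two artifacts described under Creating a Custom Certificate: an RSA reader certificate bundled as a PKCS#12 .pfx with an encrypted key, and an RSA client certificate in PEM form for an LLRP client, both issued by the same private CA so that the issuer check in the first NOTE above succeeds. The CA name, host names, output directory and PFX password are assumptions chosen for illustration.

```shell
# Added example, not from the FX Series guide. Names, paths and the password are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"              # assumed output directory
PFX_PASS="${PFX_PASS:-example-pfx-pass}"  # assumed; this goes in the "PFX Password" field
# Create a private CA with an RSA key (the readers only accept RSA certificates).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example RFID CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Issue an RSA certificate signed by the CA. $1 = file name prefix, $2 = subject CN.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -out "$WORK/$1.pem" 2>/dev/null
}

# Bundle reader certificate, key and issuer into one PKCS#12 file; the key is
# encrypted under PFX_PASS (the "optionally encrypted" case the guide mentions).
make_reader_pfx() {
  openssl pkcs12 -export -in "$WORK/reader.pem" -inkey "$WORK/reader.key" \
    -certfile "$WORK/ca.pem" -passout "pass:$PFX_PASS" -out "$WORK/reader.pfx"
}

# Does the PEM certificate in $1 chain to our CA? This is the issuer check the
# reader applies to a connecting LLRP client. Prints OK or FAIL.
chains_to_ca() {
  openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1 && echo OK || echo FAIL
}

# Does the certificate in $1 carry an RSA public key? Prints OK or FAIL.
key_is_rsa() {
  openssl x509 -in "$1" -noout -text | grep -q "Public Key Algorithm: rsaEncryption" \
    && echo OK || echo FAIL
}

# Can the .pfx be opened with the PFX password? Prints OK or FAIL.
pfx_opens() {
  openssl pkcs12 -in "$WORK/reader.pfx" -passin "pass:$PFX_PASS" -nokeys -noout \
    >/dev/null 2>&1 && echo OK || echo FAIL
}
build_all() {
  make_ca
  issue_cert reader fx-reader.example.internal    # assumed reader host name
  issue_cert client llrp-client.example.internal  # assumed LLRP client host name
  make_reader_pfx
}
build_all && echo "reader.pfx, client.pem and client.key written to $WORK"
```

reader.pfx is the file to host on the FTPS server (its password goes in the PFX Password field), and client.pem with client.key are in the PEM form the guide requires for LLRP clients.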