4 - 22 FX7500 RFID Reader Integrator Guide
Self-signed certificates have restrictions: by default, clients do not trust them because they are not
issued by a trusted Certification Authority (CA). Custom trusted certificates may be beneficial in certain use
cases, for example:
• LLRP by default does not authenticate the client or reader. Security extensions to the standard allow
client or reader authentication using digital certificates. The entities involved validate digital certificates
by confirming the certificates were issued from a trusted source. Therefore a custom certificate is
required to authenticate the client or reader. See the Validate Peer option in Configure LLRP Settings on
page 4-34.
• By default, web browsers display a warning or prevent connection to the Administrator Console when
the console service is in HTTPS mode. See Network Services Settings on page 4-37. This can be an
inconvenience in certain environments, particularly when browsers are configured to reject connections
to servers that do not present a trusted certificate.
The FX7500 reader does not support automatic certificate requests or updates. The reader certificate must be
issued externally and imported to the reader.
The Update Certificate section allows importing a custom certificate to the reader. You must use one of the
digital certificate generation mechanisms to create the certificate (see Creating a Custom Certificate). The
reader only supports certificates in PKCS#12 format (typically with a .pfx extension). This format bundles a signed
certificate and its private key (optionally encrypted) into a single file. The certificate must be hosted on
a secure FTP server (running in Explicit SSL/TLS over FTP mode). The following options are used to perform
the update:
• FTPS URL: Full path to the server, including the ftps:// prefix, where the .pfx file is hosted.
• FTPS User ID: User login ID for the secure FTP server.
• FTPS Password: Password for the specified user.
• PFX Password: Password for the encrypted key in the .pfx file, if the key is encrypted.
Creating a Custom Certificate
The FX7500 reader requires that custom certificates are created externally and imported to the reader using a
secure FTP server, as described previously. The certificate and key used by the reader must be in PKCS#12 format (a
single .pfx file), while the certificate and keys used by clients interfacing to the LLRP service on the reader
must be in PEM format. If you obtain a certificate in a different format, it must be converted to the appropriate
format using a tool such as OpenSSL (www.openssl.org).
Digital certificates are typically requested and issued from a certification authority hosted internally in an
enterprise environment or by a trusted third party certification authority. The process of requesting and creating
certificates varies between platforms. For example, a Windows Server environment typically uses Microsoft
Certification Server to process certificate requests and issue certificates. Unix-based systems typically use
NOTE The FX7500 supports only a single digital certificate. If a custom certificate is installed, the issuer of the certificate is trusted by the reader, so any client attempting to connect to the reader over secure LLRP mode is trusted if the certificate issued to the client is from the same issuer.
NOTE The FX7500 only supports certificates using the RSA public key algorithm. When obtaining a certificate for the reader or clients, ensure that RSA is the selected key algorithm.
NOTE A manual reboot of the reader is required after updating the certificate for the services using SSL/TLS.
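The following script is an added example, not from the FX7500 guide or Zebra, showing the OpenSSL steps the conversion paragraph and the notes above imply: bundling a PEM certificate and RSA key into the PKCS#12 (.pfx) form the reader imports, extracting the PEM form that LLRP clients use, confirming the bundled certificate uses RSA, and confirming that a certificate chains to the same issuer the reader will trust. The demo CA, the host name fx7500.example.test and the password demo-pfx-password are constructed for the example; in a real deployment the reader's CSR goes to your enterprise CA and the issued PEM files replace the demo ones.

```shell
#!/bin/sh
# Added example, not from the FX7500 guide: build the reader's PKCS#12 (.pfx) bundle from
# PEM inputs with OpenSSL and check it before hosting it on the FTPS server.
# The CA, host name and passwords below are constructed for the demo; in production the
# reader CSR is submitted to your enterprise CA and the issued PEM files are used instead.
set -e

# Working directory for the demo files (override with WORK=/path).
WORK="${WORK:-$(mktemp -d)}"

# make_demo_pki DIR
# Constructed throwaway issuing CA plus an RSA reader certificate signed by it.
make_demo_pki() {
  dir="$1"
  # Self-signed CA certificate and key (RSA, as the reader requires).
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" -subj "/CN=Demo Issuing CA" 2>/dev/null
  # Reader key and CSR, then sign the CSR with the demo CA.
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$dir/reader.key" -out "$dir/reader.csr" -subj "/CN=fx7500.example.test" 2>/dev/null
  openssl x509 -req -days 30 -in "$dir/reader.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/reader.pem" 2>/dev/null
}

# make_pfx CERT.pem KEY.pem ISSUER.pem OUT.pfx PASSWORD
# Bundle the signed certificate, its private key (encrypted with PASSWORD, which is what
# the console's "PFX Password" field asks for) and the issuer certificate into one .pfx.
make_pfx() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" -out "$4" -passout "pass:$5"
}

# pfx_to_pem IN.pfx PASSWORD OUT.pem
# Reverse conversion: unpack a bundle into the PEM form that LLRP clients use.
pfx_to_pem() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -out "$3" 2>/dev/null
}

# pfx_key_algorithm IN.pfx PASSWORD
# Print the public key algorithm of the certificate in the bundle; the reader accepts
# only RSA, which OpenSSL reports as "rsaEncryption".
pfx_key_algorithm() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -text \
    | sed -n 's/^ *Public Key Algorithm: \(.*\)/\1/p'
}

# chain_ok CERT.pem ISSUER.pem
# Print OK when CERT chains to ISSUER. Because the reader trusts the issuer of its own
# certificate, an LLRP client certificate that passes this check against that issuer is
# the kind the reader accepts in secure LLRP mode; one that fails here will be rejected.
chain_ok() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Demo run (skipped when OpenSSL is not installed).
if command -v openssl >/dev/null 2>&1; then
  make_demo_pki "$WORK"
  make_pfx "$WORK/reader.pem" "$WORK/reader.key" "$WORK/ca.pem" "$WORK/reader.pfx" "demo-pfx-password"
  pfx_to_pem "$WORK/reader.pfx" "demo-pfx-password" "$WORK/reader-unpacked.pem"
  echo "bundle key algorithm: $(pfx_key_algorithm "$WORK/reader.pfx" demo-pfx-password)"
  echo "reader cert chains to issuer: $(chain_ok "$WORK/reader.pem" "$WORK/ca.pem")"
fi
```

The resulting reader.pfx is what you host on the FTPS server and reference in the FTPS URL field, with demo-pfx-password entered as the PFX Password. One caveat worth knowing: OpenSSL 3 changed the default PKCS#12 encryption to AES-256-CBC with PBKDF2, which some older embedded software cannot read; if the reader rejects a bundle produced this way, `openssl pkcs12 -export -legacy` (with the legacy provider available) writes the older encryption that pre-3.0 OpenSSL used.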