Configuring a network for secure communication using digital certificates involves accessing the appropriate stores; creating certificates and certificate signing requests (CSRs); signing certificates; importing them into the hosts' User Key Stores; and importing the root CA certificate (or intermediate certificate) into the clients' User Trust Stores.
CAUTION: If the private key of your root CA or intermediate certificates falls into the wrong hands, your entire network can be in danger of a significant cyber attack. To ensure security, always create the root CA and intermediate certificates, and use them to sign other certificates, in Workbench running on a secure computer that is kept under lock and key. Use this computer for only one purpose: to manage and sign certificates. Never connect this computer to the Internet, and never access it over your company network. Carefully protect any thumb drive that contains any certificate with its private key.
You may use a third-party CA (Certificate Authority), such as VeriSign or Thawte, to sign your certificates, or you may serve as your own CA.
Unless absolutely necessary, do not use a Supervisor or engineering PC to access a controller remotely for the purpose of generating a server certificate and CSR. The preferred best practice is to set up certificates before distributing each controller to its remote location. If controllers are already in the field, travel to the remote location, take the controller off the Internet and corporate LAN, then connect your engineering PC directly to the controller using a cross-over cable.