PKI certificates

TLS uses PKI (Public Key Infrastructure) certificates to authenticate each server and encrypt data transmitted within the system.

Signed certificates

A certificate is an electronic document, signed by a recognized CA (Certificate Authority), which proves to a network client that the presenting server owns a valid public key.

Figure 3.   A signed certificate

Among a certificate’s many properties, its Subject identifies the entity to which the certificate belongs, that is, its owner. This is usually an IP address or a Station Display Name. Its Issued By property identifies the root certificate of the CA that signed the certificate after verifying the validity of the owner and the certificate’s key. Without a CA-signed certificate, a client cannot authenticate the server and no communication should take place.

Some connections occur over a local area network. Others include a browser and the Internet. For communication to be secure, certificate authentication and encryption are required at each connection step: device or service through Niagara to another device on the LAN, or through a network firewall to a browser and on to the Internet.

In a LAN, each platform/station can function as a server and as a client. Workbench is always a client. As a server, each platform/station presents its own signed certificate to the client. As a client, Workbench and each platform/station authenticate a received server certificate by checking its signature against the root CA certificate in the client’s trust store that signed the server certificate.

If a secure network connection cannot be made between server and client, you may temporarily accept the server’s self-signed certificate.

In a broader connection that includes the Internet, a remote device, such as a camera, is a server that sends live and recorded video to a client station. The browser in an Internet connection requires that the camera have a signed server certificate that is recognized by a root CA certificate in its (the browser’s) trust store.

If the camera cannot make a secure browser connection, you may have to temporarily connect using http://. If you switch from an https:// to an http:// connection, empty the browser’s cache before attempting the http:// connection.

The best practice is to use only server certificates signed by a root CA certificate in the clients’ (station and browser) trust stores. This chapter explains how to install a server certificate in a station. You install a signed server certificate in a camera using its configuration web page.

Self-signed certificates

When you connect to a Supervisor and controller platform/station for the first time using Workbench, the platform/station, functioning as a server, presents its default self-signed tridium certificate to Workbench.

Figure 4.   A self-signed certificate

You can tell that this server certificate is self-signed rather than CA-signed because its Issued By property and Subject property are the same. In other words, it signed itself. The system can use this certificate to encrypt data transmitted between client and server but it cannot use this certificate to authenticate the server. You manually authenticate the server by accepting this self-signed certificate.

For communication between entities to be secure without human intervention, each platform/station must present to a client its own signed server certificate, and each client needs a copy of the root CA certificate used to sign the server certificate so that the client can compare the signatures and verify the server’s identity. Each browser you use (which functions as a client) also requires the root CA certificate used to sign the server certificate(s) sent to it.

After the identity of the server is verified, encrypted communication using the certificate keys begins.
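The two checks described above (Issued By equal to Subject means self-signed; a CA-signed certificate is trusted only when the signing root CA is in the client’s trust store) can be reproduced with openssl. The script below is an added example and is not part of the Niagara documentation or product: it builds a throwaway root CA, a server certificate signed by that CA, and a self-signed server certificate, then classifies each and verifies it against a given trust store. The names "Demo Root CA" and the Subject 192.0.2.10 are constructed for the demonstration; the trust store here is simply a PEM file passed to openssl verify, standing in for the station or browser trust store.

```shell
#!/bin/sh
# Added example, not Niagara code: a tiny PKI built with openssl to show
# how a client tells a self-signed certificate from a CA-signed one and
# why the root CA must be in the client's trust store.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed names for the demo (not real deployments).
CA_SUBJ="/CN=Demo Root CA"
SERVER_SUBJ="/CN=192.0.2.10"

# 1. Root CA certificate: self-signed by definition (Issued By == Subject).
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.pem" -subj "$CA_SUBJ" -days 365 >/dev/null 2>&1

# 2. Server key and CSR, then a certificate signed by the root CA:
#    Subject is the server, Issued By is the CA.
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" -subj "$SERVER_SUBJ" >/dev/null 2>&1
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.pem" \
    -days 365 >/dev/null 2>&1

# 3. A default-style self-signed server certificate, like the one a fresh
#    platform/station presents on first connection.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/selfsigned.key" \
    -out "$WORK/selfsigned.pem" -subj "$SERVER_SUBJ" -days 365 >/dev/null 2>&1

# Print "self-signed" when the Issuer equals the Subject, else "ca-signed".
classify_cert() {
    subj="$(openssl x509 -in "$1" -noout -subject)"
    issuer="$(openssl x509 -in "$1" -noout -issuer)"
    if [ "${subj#subject=}" = "${issuer#issuer=}" ]; then
        echo "self-signed"
    else
        echo "ca-signed"
    fi
}

# Print "trusted" when the certificate ($1) chains to a root CA in the
# trust store file ($2), else "untrusted". This is the check a client
# (Workbench, a station, or a browser) performs before talking to a server.
verify_against_trust_store() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo "trusted"
    else
        echo "untrusted"
    fi
}

for cert in ca.pem server.pem selfsigned.pem; do
    printf '%-15s %-12s with CA in trust store: %s\n' "$cert" \
        "$(classify_cert "$WORK/$cert")" \
        "$(verify_against_trust_store "$WORK/$cert" "$WORK/ca.pem")"
done
# The CA-signed server certificate is NOT trusted by a client whose trust
# store lacks the signing root CA (here the store holds only selfsigned.pem).
printf 'server.pem      with wrong trust store:    %s\n' \
    "$(verify_against_trust_store "$WORK/server.pem" "$WORK/selfsigned.pem")"
```

Running the script prints one line per certificate: the root CA and the default-style certificate classify as self-signed, the server certificate as CA-signed, and only the CA-signed certificate verifies when the root CA is in the trust store. The last line shows the failure mode the text warns about: the same CA-signed certificate is rejected by a client whose trust store does not contain the signing root CA, which is why every station and browser needs a copy of it.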

Connections that require security

Many connections within a system require security, including:

  • Platform/station to Workbench connection (Niagarad)
  • Computer to platform (Niagarad)
  • Station to local or remote Supervisor (Https)
  • Supervisor to local or remote platform/station (Foxs)
  • Browser to station (Https)
  • Station to station (Foxs)
  • Database connection
  • Station to DVR/NVR/camera connection (Https)
  • Other device connections
  • LDAP connection