Certificates
Key Usage property. Their primary purpose in this system is to verify the identity of a server so that communication can be trusted.
- A CA (Certificate Authority) certificate is a self-signed certificate that belongs to a CA. This could be a third party or a company serving as its own CA.
- A root CA certificate is a self-signed CA certificate whose private key is used to sign other certificates creating a trusted certificate tree. With its private key, a root CA certificate may be exported, stored on a USB thumb drive in a vault, and brought out only when certificates need to be signed. A root CA certificate’s private key requires the creation of a password on export and the provision of the same password when you use it to sign other certificates.
- An intermediate certificate is a CA certificate signed by a root CA certificate that is used to sign server certificates or other intermediate CA certificates. Using intermediate certificates isolates a group of server certificates.
- A server certificate represents the server-side of a secure connection.
While you may configure a platform and station (as server) with separate server certificates, for simplicity most systems usually use the same server certificate.
- A client certificate represents the client-side of a secure connection. It is used by client systems to make authenticated requests to a server.
- A code-signing certificate is a certificate used to sign program objects and modules. Systems integrators use this certificate to prevent the introduction of malicious code when they customize the framework.
Identity verification uses multiple certificates in a trusted certificate tree Setting up identity verification may involve a third-party CA (Certificate Authority) or you may decide to serve as your own CA.
Figure 5. Visualizing the certificate tree
In the illustration above:
- Below the ground is the root CA certificate.
- The major branches represent intermediate certificates.
- The leaves are server certificates.
How many certificates you need depends on your configuration. At a minimum you need a unique server certificate for each server (controller) and a single root CA certificate to sign your server certificates. If your company is large, you may need an intermediate certificate for each geographical division or location. An individual server may have multiple certificates: one each to secure its Fox, Http and niagarad (platformtls) connections. Although each platform and station usually share the same certificate, you may create a separate platform certificate and a different station certificate.
If your network is large and thousands of certificates need to be signed, it is best to use the Signing Service (also see Niagara Signing Service Guide) or provisioning jobs.