Configuring a network for secure communication using digital certificates involves accessing the appropriate stores; creating
certificates and certificate signing requests; signing certificates; importing them into hosts User Key Stores; and importing the root CA certificate (or intermediate certificate) into client User Trust Stores.
CAUTION: If the private key of your root CA and intermediate certificates fall into the wrong hands, your entire network can be in
danger of a significant cyber attack. To ensure security, always create the root CA and intermediate certificates, and use
them to sign other certificates in
Workbench running on a secure computer, which is located under lock and key. Use this computer for only one purpose: to manage and
sign certificates. Never connect this computer to the Internet, and ever access it over your company network. Carefully protect
any thumb drive that contains any certificate with its private key.
You may use a third-party CA (Certificate Authority), such as VeriSign or Thawte to sign your certificates, or you may serve
as your own CA.
NOTE: If you use a Supervisor or an engineering PC to access a controller remotely for the purpose of generating a server certificate
and CSR, the private key remains on the remote station. Ensure you do not export the private key.
The preferred best practice is to set up certificates before distributing each controller to its remote location. If controllers
are already in the field, travel to the remote location, take the controller off the Internet and corporate LAN, then connect
your engineering PC directly to the controller using a cross-over cable.