Q: What is SSL? What is TLS?

A: Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are cryptographic protocols that provide server authentication and encryption of data sent over the internet.
Q: What is the difference between SSL and TLS? How long have they been out? Is one better than the other?

A: Both standards have been out for a while, and both offer the same level of security. The two standards do not compete. SSL v. 3 is the currently accepted SSL version. (Version 1 was never released. Version 2 had vulnerabilities and is no longer supported by browsers.) TLS v. 1 is based on SSL v. 3, although the two are not interoperable. TLS v. 1.1 and 1.2 add minor feature enhancements.
Q: What organizations support the SSL and TLS standards?

A: SSL originated with Netscape Corporation in the 1990s. TLS is developed and promoted by the Internet Engineering Task Force (IETF), a voluntary organization that cooperates closely with the World Wide Web Consortium (W3C) and the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC).
Q: Is an SSL v. 3 key 128-bit?

A: The number of bits in the key depends on the ciphers used. SSL and TLS allow you to choose the key size. SSL Toolset supports a maximum key size of 4096 bits.
Q: How does SSL Toolset compare with credit card security?

A: Any technology is only as secure as the guidelines followed when using it. For data transport, SSL Toolset provides the same type of security that the credit card and banking industries use.
Q: Our company has multiple locations. Each location has a network of JACEs, none of which is on the internet. How should we ensure that no unauthorized person can intercept communication at any of our sites?

A: You can create your own corporate Certificate Authority (CA) certificate and use its private key to sign a certificate for each location. Then use each location certificate's private key to sign the certificate for each JACE at that location, and distribute the signed certificate with each JACE or, if the JACEs are already in the field, import the certificate into each JACE's Trust Store. When a JACE comes online, the handshake validates the entire certificate chain of trust.
Q: Our company already has signed certificates. Can they be used on our JACEs?

A: Yes. When you boot each JACE, the auto-generated default certificate (with its public and private keys) can be used to encrypt communication while you import each platform's company-signed certificate into its Key Store and the CA (root) certificate (public key only) into its Trust Store. To provide this minimal security, enable SSL using the default (tridium) certificate. To minimize the risk of a man-in-the-middle attack, make an offline, direct connection to each JACE.
Q: Do we have to use the SSL Toolset tools to generate and sign certificates?

A: No. NiagaraAX certificates and public and private keys conform to established standards, so you can use any software tool to create them. The tools provided by NiagaraAX are designed to be intuitive and easy to use.
Q: Can the same certificate be used for Foxs, Https, Web Service, and Platform (Niagarad) security?

A: Yes, the same certificate for all three is usually adequate. But you may have your own reasons for wanting separate security for each service. For example, if many people use a station and the station connection is compromised, a separate certificate for the Niagarad connection would stop the breach immediately.
Q: Does using multiple keys slow performance?

A: Not much. Communication security slows processing in two ways: 1) when generating a complex key on a JACE, and 2) during the initial handshake that establishes communication. Once communication is established, data are encrypted using a single key, which speeds processing. Actual throughput depends on what you are doing.
Q: Since it takes a long time to generate a key on a JACE, is it acceptable to generate the key on a PC and download it into the JACE?

A: You can generate a key in Workbench on a PC, export it from the PC, and import it into the JACE, but be aware that the transfer may take place over a connection that is not secure.
Q: Is there an upgrade path for SSL security from one version of Workbench to the next?

A: Yes. When you upgrade a Supervisor station, Workbench, or JACE, the wizard automatically copies the security folder forward, provided that you enabled the option to copy settings from your previous Niagara installation. This folder contains the SSL Key and Trust Stores and the Allowed Host exemptions.