Certificates

Certificates are commonly used to identify the server or device to which we are connecting. A certificate lets us authenticate that device and confirm that it really is the intended one. A certificate binds a public key to either a domain name or an IP address. If the certificate was issued for a different IP address or domain name than the destination actually has, a modern web browser will usually warn us that the web page may be forged.

Usually the certificate is issued by a trusted issuer, a Certification Authority (CA). Many CAs can be found on the web, and most of them offer trusted certificates issued for a domain name. Many of these CAs will already be listed among the trusted root CAs in your browser configuration. It is possible to create your own CA; however, the certificate of such a CA must then be imported into the web browser.

Nowadays digital certificates for web applications follow the ITU X.509 standard.

An important fact about certificates is that they are issued for a limited time (for security reasons). After this time the validity of the certificate must be renewed (often a year for server and client applications, with a reserve of a few days). After a certificate expires, web browsers will report that the certificate is invalid, because authentication of the server will not pass.

Options of 2N® IP Intercom

The 2N® IP Intercom device supports uploading user certificates into its memory for different purposes. Uploaded certificates can be assigned to the web interface to authenticate the 2N® IP Intercom device on the network through the web interface.

The procedure for creating a CA certificate using OpenSSL

The certificate of a certification authority and a server certificate with all keys can be created with a few commands using the OpenSSL program. If the certificate was created by a trustworthy web certification authority, this section can be skipped. This how-to is kept straightforward for simplicity; for a more complex, elegant and secure Certification Authority setup, the manual at the following link can be used: https://jamielinux.com/docs/openssl-certificate-authority/introduction.html

In the first step the CA is created. The following command will create the certificate ca.pem, which will be self-signed (x509 parameter), and the key file specified in the OpenSSL configuration file.

While the command runs you will be prompted to create and verify a password. This password protects your private key, so that the key file cannot be used to issue and sign unauthorized certificates with your private key.

After the password creation and verification you will be prompted to fill in important data about your CA:

This process should create two files: ca.pem, containing the certificate of our CA, and privkey.pem, which contains the private key of our CA. This key is needed to sign and issue new certificates. Whoever is in possession of your private key can create new certificates signed by this CA.

In the next step an RSA private key for the new certificate is created. The following command uses the openssl genrsa application and creates the file HELIOS-KEY.pem containing a new key with a length of 2048 bits. The name of the file is not important and can be changed accordingly.

The output of the command should look similar to the following:

The program should create a new key file named HELIOS-KEY.pem.

In the next step we create a new certificate request. The request is created by the command openssl req; in this case it uses HELIOS-KEY.pem and the request is signed with the SHA-256 method. The output file will be named HELIOS.req; again, the name of the certificate request file can be changed.

The output of the openssl req command should be similar to the dialog for the creation of the CA. These data specify the certificate and the owner of the certificate. A very important item is Common Name, which must contain the IP address or domain name under which the 2N® IP Intercom device can be accessed. The output should look similar to the following:

Now a file named HELIOS.req should have been created.

Note

Common Name is a very important item; without this parameter set correctly, authentication will not work correctly and the web browser will inform you that this web page is untrustworthy.

In the final step a new certificate must be created from the previously made request; this certificate will be added to the 2N® IP Intercom. This can be done with the command openssl x509, specifying the request HELIOS.req, the CA ca.pem with its private key privkey.pem, and the password PASSWORD for this CA (created together with ca.pem in the first step). Moreover, the expiration time will be set to 365 days and the certificate will be named HELIOS-CERT.pem. The name of the certificate file can be changed.

The output of this command should look similar to the following:

Note that CN=10.27.20.10 should be the Common Name you set when issuing the certificate request. Now you can insert HELIOS-KEY.pem and HELIOS-CERT.pem into your 2N® IP Intercom device.
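The four steps above as one script, added here as an example and not taken from the 2N documentation: the function names, the `CA_PASS` environment variable holding the CA passphrase, the CA name "Example Lab CA" and the generated config files are assumptions. Beyond the steps described, it adds a subjectAltName entry, because current browsers match the address against that extension rather than Common Name, and a function that checks the result.

```shell
#!/bin/sh
# Added example (not vendor code): private CA plus device certificate with OpenSSL.
# Assumptions: CA_PASS holds the CA key passphrase; "Example Lab CA" is a placeholder name.

make_device_cert() (   # usage: make_device_cert <workdir> <ip-or-hostname>
    dir=${1:?workdir required}; host=${2:?device address required}
    : "${CA_PASS:?set CA_PASS to the CA key passphrase}"
    export CA_PASS                      # read by openssl via env:, keeps it off the command line
    umask 077                           # key files readable by the owner only
    mkdir -p "$dir" && cd "$dir" || exit 1
    # IPv4 literal -> IP: SAN entry, anything else -> DNS: (IPv6 is not handled here)
    case $host in *[!0-9.]*) san="DNS:$host" ;; *) san="IP:$host" ;; esac
    # Own minimal config, so the result does not depend on the system openssl.cnf
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
        'prompt = no' '[dn]' 'CN = Example Lab CA' '[v3_ca]' \
        'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' > ca.cnf
    printf '%s\n' "subjectAltName = $san" 'basicConstraints = CA:FALSE' \
        'extendedKeyUsage = serverAuth' > leaf.ext
    # 1. Self-signed CA certificate ca.pem, passphrase-protected CA key privkey.pem
    openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -config ca.cnf \
        -keyout privkey.pem -passout env:CA_PASS -out ca.pem &&
    # 2. 2048-bit RSA key for the device
    openssl genrsa -out HELIOS-KEY.pem 2048 &&
    # 3. Request signed with SHA-256; Common Name is the address used to reach the device
    openssl req -new -key HELIOS-KEY.pem -sha256 -config ca.cnf \
        -subj "/CN=$host" -out HELIOS.req &&
    # 4. CA signs the request for 365 days and adds the SAN extension
    openssl x509 -req -in HELIOS.req -CA ca.pem -CAkey privkey.pem \
        -passin env:CA_PASS -CAcreateserial -days 365 -sha256 \
        -extfile leaf.ext -out HELIOS-CERT.pem
)

check_device_cert() (  # usage: check_device_cert <workdir> <ip-or-hostname>; prints a verdict
    cd "${1:?workdir required}" || exit 1
    case $2 in *[!0-9.]*) opt=-verify_hostname ;; *) opt=-verify_ip ;; esac
    # Chain must lead to ca.pem and the address must match the certificate
    openssl verify -CAfile ca.pem "$opt" "$2" HELIOS-CERT.pem >/dev/null 2>&1 ||
        { echo chain-or-name-mismatch; exit 1; }
    # Certificate and key file must carry the same public key
    [ "$(openssl x509 -in HELIOS-CERT.pem -noout -pubkey)" = \
      "$(openssl pkey -in HELIOS-KEY.pem -pubout)" ] || { echo key-mismatch; exit 1; }
    echo ok
)
```

Of the files produced, ca.pem is the one imported into the browser, and HELIOS-KEY.pem and HELIOS-CERT.pem are the ones uploaded to the device; privkey.pem stays on the machine that runs the CA.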

Loading certificate into browser

This step is needed for certificates created by your own CA; for a trustworthy CA from the web you can skip this section.

Mozilla Firefox

In Mozilla Firefox, go to Options > Advanced > Certificates and import the certificate authority with the Import button (in this case the file ca.pem created by the above procedure).

Google Chrome

In Google Chrome, go to Settings > Advanced Settings > HTTPS / SSL > Manage Certificates > Trusted Root Certification Authorities tab; here it is possible to import the certificate authority with the Import button (in this case the file ca.pem created by the above procedure).

Internet Explorer

In Internet Explorer, go through the "gear" menu > Internet Options > Content tab > Certificates; here it is possible to import the certificate authority (in this case the file ca.pem created using the procedure above). The .pem file type is not listed among the displayed file types, therefore it is necessary to select Show All Files.

Loading certificate into 2N® IP Intercom

A certificate, whether created by your own Certification Authority (CA) or by a trustworthy web CA, can be uploaded through System / Certificates in the User Certificates section with the appropriate button, as highlighted in the next picture.

In the popup window, upload the file with the server certificate, the private key, and the password protecting the private key, as highlighted in the following picture.

Note

It is possible that some web Certification Authorities will give you just one file containing both the certificate and the private key. This file must then be uploaded in both the User Certificate and Private Key boxes.

In the next step this certificate must be assigned to the web interface. The assignment can be done in Services / Web Server, in the Advanced Settings section, in the HTTPS User Certificate item. In the following picture certificate [1] is assigned because the certificate was uploaded into the first position.

In the final step the 2N® IP Intercom must be restarted. After the restart, the new certificate and key will be used for HTTPS communication. The restart can be done in the System / Maintenance section with the Restart Device button.