Certificates are commonly used to identify the server or device to which we are trying to connect. A certificate helps us authenticate the device we are connecting to and confirm that it really is the desired device. A certificate binds a public key to either a domain name or an IP address. If a certificate is issued for a different IP address or domain name than the destination really has, a modern web browser will usually inform us that the web page may be forged.
Usually the certificate is issued by a trusted issuer, or Certification Authority (shortened to CA). Many CAs can be found on the web, and most of them offer trusted certificates issued for a domain name. Many of these CAs are included among the trusted root CAs in your browser configuration. It is possible to create your own CA, but the certificate of such a CA then has to be imported into the web browser.
Nowadays, digital certificates for web applications are used according to the ITU X.509 standard.
An important fact about certificates is that they are issued for a limited time (for security reasons). After this time the validity of the certificate has to be renewed (often a year for server and client applications, with a reserve of a few days). After a certificate expires, web browsers will point out that the certificate is invalid, because authentication of the server will not pass.
Options of 2N® IP Intercom
The 2N® IP Intercom device supports uploading user certificates into its memory for different purposes. An uploaded certificate can be assigned to the web interface to authenticate the 2N® IP Intercom device on the network through the web interface.
The procedure for creating a CA certificate using OpenSSL
The certificate of the certification authority and the server certificate, with all keys, can be created with a few commands using the OpenSSL program. If the certificate was created by a trustworthy certification authority from the web, this section can be skipped. This how-to is deliberately simple; for a more complex, elegant and secure Certification Authority setup, the manual at the following link can be used: https://jamielinux.com/docs/openssl-certificate-authority/introduction.html
In the first step the CA is created. The following command will create the certificate ca.pem, which will be self-signed (x509 parameter), and the key file specified in the openssl configuration file.
While the command runs you will be prompted to create and verify a password. This password protects your private key, so that the key file cannot be used to issue unauthorised certificates with your private key.
After the password creation and verification you will be prompted to fill in important data about your CA:
This process should create two files: ca.pem, containing the certificate of our CA, and privkey.pem, containing the private key of our CA. This key is needed to sign and issue new certificates. Whoever is in possession of your private key can create new certificates signed by this CA.
In the next step the RSA private key for the new certificate is created. The following command uses the openssl genrsa application and creates the file HELIOS-KEY.pem containing a new key with a length of 2048 bits. The name of the file is not important and can be changed accordingly.
The output of the command should look similar to the following:
The program should create a new key file named HELIOS-KEY.pem.
In the next step we will create a new certificate request. The request is created with the command openssl req; in this case it will use HELIOS-KEY.pem and the request will be signed using SHA-256. The output file will be named HELIOS.req; again, the name of the certificate request file can be changed.
The output of the openssl req command should be similar to the dialog for creating the CA. These data specify the certificate and the owner of the certificate. A very important item is the Common Name, which must contain the IP address or domain name under which the 2N® IP Intercom device can be accessed. The output should look similar to the following:
Now a file named HELIOS.req should have been created.
In the final step, a new certificate is created from the previously made request; this certificate will be added to the 2N® IP Intercom. This can be done with the command openssl x509, specifying the request HELIOS.req, the CA certificate ca.pem with its private key privkey.pem, and the password PASSWORD for this CA (created together with ca.pem in the first step). The expiration time is set to 365 days and the certificate is named HELIOS-CERT.pem. The name of the certificate file can be changed.
The output of this command should look similar to the following:
Note that CN=10.27.20.10 should be your Common Name, as set when issuing the certificate request. Now you can insert HELIOS-KEY.pem and HELIOS-CERT.pem into your 2N® IP Intercom device.
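The four OpenSSL steps above, run non-interactively, as an added example (these are not 2N's original commands). It assumes the CA password is supplied in the environment variable CA_PASS rather than on the command line, uses placeholder subject names and a 3650-day CA lifetime, and additionally writes the address into subjectAltName, which current browsers check instead of the Common Name.

```sh
#!/bin/sh
# Added example, not 2N's own commands. Assumed: the CA_PASS variable, the
# subject strings, the 3650-day CA lifetime and the san.ext file name.
set -eu

issue_intercom_cert() {   # $1 = output directory, $2 = IP address of the intercom
    ( mkdir -p "$1" && cd "$1" && umask 077 &&
      # Step 1: self-signed CA certificate ca.pem, encrypted CA key privkey.pem.
      openssl req -new -x509 -sha256 -days 3650 -newkey rsa:2048 \
          -keyout privkey.pem -passout env:CA_PASS \
          -subj "/O=Example Lab/CN=Example Lab CA" -out ca.pem &&
      # Step 2: 2048-bit RSA key for the intercom.
      openssl genrsa -out HELIOS-KEY.pem 2048 &&
      # Step 3: certificate request; Common Name is the address of the device.
      openssl req -new -sha256 -key HELIOS-KEY.pem \
          -subj "/O=Example Lab/CN=$2" -out HELIOS.req &&
      # Current browsers match the address against subjectAltName, not the CN.
      printf 'subjectAltName=IP:%s\n' "$2" > san.ext &&
      # Step 4: sign the request with the CA key, valid for 365 days.
      openssl x509 -req -in HELIOS.req -CA ca.pem -CAkey privkey.pem \
          -passin env:CA_PASS -CAcreateserial -sha256 -days 365 \
          -extfile san.ext -out HELIOS-CERT.pem )
}

cert_chains_to_ca() {     # does HELIOS-CERT.pem verify against ca.pem?
    openssl verify -CAfile "$1/ca.pem" "$1/HELIOS-CERT.pem" >/dev/null 2>&1
}

key_matches_cert() {      # same public key in HELIOS-KEY.pem and HELIOS-CERT.pem?
    [ "$(openssl pkey -in "$1/HELIOS-KEY.pem" -pubout)" = \
      "$(openssl x509 -in "$1/HELIOS-CERT.pem" -noout -pubkey)" ]
}

cert_names_ip() {         # is the address present as an IP subjectAltName?
    openssl x509 -in "$1/HELIOS-CERT.pem" -noout -text | grep -qF "IP Address:$2"
}

# Demo in a scratch directory with a constructed passphrase and the page's sample IP.
export CA_PASS="${CA_PASS:-constructed-demo-passphrase}"
out=$(mktemp -d)
issue_intercom_cert "$out" 10.27.20.10
cert_chains_to_ca "$out" && key_matches_cert "$out" &&
    cert_names_ip "$out" 10.27.20.10 && echo "CA, key and certificate agree: $out"
```

Only HELIOS-KEY.pem and HELIOS-CERT.pem are uploaded to the intercom; privkey.pem stays on the machine acting as the CA.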
Loading certificate into browser
This step is needed for certificates created by your own CA; if you use a trustworthy CA from the web, you can skip this section.
In Mozilla Firefox, go to Options > Advanced > Certificates and import the certificate authority with the import button (in this case the file ca.pem created by the procedure above).
In Google Chrome, go to Settings > Advanced Settings > HTTPS / SSL > Manage Certificates > tab Trusted Root Certification Authorities, where the certificate authority can be imported with the import button (in this case the file ca.pem created by the procedure above).
In Internet Explorer, go through the "gear" menu > Internet Options > Content tab > Certificates, where the certificate authority can be imported (in this case the file ca.pem created by the procedure above). A .pem file is not listed among the displayed file types, so it is necessary to select Show All Files.
Loading certificate into 2N® IP Intercom
A certificate created either by your own Certification Authority (CA) or by a trustworthy web CA can be uploaded through System / Certificates, in the User Certificates section, with the appropriate button, as highlighted in the next picture.
In the popup window, upload the file with the server certificate, the file with the private key, and the password protecting the private key, as highlighted in the following picture.
In the next step this certificate has to be assigned to the web interface. The assignment can be done in Services / Web Server, in the Advanced Settings section, in the HTTPS User Certificate item. In the following picture certificate  is assigned, because the certificate was uploaded into the first position.
In the final step the 2N® IP Intercom has to be restarted. After the 2N® IP Intercom device starts again, the new certificate and key will be used for HTTPS communication. The restart can be done in the System / Maintenance section with the Restart Device button.