TLS Certificates: Difference between revisions

From Teltonika Networks Wiki
(Created page with "Services like HTTPS, OpenVPN, MQTT sometimes use TLS certificates for authentication. If you're setting up a custom system, you can generate TLS certificates by yourself with...")
 
 
(7 intermediate revisions by 4 users not shown)
Line 1: Line 1:
Services like HTTPS, OpenVPN, MQTT sometimes use TLS certificates for authentication. If you're setting up a custom system, you can generate TLS certificates by yourself with the RUTxxx router or a Linux OS system. Detailed instruction on how to do that are provided in our '''[[How to generate TLS certificates (Windows)?|How to generate TLS certificates?]]''' guide.
<p style="color:red">The information in this page is updated in accordance with '''00.07.10.2''' firmware version.</p>
==Summary==


However, if you're using third party services, for example, a public OpenVPN server, all necessary TLS certificates are usually provided by that party.
Some services (such as OpenVPN, MQTT, etc.) on Teltonika Networks devices can be secured using <b>TLS</b> for encryption and authentication. This page discusses where one can obtain TLS certificates and key for this purpose.
 
==Certificate Generation==
 
If you are using a third party service that requires TLS, all necessary files should be provided by the provider of that service. However, if you are setting up your own solution you may find use in of the <b>TLS certificate generation methods</b> described below.
 
===Teltonika Networks device===
----
The easiest way to generate certificates and keys is by using the <b>Certificate Generation</b> page that is available in the device's WebUI:
 
<ul>
    <li>System → Administration → [[RUTX11_Administration#Certificates|Certificates]]</li>
</ul>
 
====Generation of Certificate Authority (CA) Certificate & Key====
----
The first step is to generate a Certificate Authority (CA) certificate, which will be used to sign both server and client certificates.
#Choose the file type as '''CA'''.
#On Teltonika routers, users can select from four '''Key Size''' options, ranging from '''512 bits to 4096 bits.'''
#Enter the '''Common Name'''. This usually represents the fully qualified domain name (FQDN) of the server (e.g., example.com), but it can be any name of your choice.
[[File:Tls certificates ca.png|border|class=tlt-border]]
#<li value="4">By enabling '''Subject Information''', you can provide details about the entity to which the certificate is issued (Optional):
::A. '''Country Code (CC)''': The two-letter country code (e.g., LT for Lithuania).
::B. '''State or Province Name (ST)''': The name of the state or province (e.g., California).
::C. '''Locality Name (L)''': The city or locality (e.g., San Francisco).
::D. '''Organization Name (O)''': The name of the organization or company (e.g., Teltonika).
::E. '''Organizational Unit Name (OU)''': The name of the department or unit within the organization (e.g., IT Department).
#
::''These fields help to clearly identify the organization or individual associated with the certificate.''
[[File:Tls certificates ca gen sub info.png|border|class=tlt-border]]
 
#<li value="5"> Select the "'''On'''" option next to "'''Sign the Certificate'''." If not enabled, the Root CA will not sign or generate the new CA.
#Enter the period of how long CA certificate will be valid
#"'''Delete Signing Request'''" can be enabled, as it is not required after generation.
#Click [[File:Tls certificates generate button.png|62px]] button
#
[[File:Tls certificates ca p3.png|border|class=tlt-border]]
#
 
====Generation of Server Certificate & Key====
----
A server certificate, signed by a trusted Certificate Authority (CA), is used to authenticate the server and facilitate secure, encrypted communications with clients. Generating a server certificate follows similar steps to those for creating a CA certificate.
 
#Select '''Server''' file type.
#Select '''Key Size'''
#Enter '''Common Name''' of the '''Server'''
#'''Subject Information''' of the server(Optional)
#Select the "'''On'''" option next to "'''Sign the Certificate'''".
#Define how long the certificate will be '''valid'''.
#The system should automatically detect the CA certificate and key files from "Certificates Manager" tab.
#"'''Delete Signing Request'''" (Optional)
#Click [[File:Tls certificates generate button.png|62px]] button
[[File:Tls certificates server.png|border|class=tlt-border]]
 
====Generation of Client Certificate & Key====
----
A client certificate, signed by a trusted Certificate Authority (CA), is used to authenticate the client and facilitate secure, encrypted communications with other clients and servers. Generating a client certificate follows similar steps to those for creating a CA certificate.
 
#Select '''Client''' file type.
#Select '''Key Size'''
#Enter '''Common Name''' of the Client
#'''Subject Information''' of the Client(Optional)
#Select the "'''On'''" option next to "'''Sign the Certificate'''".
#Define how long the certificate will be '''valid'''.
#The system should automatically detect the CA certificate and key files from the "Certificates Manager" tab.
#"'''Delete Signing Request'''" (Optional)
#"'''Private Key Decryption password'''" (Optional)
#Click [[File:Tls certificates generate button.png|62px]] button
[[File:Tls certificates client.png|border|class=tlt-border]]
 
====Generation of DH Parameters====
----
The '''DH parameters''' refers to the parameters used in the Diffie-Hellman key exchange. This cryptographic protocol allows two parties to generate a shared secret over an untrusted communication channel securely. In practical use, such as with VPNs, TLS/SSL, or routers, DH parameters are used to securely generate session keys for encrypting data. Generating a DH Parameters follows similar steps:
 
#Select '''DH Parameters''' file type.
#Select '''Key Size'''
#Enter '''Common Name'''
#Click [[File:Tls certificates generate button.png|62px]] button
[[File:Tls certificates dh.png|border|class=tlt-border]]
 
====Generation of "Let's Encrypt" Certificate & Key====
----
Let's Encrypt provides free SSL/TLS certificates that are widely used for securing web services, VPNs, and other network communications. In practical use, such as with websites, routers, or VPNs, the Let's Encrypt certificate and key enable HTTPS connections or secure tunnels. Generating a Let's Encrypt certificate and key follows similar steps:
 
#Select the "'''Let's Encrypt'''" file type.
#Enter the '''Domain''' name of the remote server associated with the public IP.
#Enable '''Automatic renewal''' if you'd like the certificates to be automatically renewed every 60 days (Optional).
#Click [[File:Tls certificates generate button.png|62px]] button
[[File:Tls certificates lets encrypt.png|border|class=tlt-border]]
 
====Generation of SCEP Certificate & Key====
SCEP (Simple Certificate Enrollment Protocol) automates the process of obtaining digital certificates from a certificate authority (CA). The client submits a certificate request to the SCEP server, which acts as an intermediary between the client and the CA. This protocol facilitates secure authentication and encryption, simplifying certificate management and renewal, especially in large-scale deployments.
 
#Select '''SCEP''' as the '''File type'''
#Select '''Key Size'''
#Enter the '''Common name'''
#Enter URL address of the SCEP server
#Enter the '''Challenge''' passkey (the unique value generated by the server for each session)
#Click '''Enroll''' to initiate certificate request
[[File:Tls certificates scep gen.png|border|class=tlt-border]]
 
===Windows & Linux systems===
----
You can also use third party software to generate the certificates on your computer. Guides are available for:
 
<ul>
    <li>[[How to generate TLS certificates (Windows)?|Windows]]</li>
    <li>[[How to generate TLS certificates (Ubuntu 18)?|Linux]]</li>
</ul>


[[Category:Security]]
[[Category:Security]]
==Certificates Manager==
All generated certificates and private keys can be found in the '''Certificates Manager''' tab. Here, users can import certificates and keys generated by third-party programs or export those generated on the router in the [[RUTX11_Administration#Certificates|Certificates]] tab. This section also provides information on expiration dates and key sizes.
[[File:Tls certificates certificates manager tab.png|border|class=tlt-border]]

Latest revision as of 12:52, 5 November 2024

Main Page > FAQ > Security > TLS Certificates

The information in this page is updated in accordance with 00.07.10.2 firmware version.

Summary

Some services (such as OpenVPN, MQTT, etc.) on Teltonika Networks devices can be secured using TLS for encryption and authentication. This page discusses where one can obtain TLS certificates and key for this purpose.

Certificate Generation

If you are using a third party service that requires TLS, all necessary files should be provided by the provider of that service. However, if you are setting up your own solution you may find use in of the TLS certificate generation methods described below.

Teltonika Networks device


The easiest way to generate certificates and keys is by using the Certificate Generation page that is available in the device's WebUI:

Generation of Certificate Authority (CA) Certificate & Key


The first step is to generate a Certificate Authority (CA) certificate, which will be used to sign both server and client certificates.

  1. Choose the file type as CA.
  2. On Teltonika routers, users can select from four Key Size options, ranging from 512 bits to 4096 bits.
  3. Enter the Common Name. This usually represents the fully qualified domain name (FQDN) of the server (e.g., example.com), but it can be any name of your choice.

  1. By enabling Subject Information, you can provide details about the entity to which the certificate is issued (Optional):
A. Country Code (CC): The two-letter country code (e.g., LT for Lithuania).
B. State or Province Name (ST): The name of the state or province (e.g., California).
C. Locality Name (L): The city or locality (e.g., San Francisco).
D. Organization Name (O): The name of the organization or company (e.g., Teltonika).
E. Organizational Unit Name (OU): The name of the department or unit within the organization (e.g., IT Department).
These fields help to clearly identify the organization or individual associated with the certificate.

  1. Select the "On" option next to "Sign the Certificate." If not enabled, the Root CA will not sign or generate the new CA.
  2. Enter the period of how long CA certificate will be valid
  3. "Delete Signing Request" can be enabled, as it is not required after generation.
  4. Click button

Generation of Server Certificate & Key


A server certificate, signed by a trusted Certificate Authority (CA), is used to authenticate the server and facilitate secure, encrypted communications with clients. Generating a server certificate follows similar steps to those for creating a CA certificate.

  1. Select Server file type.
  2. Select Key Size
  3. Enter Common Name of the Server
  4. Subject Information of the server(Optional)
  5. Select the "On" option next to "Sign the Certificate".
  6. Define how long the certificate will be valid.
  7. The system should automatically detect the CA certificate and key files from "Certificates Manager" tab.
  8. "Delete Signing Request" (Optional)
  9. Click button

Generation of Client Certificate & Key


A client certificate, signed by a trusted Certificate Authority (CA), is used to authenticate the client and facilitate secure, encrypted communications with other clients and servers. Generating a client certificate follows similar steps to those for creating a CA certificate.

  1. Select Client file type.
  2. Select Key Size
  3. Enter Common Name of the Client
  4. Subject Information of the Client(Optional)
  5. Select the "On" option next to "Sign the Certificate".
  6. Define how long the certificate will be valid.
  7. The system should automatically detect the CA certificate and key files from the "Certificates Manager" tab.
  8. "Delete Signing Request" (Optional)
  9. "Private Key Decryption password" (Optional)
  10. Click button

Generation of DH Parameters


The DH parameters refers to the parameters used in the Diffie-Hellman key exchange. This cryptographic protocol allows two parties to generate a shared secret over an untrusted communication channel securely. In practical use, such as with VPNs, TLS/SSL, or routers, DH parameters are used to securely generate session keys for encrypting data. Generating a DH Parameters follows similar steps:

  1. Select DH Parameters file type.
  2. Select Key Size
  3. Enter Common Name
  4. Click button

Generation of "Let's Encrypt" Certificate & Key


Let's Encrypt provides free SSL/TLS certificates that are widely used for securing web services, VPNs, and other network communications. In practical use, such as with websites, routers, or VPNs, the Let's Encrypt certificate and key enable HTTPS connections or secure tunnels. Generating a Let's Encrypt certificate and key follows similar steps:

  1. Select the "Let's Encrypt" file type.
  2. Enter the Domain name of the remote server associated with the public IP.
  3. Enable Automatic renewal if you'd like the certificates to be automatically renewed every 60 days (Optional).
  4. Click button

Generation of SCEP Certificate & Key

SCEP (Simple Certificate Enrollment Protocol) automates the process of obtaining digital certificates from a certificate authority (CA). The client submits a certificate request to the SCEP server, which acts as an intermediary between the client and the CA. This protocol facilitates secure authentication and encryption, simplifying certificate management and renewal, especially in large-scale deployments.

  1. Select SCEP as the File type
  2. Select Key Size
  3. Enter the Common name
  4. Enter URL address of the SCEP server
  5. Enter the Challenge passkey (the unique value generated by the server for each session)
  6. Click Enroll to initiate certificate request

Windows & Linux systems


You can also use third party software to generate the certificates on your computer. Guides are available for:

Certificates Manager

All generated certificates and private keys can be found in the Certificates Manager tab. Here, users can import certificates and keys generated by third-party programs or export those generated on the router in the Certificates tab. This section also provides information on expiration dates and key sizes.