TLS Certificates: Difference between revisions

The information in this page is updated in accordance with 00.07.17.2 firmware version.

Summary

Some services (such as OpenVPN, MQTT, etc.) on Teltonika Networks devices can be secured using TLS for encryption and authentication. This page discusses where one can obtain TLS certificates and key for this purpose.

Certificate Generation

If using a third-party service that requires TLS, all necessary files should be supplied by that service provider. However, if setting up your own solution, the following TLS certificate generation methods may be useful.

Teltonika Networks device

The easiest way to generate certificates and keys is by using the Certificate Generation page that is available in the device's WebUI:

• System → Administration → Certificates

Generation of Certificate Authority (CA) Certificate & Key

The first step is to generate a Certificate Authority (CA) certificate, which will be used to sign both server and client certificates.

1. Click on the Certificate actions button.
2. Select the Create option

3. Choose the file type as CA.
4. On Teltonika routers, users can select from four Key Size options, ranging from 512 bits to 4096 bits.
5. Enter the Common Name. This usually represents the fully qualified domain name (FQDN) of the server (e.g., example.com), but it can be any name of your choice.

6. By enabling Subject Information, you can provide details about the entity to which the certificate is issued (Optional):

A. Country Code (CC): The two-letter country code (e.g., LT for Lithuania).

B. State or Province Name (ST): The name of the state or province (e.g., California).

C. Locality Name (L): The city or locality (e.g., San Francisco).

D. Organization Name (O): The name of the organization or company (e.g., Teltonika).

E. Organizational Unit Name (OU): The name of the department or unit within the organization (e.g., IT Department).

These fields help to clearly identify the organization or individual associated with the certificate.

7. Select the "On" option next to "Sign the Certificate." If not enabled, the Root CA will not sign or generate the new CA certificate.
8. Enter the period of how long CA certificate will be valid
9. "Delete Signing Request" can be enabled, as it is not required after generation.
10. Click the button

Generation of Server Certificate & Key

A server certificate, signed by a trusted Certificate Authority (CA), is used to authenticate the server and facilitate secure, encrypted communications with clients. Generating a server certificate follows similar steps to those for creating a CA certificate.

1. Click on the Certificate actions button.
2. Select the Create option

3. Select Server file type.
4. Select Key Size
5. Enter Common Name of the Server
6. Subject Information of the server(Optional)
7. Select the "On" option next to "Sign the Certificate".
8. Define how long the certificate will be valid.
9. The system should automatically detect the CA certificate and key files from "Certificates Manager" tab.
10. "Delete Signing Request" (Optional)
11. Click the button

Generation of Client Certificate & Key

A client certificate, signed by a trusted Certificate Authority (CA), is used to authenticate the client and facilitate secure, encrypted communications with other clients and servers. Generating a client certificate follows similar steps to those for creating a CA certificate.

1. Click on the Certificate actions button.
2. Select the Create option

3. Select Client file type.
4. Select Key Size
5. Enter Common Name of the Client
6. Subject Information of the Client(Optional)
7. Select the "On" option next to "Sign the Certificate".
8. Define how long the certificate will be valid.
9. The system should automatically detect the CA certificate and key files from the "Certificates Manager" tab.
10. "Delete Signing Request" (Optional)
11. "Private Key Decryption password" (Optional)
12. Click the button

Generation of DH Parameters

The DH parameters refers to the parameters used in the Diffie-Hellman key exchange. This cryptographic protocol allows two parties to generate a shared secret over an untrusted communication channel securely. In practical use, such as with VPNs, TLS/SSL, or routers, DH parameters are used to securely generate session keys for encrypting data. Generating a DH Parameters follows similar steps:

The first step is to generate a Certificate Authority (CA) certificate, which will be used to sign both server and client certificates.

1. Click on the Certificate actions button.
2. Select the Create option

3. Select DH Parameters file type.
4. Select Key Size
5. Enter Common Name
6. Click the button

Generation of "Let's Encrypt" Certificate & Key

Let's Encrypt provides free SSL/TLS certificates that are widely used for securing web services, VPNs, and other network communications. In practical use, such as with websites, routers, or VPNs, the Let's Encrypt certificate and key enable HTTPS connections or secure tunnels. Generating a Let's Encrypt certificate and key follows similar steps:

1. Click on the Certificate actions button.
2. Select the Create option

3. Select the "Let's Encrypt" file type.
4. Enter the Domain name that is linked to the device's e public IP address.
5. Enable Automatic renewal if you'd like the certificates to be automatically renewed every 60 days (Optional).
6. Click the button

Generation of SCEP Certificate & Key

SCEP (Simple Certificate Enrollment Protocol) automates the process of obtaining digital certificates from a certificate authority (CA). The client submits a certificate request to the SCEP server, which acts as an intermediary between the client and the CA. This protocol facilitates secure authentication and encryption, simplifying certificate management and renewal, especially in large-scale deployments.

1. Click on the Certificate actions button.
2. Select the Create option

3. Select SCEP as the File type
4. Select Key Size
5. Enter the Common name
6. Enter URL address of the SCEP server
7. Enter the Challenge passkey (the unique value generated by the server for each session)
8. Click the button

Windows & Linux systems

You can also use third party software to generate the certificates on your computer. Guides are available for:

• Windows
• Linux

Signing Certificates

If the "Sign the certificate" option is not enabled while creating the certificate, the router generates only the private key and the certificate signing request. This request is not a valid certificate until it is signed later, either by the router using its own certificate authority or by an external source. The router can also import certificate requests from external devices and sign them before they are used for secure communication.

To sign certificates:

1. Click on the Certificate actions button.
2. Select the Sign option

3. Enter the name for the new certificate.
4. Select the type of the certificate that you want to sign.
5. Select the uploaded or on-router generated Certificate request file.
6. Define the timeframe for how long this certificate will be valid.
7. Select the CA file that will sign the new certificate.
8. Select the CA key corresponding to the selected CA file.
9. Enable the Delete signing request option if the request is no longer needed after signing the certificate.
10. Enter all Hostnames, Domains, and Subdomains you want to secure with this certificate. Each will be included as a Subject Alternative Name (SAN) in your certificate (Optional).
11. Enter all IP addresses you want to secure with this certificate. Each will be included as a Subject Alternative Name (SAN) in your certificate (Optional).
12. Click the button

Importing Certificates

The router creates a private key and a certificate signing request which is not a valid certificate until signed by a certificate authority. The router has a built-in feature that allows it to sign these requests using its own certificate authority. This way the certificate becomes valid and can be used for secure communication.

To import certificates & keys:

1. Click on the Certificate actions button.
2. Select the Import option

3. Click Browse to upload a certificate or key.

Configuring Root CA

The router initially has a built-in Root CA, which acts as the top-level trusted certificate authority. This Root CA is used to sign intermediate CA certificates, which then sign other certificates utilized by the router or connected devices. This hierarchical structure creates a chain of trust, enabling the router to securely verify certificates within the system. Uploading or configuring your own Root CA on the router allows customization of this trust anchor, providing flexibility for integrating with private or custom certificate infrastructures.

1. Click on the Certificate actions button.
2. Select the Configure Root CA option

3. Enable Root CA file from the device option, if Root CA file has already been imported.
4. Click Browse to upload and apply a new certificate.

Moving keys to TPM2

Some of our routers and gateways include a feature that allows cryptographic keys to be stored securely in the Trusted Platform Module 2.0 (TPM 2.0). This ensures the keys remain protected within the TPM hardware, preventing any direct extraction or access. All cryptographic operations using these keys take place inside the TPM, binding them to the device and offering stronger protection against theft, tampering, or unauthorized use. This greatly enhances the overall security of the router or gateway.

List of the devices that supports this feature: https://teltonika-networks.com/products?page=2&features=2038

Note: This functionality is available only on specific RUTX model variants that include eSIM hardware. Other models support this feature regardless of eSIM presence. For exact details, please refer to the Ordering section of the selected RUTX series product page to confirm the supported hardware versions.

To move Key to TPM 2:

1. Click on the Certificate actions button.
2. Select the Move key to TPM2 option

3. Select the key that you want to move to TPM2
4. Click on Move selected button.