31,703
edits
No edit summary |
No edit summary |
||
Line 433: | Line 433: | ||
| | | | ||
}} | }} | ||
==Certificates== | |||
The <b>Certificates</b> page is used for convenient TLS certificate and key generation and management. Generated files can be exported and used on other machines or locally on this device with functions that use TLS/SSL, such as [[{{{name}}} MQTT|MQTT]], [[{{{name}}} VPN#OpenVPN|OpenVPN]], [[{{{name}}} VPN#IPsec|IPsec]] and others. | |||
===Certificate Generation=== | |||
---- | |||
The <b>Certificate Generation</b> tab provides the possibility to generate TLS certificates required for secure authentication and communication encryption used by some of the devices services. | |||
There are five distinct generation methods (denoted by the selected 'File Type'). | |||
<ol> | |||
<li><b>Simple</b> - generates and signs a set of 2048 bit certificate and key files that include: | |||
<ul> | |||
<li>Certificate Authority (CA)</li> | |||
<li>Server certificate & key</li> | |||
<li>Client certificate & key</li> | |||
<li>DH Parameters</li> | |||
</ul>The CA file generated with this option automatically signs the certificates. In short, this option is used for convenience as it doesn't let the user set any additional parameters for the certificate files. Therefore, it should be used only when no other specific requirements are expected. | |||
</li> | |||
<li><b>CA</b> - generates a Certificate Authority (CA) file. A CA is a type of certificate file that certifies the ownership of a public key by the named subject of the certificate. In other words, it assures clients that they are connecting to a trusted server and vice versa.</li> | |||
<li><b>Server</b> - generates a server certificate and key. A server certificate validates a server's identity to connecting clients, while a key is responsible for encryption.</li> | |||
<li><b>Client</b> - generates a client certificate and key. A client certificate validates a client's identity to the server that it's connecting to, while a key is responsible for encryption.</li> | |||
<li><b>DH Parameters</b> - generates a Diffie-Hellman (DH) parameters file. DH parameters are used in symmetric encryption to protect and define how OpenSSL key exchange is performed.</li> | |||
</ol> | |||
====Generation Parameters==== | |||
---- | |||
Generating each type of file (excluding 'Simple') requires setting some parameters. This section provides an overview for parameters used in TLS certificate generation. | |||
---- | |||
<b>Core parameters</b> or simply parameters that apply to each file type are the size and common name of the generated file(s). | |||
[[File:Networking_rutos_manual_administartion_certificates_certificates_generation_core_parameters_v1.png|border|class=tlt-border]] | |||
<table class="nd-mantable"> | |||
<tr> | |||
<th>Field</th> | |||
<th>Value</th> | |||
<th>Description</th> | |||
</tr> | |||
<tr> | |||
<td>Key Size</td> | |||
<td>integer; default: <b>2048</b></td> | |||
<td>Generated key size in bits. Larger keys provide more security but take longer to generate. A 2048 bit is the preferred option.</td> | |||
</tr> | |||
<tr> | |||
<td>Name (CN)</td> | |||
<td>string; default: <b>cert</b></td> | |||
<td>Common Name (CN), aka Fully Qualified Domain Name (FQDN) is a parameter that defines the name of the certificate. It should be chosen with care as it is not only used for easier management. For example, the Common Name should typically hostname of the server. It may also be used to differentiate clients in order to apply client-specific settings.</td> | |||
</tr> | |||
</table> | |||
---- | |||
<b>Subject information</b> is not mandatory but can be used as user-friendly way to identify the ownership of certificate files by including such information as the owner's location and company name. | |||
[[File:Networking_rutos_manual_administartion_certificates_certificates_generation_subject_information_v1.png|border|class=tlt-border]] | |||
---- | |||
The <b>Sign the certificate</b> slider control whether the certificate will be signed automatically or manually after the generation is complete. | |||
[[File:Networking_rutos_manual_administartion_certificates_certificates_generation_sign_the_certificate_v1.png|border|class=tlt-border]] | |||
<table class="nd-mantable"> | |||
<tr> | |||
<th>Field</th> | |||
<th>Value</th> | |||
<th>Description</th> | |||
</tr> | |||
<tr> | |||
<td>Days Valid</td> | |||
<td>integer; default: <b>3650</b></td> | |||
<td>Length of the signature's validity.</td> | |||
</tr> | |||
<tr> | |||
<td>CA File Name</td> | |||
<td>filename; default: <b>none</b></td> | |||
<td>Selects which CA file will be used to sign the generated certificate.</td> | |||
</tr> | |||
<tr> | |||
<td>CA key</td> | |||
<td>filename; default: <b>none</b></td> | |||
<td>Selects which CA key file will be used to sign the generated certificate.</td> | |||
</tr> | |||
<tr> | |||
<td>Delete Signing Request</td> | |||
<td>off | on; default: <b>off</b></td> | |||
<td>Generation creates additional 'signing request' files (which appear under the [[#Certificate_Manager|Certificate Manager]] tab) that are later used to sign the generated certificates. When this option is set to 'on', the device deletes the signing request files after the signing process is complete.</td> | |||
</tr> | |||
</table> | |||
---- | |||
A <b>Private Key Decryption Password</b> is a parameter used to decrypt private keys protected by a password. | |||
[[File:Networking_rutos_manual_administartion_certificates_certificates_generation_private_key_decryption_password_v1.png|border|class=tlt-border]] | |||
===Certificate Signing=== | |||
---- | |||
The <b>Certificate Signing</b> section is used to validate (sign) unsigned certificates. | |||
[[File:Networking_rutos_manual_administartion_certificates_certificates_generation_certificate_signing_v1.png|border|class=tlt-border]] | |||
<table class="nd-mantable"> | |||
<tr> | |||
<th>Field</th> | |||
<th>Value</th> | |||
<th>Description</th> | |||
</tr> | |||
<tr> | |||
<td>Signed Certificate Name</td> | |||
<td>string; default: <b>cert</b></td> | |||
<td>Name of the signed certificate.</td> | |||
</tr> | |||
<tr> | |||
<td>Type of Certificate to Sign</td> | |||
<td>Certificate Authority | Client Certificate | Server Certificate; default: <b>Certificate Authority</b></td> | |||
<td>Specifies what type of file will be signed.</td> | |||
</tr> | |||
<tr> | |||
<td>Certificate Request File</td> | |||
<td>file; default: <b>none</b></td> | |||
<td>Specifies the signing request file linked to the certificate.</td> | |||
</tr> | |||
<tr> | |||
<td>Days Valid</td> | |||
<td>integer; default: <b>3650</b></td> | |||
<td>Length of the signature's validity.</td> | |||
</tr> | |||
<tr> | |||
<td>Certificate Authority File</td> | |||
<td>filename; default: <b>none</b></td> | |||
<td>Selects which CA file will be used to sign the generated certificate.</td> | |||
</tr> | |||
<tr> | |||
<td>Certificate Authority Key</td> | |||
<td>filename; default: <b>none</b></td> | |||
<td>Selects which CA key file will be used to sign the generated certificate.</td> | |||
</tr> | |||
<tr> | |||
<td>Delete Signing Request</td> | |||
<td>off | on; default: <b>off</b></td> | |||
<td>Generation creates additional 'signing request' files (which appear under the [[#Certificate_Manager|Certificate Manager]] tab) that are later used to sign the generated certificates. When this option is set to 'on', the device deletes the signing request files after the signing process is complete.</td> | |||
</tr> | |||
<tr> | |||
<td>Sign</td> | |||
<td>- (interactive button)</td> | |||
<td>Signs the certificate on click.</td> | |||
</tr> | |||
</table> | |||
===Certificate Manager=== | |||
---- | |||
The <b>Certificate Manager</b> page displays information on all certificate and key files stored on the device and provides the possibility export these files for use on another machine or import files generated elsewhere. | |||
====Certificate Import==== | |||
---- | |||
The <b>Certificate Import</b> section provides the possibility to import certificates and files generated on another machine. To upload such a file simply click 'Browse', locate the file on your computer and click 'Import' | |||
[[File:Networking_rutos_manual_administartion_certificates_certificates_manager_certificate_import_v1.png|border|class=tlt-border]] | |||
====Certificates, Keys & Requests==== | |||
---- | |||
The <b>Certificates</b>, <b>Keys</b> and </b>Requests</b> section display files generated on or imported to the device along with the most important information related to them. | |||
By default, the lists are empty. A set certificates generated using 'Simple' file type would look something like this: | |||
[[File:Networking_rutos_manual_administartion_certificates_certificates_manager_certificate_list_v1.png|border|class=tlt-border]] | |||
The 'Export' buttons are used to download the files from the device onto your local machine. The 'X' buttons located to the right of each entry are used to delete related files. | |||
==Root CA== | ==Root CA== |