AN46: HTTPS in Poseidon2 and Damocles2


Since FW version 2.0.15, Poseidon2 and Damocles2 devices support secure HTTPS communication, both with the user (WEB) and for XML. This Application Note explains how to use HTTPS and manage certificates.

How HTTPS works

HTTPS (Hypertext Transfer Protocol Secure) is a secure (encrypted) version of the HTTP communication protocol that is used to display WWW pages. Regular users encounter it when paying over the Internet, using electronic banking services, or in other situations where privacy is important.

HTTPS is, in essence, the standard HTTP protocol, with the communication and authentication wrapped inside SSL (Secure Sockets Layer) or TLS (Transport Layer Security – newer version of SSL) protocol.
The communication is based on certificates. There are several types of certificates that differ by the encryption method, key length, etc. From the user's point of view, there are client certificates and intermediate certificates.

  • Client certificates are issued by the so-called Certification Authorities (CA), who in turn issue their own intermediate certificates that prove their identity.
  • The intermediate certificate is installed by the user in their web browser. During the communication, it is used to verify the authenticity of the other party's client certificate. If the connection is to be trusted, the intermediate certificate of the Certification Authority that issued the other party's client certificate must be installed on the client side. In addition, the certificate must be installed as trusted.

In other words, trusted Certification Authorities are those that have their certificates installed in the "Trusted Certification Authorities" section. Some certificates of trusted Certification Authorities are already preinstalled in Windows (Thawte, Symantec/VeriSign, GeoTrust, DigiCert and others).

The client certificate consists of a public key and a private key.

First, both parties, that is, the client (user) and the server (website / Poseidon2), exchange their public keys in order to confirm their identity. For that to happen, the client party needs to have installed the root certificate of the Certification Authority that has issued the public key.
From the obtained data, the client party prepares a basis for the encryption key and sends it to the server. The server decrypts the message with its private key and both parties calculate the resulting shared encryption key. As soon as the encryption key is mutually confirmed, the secure connection is established.

Installing certificates to Poseidon2 units

Step 1

Open the WWW configuration interface of the Poseidon unit and switch to the Security tab:

Step 2

Upload the public key (SSLCertificateFile) and the private key (SSLCertificateKeyFile) to the Poseidon2 unit.
After uploading, press Apply Changes.

Step 3

Make sure that the State of the key (SSLCertificateKeyFile) is Valid.


Step 4

Reload the Poseidon2 web interface over HTTPS:

This takes care of HTTPS authentication and secure communication now works.

 

Generating certificates

If you don't have certificates from a Certification Authority, you can generate them yourself.

The best tool to generate self-signed certificates is OpenSSL, an open-source implementation of the SSL and TLS protocols. It is available for download at https://www.openssl.org/.
After download and installation, the program is controlled via the command line – see below.

Public and private keys are generated with this command:

openssl req -new -x509 -days 3650 -nodes -newkey rsa:2048 -keyout C:\cert\server-key.key -out C:\cert\server-cert.crt

The -days parameter determines the certificate validity period. The paths where the files are stored are also given on the command line (-keyout for the private key, -out for the public one).

 

After entering the command, the output looks like this:

C:\OpenSSL-Win32\bin>openssl req -new -x509 -days 3650 -nodes -newkey rsa:2048 -keyout C:\cert\server-key.key -out C:\cert\server-cert.crt
Generating a 2048 bit RSA private key
..........................+++
.......................................+++
writing new private key to 'C:\cert\server-key.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CZ
State or Province Name (full name) [Some-State]:Czech Republic
Locality Name (eg, city) []:Prague
Organization Name (eg, company) [Internet Widgits Pty Ltd]:HW group
Organizational Unit Name (eg, section) []:Support
Common Name (e.g. server FQDN or YOUR name) []:poseidon-test.hwg.cz
Email Address []:support@hwg.cz
C:\OpenSSL-Win32\bin>

 

The program asks for additional information – organization name, address, e-mail, and also a Common Name. This is the most important field: it needs to contain the name of the server for which the certificate is issued, such as www.HW-group.com.

Now we have created a self-signed certificate. If we use it, for example, for a WWW server, the browser will complain that the certificate is not trusted because there is no intermediate certificate of a Certification Authority on the user's PC. However, browsers allow you to view such pages anyway.
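
The checks below can be run on the generated pair before it is uploaded in Step 2; this is an added example, not part of the original application note or of HW group's tooling. It goes slightly beyond the command above by also writing the server name into subjectAltName, which current browsers use for name matching instead of the Common Name. The host name, directories and function names are constructed, and -addext / -ext assume OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: checks to run on a certificate/key pair before uploading it.
# Host name and file locations are constructed sample values.

# gen_cert DIR HOST: non-interactive form of the page's command, with HOST as
# Common Name and also as subjectAltName (-addext assumes OpenSSL 1.1.1+).
gen_cert() {
    openssl req -new -x509 -days 3650 -nodes -newkey rsa:2048 \
        -subj "/C=CZ/O=Example/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$1/server-key.key" -out "$1/server-cert.crt" 2>/dev/null
}

# key_matches_cert CERT KEY: succeeds when KEY is the private key for CERT
# (compares the public key stored in CERT with the one derived from KEY).
key_matches_cert() {
    kc_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    kc_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$kc_cert" ] && [ "$kc_cert" = "$kc_key" ]
}

# san_has_host CERT HOST: succeeds when HOST is listed as a DNS subjectAltName
# (exact comparison; wildcard entries are not expanded).
san_has_host() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -Fxq "DNS:$2"
}

# valid_for_days CERT DAYS: succeeds when CERT is still valid DAYS from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# precheck CERT KEY HOST: run all checks, report each failure, fail if any fails.
precheck() {
    pc_rc=0
    key_matches_cert "$1" "$2" || { echo "FAIL: key does not match certificate"; pc_rc=1; }
    san_has_host "$1" "$3"     || { echo "FAIL: $3 not in subjectAltName"; pc_rc=1; }
    valid_for_days "$1" 30     || { echo "FAIL: expires within 30 days"; pc_rc=1; }
    [ "$pc_rc" -eq 0 ] && echo "OK: $(openssl x509 -in "$1" -noout -fingerprint -sha256)"
    return "$pc_rc"
}

# Demo on a throwaway pair in a temporary directory (constructed host name).
demo_dir=$(mktemp -d)
gen_cert "$demo_dir" poseidon-test.example
precheck "$demo_dir/server-cert.crt" "$demo_dir/server-key.key" poseidon-test.example
rm -rf "$demo_dir"
```

The -nodes option leaves the private key file unencrypted, so the key file should be readable only by the person who uploads it to the unit.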

Displaying a WWW page with a self-signed certificate

The browser prompts:

Click to confirm access to an untrusted page:

How to avoid the warning in the future

To keep the warning about an untrusted certificate from being displayed in the future, it is necessary either to install the intermediate certificate of the Certification Authority on the PC or to add the device's certificate to the PC as a trusted root certification authority. Internet Explorer is used to do that.

First, mark the site as trusted. Open the device web page over HTTPS and confirm opening the page. Then, in the browser's Internet Options menu, go to the Security tab, switch to Trusted Sites, and click Sites to add the website to the list of trusted sites.

Now click the warning about a certificate problem in the address bar, display the certificate and install it:

 

The certificate needs to be stored in a specific folder. In our case, among trusted root certification authorities:

 

After the installation is finished, the key fingerprint is displayed.

In this way, you can easily use HTTPS to communicate with Poseidon2 devices.

 

Keywords

Poseidon2, https, certificate, certification authority

 
