SSL Certificates

The KX III uses the Secure Socket Layer (SSL) protocol for any encrypted network traffic between itself and a connected client.

When establishing a connection, the KX III has to identify itself to a client using a cryptographic certificate.

It is possible to generate a Certificate Signing Request (CSR) and install a certificate signed by the Certificate Authority (CA) on the KX III.

The CA verifies the identity of the originator of the CSR.

The CA then returns a certificate containing its signature to the originator. The certificate, bearing the signature of the well-known CA, is used to vouch for the identity of the presenter of the certificate.

Important: Make sure your KX III date/time is set correctly.

When a self-signed certificate is created, the KX III date and time are used to calculate the validity period. If the KX III date and time are not accurate, the certificate's valid from - to date range may be incorrect, causing certificate validation to fail. See Configuring Date/Time Settings.

Note: The CSR must be generated on the KX III.

Note: When upgrading firmware, the active certificate and CSR are not replaced.

  1. Select Security > Certificate.
  2. Complete the following fields:
    1. Common name - The network name of the KX III once it is installed on your network (usually the fully qualified domain name). The common name is identical to the name used to access the KX III with a web browser, but without the prefix “http://”. In case the name given here and the actual network name differ, the browser displays a security warning when the KX III is accessed using HTTPS.
    2. Organizational unit - This field is used for specifying to which department within an organization the KX III belongs.
    3. Organization - The name of the organization to which the KX III belongs.
    4. Locality/City - The city where the organization is located.
    5. State/Province - The state or province where the organization is located.
    6. Country (ISO code) - The country where the organization is located. This is the two-letter ISO code, e.g. DE for Germany, or US for the U.S.
    7. Challenge Password - Some certification authorities require a challenge password to authorize later changes on the certificate (e.g. revocation of the certificate). Applicable when generating a CSR for CA Certification.
    8. Confirm Challenge Password - Confirmation of the Challenge Password. Applicable when generating a CSR for CA Certification.
    9. Email - The email address of a contact person that is responsible for the KX III and its security.
    10. Key length - The length of the generated key in bits. 2048 is the default.
  3. To generate, do one of the following:

    To generate a self-signed certificate:
    1. Select the Create a Self-Signed Certificate checkbox if you need to generate a self-signed certificate. When you select this option, the KX III generates the certificate based on your entries, and acts as the signing certificate authority. The CSR does not need to be exported and used to generate a signed certificate.
    2. Specify the number of days for the validity range. Ensure the KX III date and time are correct, otherwise an invalid date may be used to create the certificate's valid from and to range.
    3. Click Create.
    4. A confirmation dialog is displayed. Click OK to close it.
    5. Reboot the KX III to activate the self-signed certificate.

    To generate a CSR to send to a CA for certification:
    1. Click Create.
    2. A message containing all of the information you entered appears.
    3. The CSR and the file containing the private key used when generating it can be downloaded by clicking Download CSR.
    4. Send the saved CSR to a CA for certification. You will get the new certificate from the CA.

      Note: The CSR and the private key file are a matched set and should be treated accordingly. If the signed certificate is not matched with the private key used to generate the original CSR, the certificate will not be useful. This applies to uploading and downloading the CSR and private key files.

    5. Once you get the certificate from the CA, upload it to the KX III by clicking Upload.
    6. Reboot the KX III to activate the certificate.

After completing these steps the KX III has its own certificate that is used for identifying the card to its clients.

Important: If you destroy the CSR on the KX III there is no way to get it back! In case you deleted it by mistake, you have to repeat the three steps as described above. To avoid this, use the download function so you will have a copy of the CSR and its private key.
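
The matched-set requirement in the note above can be checked on a workstation before a CA-issued certificate is uploaded. The following script is an added example, not part of the KX III documentation or firmware; it assumes the downloaded CSR, private key, and returned certificate are PEM files and that the openssl command-line tool is available. All file names and the sample common name are constructed.

```shell
#!/bin/sh
# Added example: checks to run on a workstation before uploading a CA-signed certificate.
# Assumes PEM files and the openssl CLI; all file names are illustrative.

# Succeeds only if the certificate carries the same public key as the CSR.
cert_matches_csr() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    csr_pub=$(openssl req -in "$2" -noout -pubkey) || return 2
    [ "$cert_pub" = "$csr_pub" ]
}

# Succeeds only if the certificate carries the public half of the private key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the certificate does not expire within $2 seconds (default 0).
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null
}

# Constructed sample data: two throwaway key/CSR pairs, plus a certificate for
# pair "a". Self-signing stands in for the CA here.
make_samples() {
    for n in a b; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=kx3.example.test" \
            -keyout "$1/$n.key" -out "$1/$n.csr" 2>/dev/null || return 1
    done
    openssl x509 -req -in "$1/a.csr" -signkey "$1/a.key" -days 30 \
        -out "$1/a.crt" 2>/dev/null
}

SAMPLES=$(mktemp -d)
make_samples "$SAMPLES"
if cert_matches_csr "$SAMPLES/a.crt" "$SAMPLES/a.csr" &&
   cert_matches_key "$SAMPLES/a.crt" "$SAMPLES/a.key" &&
   cert_not_expired "$SAMPLES/a.crt"; then
    echo "a.crt matches its CSR and private key and is unexpired"
fi
cert_matches_csr "$SAMPLES/a.crt" "$SAMPLES/b.csr" ||
    echo "a.crt does not match b.csr: do not upload this pairing"
```

A certificate that fails either match check was issued for a different CSR or key pair than the one held on the KX III.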

See Also

Security Management

Security Settings

Configuring IP Access Control

Security Banner