TLS Certificate

Dominion KX IV–101 uses TLS 1.3 for any encrypted network traffic between itself and a connected client. When establishing a connection, Dominion KX IV–101 has to identify itself to a client using a cryptographic certificate. The Dominion KX IV–101 contains a default certificate that you should replace with your own.

Dominion KX IV–101 can generate a Certificate Signing Request (CSR) or a self-signed certificate using SHA-2.

The CA verifies the identity of the originator of the CSR. The CA then returns a certificate containing its signature to the originator. The certificate, bearing the signature of the well-known CA, is used to vouch for the identity of the presenter of the certificate.

Important: Make sure your Dominion KX IV–101 date/time is set correctly.

When a self-signed certificate is created, the Dominion KX IV–101 date and time are used to calculate the validity period. If the Dominion KX IV–101 date and time are not accurate, the certificate's valid date range may be incorrect, causing certificate validation to fail. See Date and Time.

Note: The CSR must be generated on the Dominion KX IV–101.

Note: When upgrading firmware, the active certificate and CSR are not replaced.

• To view and download the active certificate and key:

1. Click Security > TLS Certificate. The active certificate details display.

   

2. Click Download Key and Download Certificate to get the active certificate files.

• To create and install a new SSL certificate:

1. Click Security > TLS Certificate. Scroll down to the New TLS Certificate section.
2. Complete the Subject fields:
   • Country (ISO code) - The country where the organization is located. This is the two-letter ISO code, e.g. DE for Germany, or US for the U.S.
   • State/Province - The state or province where the organization is located.
   • Locality/City - The city where the organization is located.
   • Organization - The name of the organization to which the Dominion KX IV–101 belongs.
   • Organizational unit - This field is used for specifying to which department within an organization the Dominion KX IV–101 belongs.
   • Common name - The network name of the Dominion KX IV–101 once it is installed on your network (usually the fully qualified domain name). The common name is identical to the name used to access the Dominion KX IV–101 with a web browser, but without the prefix “http://”. In case the name given here and the actual network name differ, the browser displays a security warning when the Dominion KX IV–101 is accessed using HTTPS.
   • Email address - The email address of a contact person that is responsible for the Dominion KX IV–101 and its security.
3. Add up to 10 Subject Alternative Names (SAN) by clicking the Add Name button, then enter the hostname or IP in the field. SANs are the hostnames or IP addresses the certificate will be valid for.
4. To generate, do one of the following:
   • To generate self-signed certificate, do the following:
   1. In the Key Creation Parameters, select the Self-Sign checkbox . When you select this option, the Dominion KX IV–101 generates the certificate based on your entries, and acts as the signing certificate authority. The CSR does not need to be exported and used to generate a signed certificate.
   2. Set the Validity in Days, which controls how many days until this certificate expires. Ensure the Dominion KX IV–101 date and time are correct. If the date and time are not correct, the certificate's valid date range may not be calculated correctly.
   3. Click Create New TLS Key.
   4. When the page refreshes, new buttons appear in the New TLS Certificate section, to allow you to install, download or delete the newly generated self-signed certificate and key.
   5. To start using the new certificate, click Install Key and Certificate.
   6. The page may refresh as the certificate loads.
   • To generate a CSR to send to the CA for certification:
   1. In the Key Creation Parameters, enter a password in the Challenge and Confirm Challenge fields.
   2. Click Create New TLS Key.
   3. When the page refreshes, new buttons appear in the New TLS Certificate section, to allow you to download the CSR, download the key, or delete the CSR.
   4. Click the Download the Certificate Signing Request button to download the CSR. Click the Download Key button to download the file containing the private key.
   5. Send the CSR to a CA for certification. You will get the new certificate from the CA.

      Note: The CSR and the private key file are a matched set and should be treated accordingly. If the signed certificate is not matched with the private key used to generate the original CSR, the certificate will not be useful. This applies to uploading and downloading the CSR and private key files.

      • Once you get the certificate from the CA, return to this page to upload it to the Dominion KX IV–101. After uploading, click Install to start using the new certificate. The page may refresh as the certificate loads.

        

• To upload a key and certificate:

1. To activate the upload fields, click Security > TLS Certificate, then scroll down to the New TLS Certificate section.
2. Select the Upload Key and Certificate checkbox. The Browse and upload controls appear.