1. Installing a certificate
To encrypt data traffic, the device first needs a certificate and a private key. There are several ways to install these:
- Create a new certificate and have it signed by a certification authority by sending a certificate signing request (CSR)
- Upload an existing private key and certificate
- Create a new certificate and sign it yourself
You can choose one of the options above that fits your requirements and possibilities. Certificates signed by certification authorities generally have the advantage that clients can automatically verify the authenticity of the host (device) at the time of access. This is normally the case with official certification authorities.
If a user accesses the web interface via HTTPS and the certificate is either self-signed or signed by a certification authority not trusted by the user, this will cause a warning to appear in the user’s web browser first.
1.1. Creating a new certificate and having it signed
To create a new certificate, select the option New certificate. In the dialogue box that follows, enter the device and operator information. This information is stored in the certificate and can be used later by both the certification authority and clients to verify the certificate.
Once you have confirmed the dialogue box with Save, you can download the certificate signing request (CSR) file from the web access page. You must provide this file to your certification authority. You will then receive a signed certificate from your certification authority and, where necessary, a certificate chain (often consisting of intermediate and/or root certificates). You will usually receive these in the form of .pem or .crt files or directly in PEM-encoded text form.
You can now transfer the signed certificate to the device via the Upload certificate dialogue. If you have received a certificate chain, you can upload it via this dialogue too.
1.2. Creating a new certificate and signing it yourself
To create a new certificate, select the option New certificate. In the dialogue box that follows, enter the device and operator information. This information is stored in the certificate and can be used later by clients to verify the certificate.
In the last section Signing, you now select Create self-signed certificate. After that you can specify the maximum validity period of the certificate.
Once this validity period has expired, you must generate a new certificate. This should be done in good time before expiration so that there are no problems accessing your device.
1.3. Uploading an existing certificate
If you have an existing certificate along with a private key, and wish to use this to protect HTTPS traffic, you can transfer these files to your device via the Upload certificate dialogue.
2. Configuring access types
Once you have installed a certificate, you can now configure the access types according to your requirements.
If you wish to protect access to your device via HTTPS, we recommend selecting the option Forced HTTPS. The device will only respond via HTTPS, but will redirect all incoming HTTP requests to HTTPS. This means that users who inadvertently access the web interface via HTTP, either directly or via bookmarks, will automatically be redirected to HTTPS.
If it is essential that not a single request crosses the network unencrypted, you can select the option HTTPS only. This setting will cause users accessing via HTTP to receive an error message.
You can also have a simultaneous configuration of HTTP and HTTPS. However, this setting is only recommended in exceptional cases, for migration purposes or for testing.
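To confirm which access type is actually in effect after a change, you can send one plain-HTTP request without following redirects and look at the answer. The script below is an added example, not part of the device software; the function names, the mapping from status codes to access types, and the local stub server standing in for a device are assumptions.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def probe_http(host, port=80, timeout=5):
    """Send one plain-HTTP GET without following redirects.
    Returns (status, Location header), or (None, None) if there is no HTTP answer."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location")
    except (OSError, http.client.HTTPException):
        return None, None  # refused, timed out or not HTTP (host may also be down)
    finally:
        conn.close()

def classify(status, location):
    """Map the plain-HTTP answer to an access type (assumed mapping)."""
    if status is None or status >= 400:
        return "HTTPS only"        # error message or no answer on HTTP
    if 300 <= status < 400 and (location or "").lower().startswith("https://"):
        return "Forced HTTPS"      # HTTP request is redirected to HTTPS
    if 200 <= status < 300:
        return "HTTP and HTTPS"    # content is served unencrypted
    return "unknown"               # e.g. a redirect that stays on HTTP

class _ForcedHttpsStub(BaseHTTPRequestHandler):
    """Constructed stand-in for a device set to Forced HTTPS."""
    def do_GET(self):
        self.send_response(301)
        self.send_header("Location", "https://device.example/")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def demo():
    """Start the stub on a free loopback port, probe it and classify the answer."""
    server = HTTPServer(("127.0.0.1", 0), _ForcedHttpsStub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return classify(*probe_http("127.0.0.1", server.server_port))
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(demo())
```

With Forced HTTPS the initial HTTP request, including its path and headers, still crosses the network unencrypted before the redirect arrives, which is the case the HTTPS only option addresses.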
3. Displaying current configuration/certificates
On the access type configuration page, you can see the types of access currently active as well as information regarding the current certificate.