5.5.5 Certificates


Some network services of 2N access control units use the Transport Layer Security (TLS) protocol for communication with other LAN devices, preventing third parties from monitoring or modifying the communication contents. Establishing a TLS connection requires unilateral or bilateral (mutual) authentication based on certificates and private keys.

The following services of 2N access control units use TLS:

    1. Web server (HTTPS)
    2. E-mail (SMTP)
    3. 802.1x (EAP-TLS)
    4. SIP over TLS (SIPS)

Two kinds of certificates can be uploaded to the 2N device: CA certificates, which the device uses to verify the identity of the device it is communicating with, and User certificates with their private keys, which the device uses to prove its own identity and encrypt the communication.

Each certificate-requiring service can be assigned one of the three available certificate sets; refer to the Web Server, E-Mail and Streaming subsections. A certificate set can be shared by several services.

2N access control units:

  • accept the DER (ASN.1) and PEM certificate formats.
  • support AES, DES and 3DES encryption. DES and 3DES are obsolete ciphers; configure the peer to negotiate AES wherever possible.
  • support the following key algorithms:
    • RSA keys up to 2048 bits for user certificates; internally up to 4096 bits (temporary and equivalence certificates used during connection establishment)
    • Elliptic curves

Caution

  • The CA certificates must use the X.509 v3 format.

Upon the first power-up, the 2N device automatically generates a self-signed certificate and private key for the Web server and E-mail services, so you are not forced to load a certificate and private key of your own.

Note

  • If you use the self-signed certificate to protect the communication between the device web server and your browser, the communication is encrypted, but the browser cannot verify the device's identity because the certificate is not issued by a trusted CA, so it warns you that it is unable to verify the certificate validity.

The current overview of uploaded CA and User certificates is shown in the following two folders (CA certificates and User certificates):

Press the upload button to upload a certificate saved on your PC. Enter the certificate ID in the dialogue box; the ID is used to select, edit or delete the certificate later. The ID is optional, but if you set one, make sure it is no longer than 40 characters and contains only lowercase and capital letters, digits and the '_' and '-' characters. Select the certificate (or private key) file in the dialogue box and push Load. Press the delete button to remove the certificate from the device. Press the info button to show the certificate information.

Caution

  • The device replaces the self-signed certificate with a newly generated one after a firmware update or restart. After either event, compare the certificate (its fingerprint) displayed on the device with the certificate presented to your browser and make sure they match before accepting the browser warning.


Caution

  • For certificates based on elliptic curves, use only the secp256r1 (aka prime256v1, NIST P-256) and secp384r1 (aka NIST P-384) curves.
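The following Go program is an added example, not code from 2N or from this manual. It turns the constraints stated on this page into a pre-upload check (PEM or DER input, X.509 v3, RSA user keys of at most 2048 bits, EC keys on P-256 or P-384 only) and adds a SHA-256 fingerprint helper for the comparison the caution above asks for after a firmware update or restart. The device certificate it checks is constructed in the program itself with SelfSignedPEM, standing in for the one the unit generates on first power-up; the host name and the 365-day validity are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// decodeCert accepts a certificate in PEM or raw DER form (the two formats the unit accepts).
func decodeCert(data []byte) (*x509.Certificate, error) {
	der := data
	if block, _ := pem.Decode(data); block != nil {
		if block.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("PEM block is %q, not CERTIFICATE", block.Type)
		}
		der = block.Bytes
	}
	return x509.ParseCertificate(der)
}

// CheckDeviceCertConstraints checks a user certificate against the limits listed on this
// page before upload: X.509 v3, RSA keys of at most 2048 bits, EC keys on P-256/P-384 only.
func CheckDeviceCertConstraints(data []byte) error {
	cert, err := decodeCert(data)
	if err != nil {
		return err
	}
	if cert.Version != 3 {
		return fmt.Errorf("certificate is X.509 v%d; v3 is required", cert.Version)
	}
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		if bits := pub.N.BitLen(); bits > 2048 {
			return fmt.Errorf("RSA key is %d bits; user certificate keys are limited to 2048", bits)
		}
	case *ecdsa.PublicKey:
		if pub.Curve != elliptic.P256() && pub.Curve != elliptic.P384() {
			return fmt.Errorf("curve %s is not supported; use P-256 or P-384", pub.Curve.Params().Name)
		}
	default:
		return fmt.Errorf("unsupported key type %T; use RSA or EC", pub)
	}
	return nil
}

// Fingerprint returns the SHA-256 fingerprint of the DER encoding, colon-separated and
// upper-case, the form browser certificate dialogs show.
func Fingerprint(data []byte) (string, error) {
	cert, err := decodeCert(data)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(cert.Raw)
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	parts := make([]string, 0, len(h)/2)
	for i := 0; i < len(h); i += 2 {
		parts = append(parts, h[i:i+2])
	}
	return strings.Join(parts, ":"), nil
}

// FingerprintsMatch compares a fingerprint read from the device UI with one read from the
// browser, ignoring case and separators; an empty value never matches.
func FingerprintsMatch(device, browser string) bool {
	norm := func(s string) string {
		return strings.ToUpper(strings.NewReplacer(":", "", " ", "").Replace(s))
	}
	return norm(device) != "" && norm(device) == norm(browser)
}

// SelfSignedPEM builds a self-signed X.509 v3 certificate on the given curve. This is
// constructed test data standing in for the device's first-power-up certificate.
func SelfSignedPEM(curve elliptic.Curve, host string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}
```

To check a real file before upload, read it with os.ReadFile and pass the bytes to CheckDeviceCertConstraints; a P-521 or RSA-4096 user certificate is rejected with a message naming the limit. Fingerprint of the same bytes gives the value to compare against the browser's certificate dialog after a restart or firmware update.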