Managing Certificates

Certificates Overview

Certificates provide an added level of assurance and security for web users. They verify that the subject of the certificate matches the hostname and that the subject is the entity it claims to be (usually through third-party verification).

There are two types of certificates: 1) Certifying Authority (CA) certificates and 2) signed certificates. A signed certificate is either self-signed or signed by a CA (the CA certificate is then used to verify it). Self-signed certificates are less secure because they are not signed by a Certificate Authority, which weakens authentication.

A CA certificate is used in conjunction with a signed certificate and a public-private key pair. The signed certificate is generated based on the CA certificate, creating a chain of trust for the client or server in question. The CA certificate verifies the signed certificate using its public key. The most common example of this is HTTPS. You need both certificates for this to work properly.

There are three ways to obtain certificates: 1) pay to have your certificate signed by a certifying authority such as DigiCert, 2) create your own CA and corresponding signed certificate files using a software tool, or 3) create a self-signed certificate, which is less secure than the other two methods (if you choose to do this, we recommend using the Generate Certificate feature to automatically ensure the file is properly formatted).

If you do create your own CA and signed certificates, we recommend using a software tool like XCA. Do NOT use a Microsoft Windows-based tool unless the file is saved in the proper format (see below). You must create the CA certificate and upload it to the device UI before the corresponding signed certificate. If you do not use the proper format for each certificate, the system does not upload the file.

CA certificate format:

  • file format: .crt
  • base-64 encoded text file
  • no binary or MS Windows formats (will NOT work)
  • content includes a public key

Signed certificate format (including Self-signed):

  • file format: .pem
  • base-64 encoded text file
  • no binary or MS Windows formats (will NOT work)
  • content includes a private key
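A pre-upload check for the two formats listed above, as an added example that is not part of the original documentation or the device firmware. It only inspects file structure (base-64 text, PEM blocks, certificate and private key present); the file names ca.crt and server.pem and the sample bytes are constructed placeholders, and the private-key warning for CA files is an added hygiene check rather than a documented device rule.

```python
import base64
import re

# PEM armor: BEGIN line, base-64 body, matching END line.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

def pem_labels(data: bytes) -> list:
    """Labels of PEM blocks whose body is base-64 of a DER SEQUENCE (tag 0x30)."""
    labels = []
    for label, body in PEM_BLOCK.findall(data):
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except ValueError:
            continue  # armor present, but the body is not clean base-64
        if der[:1] == b"\x30":
            labels.append(label.decode())
    return labels

def check_upload(filename: str, data: bytes) -> list:
    """Return a list of problems; an empty list means the file fits the format."""
    if b"\x00" in data or any(b > 0x7F for b in data):
        return ["binary data, not a base-64 text file"]
    labels = pem_labels(data)
    has_key = any(l.endswith("PRIVATE KEY") for l in labels)
    problems = [] if "CERTIFICATE" in labels else ["no CERTIFICATE block"]
    if filename.endswith(".crt"):      # CA certificate
        if has_key:                    # added hygiene check, not a documented device rule
            problems.append("CA private key should not leave the CA host")
    elif filename.endswith(".pem"):    # signed or self-signed certificate
        if not has_key:
            problems.append("no PRIVATE KEY block")
    else:
        problems.append("expected .crt (CA) or .pem (signed certificate)")
    return problems

def armor(label: bytes, der: bytes) -> bytes:
    """Wrap DER bytes in PEM armor (used only to build the samples below)."""
    body = base64.encodebytes(der).strip()
    return b"-----BEGIN " + label + b"-----\n" + body + b"\n-----END " + label + b"-----\n"

# Constructed placeholder: a DER SEQUENCE header plus filler, not a real certificate or key.
FAKE_DER = b"\x30\x82\x00\x04\xde\xad\xbe\xef"
CA_CRT = armor(b"CERTIFICATE", FAKE_DER)
SERVER_PEM = armor(b"CERTIFICATE", FAKE_DER) + armor(b"PRIVATE KEY", FAKE_DER)

if __name__ == "__main__":
    for name, blob in [("ca.crt", CA_CRT), ("server.pem", SERVER_PEM), ("ca.crt", FAKE_DER)]:
        print(name, check_upload(name, blob) or "ok")
```

A file that passes is only structurally plausible; the check does not validate signatures, expiry, or key size.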

Uploading a Certificate 

Import a Certificate

To import a new certificate:

  1. Go to Administration > X.509 Certificate. The Certificate window displays the details of the certificate that is currently used.
    NOTE: A certificate with a key size greater than 2048 bits causes a delay accessing the Web UI after the device starts. A certificate with a key size less than 2048 bits is not recommended since it is less secure and may become breakable in the near future.
  2. Click Upload to open the Upload Certificate window.
  3. Click Browse to select a valid certificate to be uploaded.
  4. Click Upload. Wait until the file is uploaded.
  5. To save your changes, click Save and Restart.

 

Creating a Certificate

Generate a New Certificate

Because the router uses a self-signed website certificate, your browser shows a certificate error or warning. Ignore the warning and add an exception or add your rCell IP address to the trusted sites.

To generate a new certificate:

  1. Go to Administration > X.509 Certificate. The X.509 Certificate window displays the details of the certificate that is currently used.
  2. Click Create to open the Generate Certificate window.
  3. In the Common Name field, enter the name, hostname, or IP address, depending on what you use to connect to the router. The web browser uses this field to check for a valid certificate.
  4. In the Days field, enter the number of days before the certificate expires.
  5. In the Country field, enter the 2-letter code for the country name.
  6. In the State/Province field, enter the state or province for which the certificate is valid.
  7. In the Locality/City field, enter the locality or the city for which the certificate is valid.
  8. In the Organization field, enter the organization name for which the certificate is valid.
  9. In the Email Address field, enter the email address of the person responsible for the router. Typically this is the administrator. This field may be left blank.
  10. Click Generate. Wait until the certificate is generated. You may have to reboot to complete the operation.
  11. If you are finished making changes, click Save and Restart.

Uploading CA Certificate

This page allows the user to upload an X.509 CA (Certifying Authority) certificate.
To upload a CA certificate:

  1. Go to Administration > X.509 CA Certificates.
  2. Click Browse and choose the file for your CA certificate file.
  3. Click Open.
  4. Once your file is selected, click Upload.
  5. Your CA certificate file displays in the certificate list along with relevant details.
  6. You may delete or remove a certificate by clicking the trash can icon to the right under Options.
    NOTE: Both add and remove functions may take up to two minutes to update. Once updated, the changes are applied immediately. There is no need to restart the device after a CA certificate is added or removed.