Object Definition > Certificate > Configuration tab.

Create Root CA

When the Generate button is applied, the Root CA Certificate Configuration screen appears. The information that must be filled in for the root CA is the name, the key, the subject name and the validity period.

EW200 Industrial Cellular Gateway 155

Root CA Certificate Configuration

Item: Name
Value setting: 1. String format, any text. 2. Required setting.
Description: Enter a name for the Root CA certificate. It is used as the certificate file name.

Item: Key
Value setting: Required setting.
Description: This field specifies the key attributes of the certificate. Key Type selects the public-key cryptosystem; only RSA is currently supported. Key Length sets the size, in bits, of the key used by the cryptographic algorithm. Digest Algorithm selects the hash function recorded in the certificate's signature algorithm identifier, i.e. the hash the root CA uses when it signs certificates.

Item: Subject Name
Value setting: Required setting.
Description: This field specifies the identity information placed in the certificate. Country (C) is the two-letter ISO code of the country where your organization is located. State (ST) is the state where your organization is located. Location (L) is the locality (city) where your organization is located. Organization (O) is the name of your organization. Organization Unit (OU) is the name of your organizational unit. Common Name (CN) is the name that identifies the certificate holder; for the root CA this is the CA's own name. Email is the email address of your organization and must be in email address format.

Item: Validity Period
Value setting: Required setting.
Description: This field specifies the validity period of the certificate.

Setup SCEP

SCEP Configuration

Item: SCEP
Value setting: Unchecked by default.
Description: Check the Enable box to activate the SCEP function.

Item: Automatically re-enroll aging certificates
Value setting: Unchecked by default.
Description: When SCEP is activated, check the Enable box to activate this function. The gateway then periodically checks whether its certificates are aging (approaching expiry); if one is, it uses SCEP to re-enroll automatically and obtain a fresh certificate.

Item: Save
Description: Click Save to save the settings.

Item: Undo
Description: Click Undo to cancel the settings.

3.4.2 My Certificate

My Certificate contains the Local Certificate List. The Local Certificate List shows all certificates that the root CA has generated for the gateway. It also stores the generated Certificate Signing Requests (CSRs) that are to be signed by other, external CAs; once signed, those certificates can be imported as local certificates of the gateway.

Self-signed Certificate Usage Scenario

Scenario Application Timing
When the enterprise gateway has both the root CA and the VPN tunneling function, it can generate its own local certificates, signed by its own root CA, or import local certificates that were signed by other external CAs. It can also import trusted certificates for other CAs and clients. In addition, because it holds the root CA, it can sign Certificate Signing Requests (CSRs) submitted by others and so produce their certificates. These certificates let two remote peers verify each other's identity when establishing a VPN tunnel.

Scenario Description
Gateway 1 generates the root CA and a local certificate (HQCRT) signed by that root CA. It also imports BranchCRT as a trusted certificate; BranchCRT is the certificate produced when the root CA of Gateway 1 signs the BranchCSR of Gateway 2.
Gateway 2 creates a CSR (BranchCSR) and has the root CA of Gateway 1 sign it, yielding the BranchCRT certificate. Gateway 2 then imports BranchCRT as its own local certificate. Only the CSR travels between the gateways; the private key behind BranchCSR never leaves Gateway 2.
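The whole workflow above (root CA generation with the Key and Subject Name fields, CSR signing between Gateway 1 and Gateway 2, the peer-side issuer check, and the aging test behind SCEP auto re-enrollment) is shown below as an added example. It is not the EW200 firmware's own code; it uses the Python `cryptography` package. The names HQCRT, BranchCSR and BranchCRT come from the manual; the helper names, the subject values, the 2048-bit key, the SHA-256 digest, the 3650-day and 365-day validity periods and the 30-day renewal window are assumptions made for the example.

```python
"""Added example, not EW200 firmware code: root CA, CSR signing and aging check.
Subject values, key length, digest and validity periods are assumed for illustration."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _utcnow():
    return datetime.datetime.now(datetime.timezone.utc)


def make_subject(c, st, l, o, ou, cn, email):
    """Subject Name built from the fields the Root CA configuration screen asks for."""
    return x509.Name([
        x509.NameAttribute(NameOID.COUNTRY_NAME, c),            # two-letter ISO code
        x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, st),
        x509.NameAttribute(NameOID.LOCALITY_NAME, l),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, o),
        x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, ou),
        x509.NameAttribute(NameOID.COMMON_NAME, cn),            # name of the certificate holder
        x509.NameAttribute(NameOID.EMAIL_ADDRESS, email),
    ])


def generate_root_ca(subject, key_length=2048, digest=None, validity_days=3650):
    """Key Type RSA, Key Length, Digest Algorithm and Validity Period as on the screen."""
    digest = digest or hashes.SHA256()
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_length)
    now = _utcnow()
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(subject)                       # self-signed: issuer == subject
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=validity_days))
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .add_extension(x509.KeyUsage(
            digital_signature=False, content_commitment=False, key_encipherment=False,
            data_encipherment=False, key_agreement=False, key_cert_sign=True,
            crl_sign=True, encipher_only=False, decipher_only=False), critical=True)
        .sign(key, digest)
    )
    return key, cert


def create_csr(subject, key_length=2048, digest=None):
    """What Gateway 2 does for BranchCSR: new key pair, CSR signed with that key."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_length)
    csr = x509.CertificateSigningRequestBuilder().subject_name(subject).sign(key, digest or hashes.SHA256())
    return key, csr


def sign_csr(ca_key, ca_cert, csr, validity_days=365, digest=None):
    """What Gateway 1's root CA does to turn BranchCSR into BranchCRT."""
    if not csr.is_signature_valid:              # requester must prove it holds the private key
        raise ValueError("CSR signature does not verify; refusing to sign")
    now = _utcnow()
    return (
        x509.CertificateBuilder()
        .subject_name(csr.subject)
        .issuer_name(ca_cert.subject)
        .public_key(csr.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=validity_days))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .sign(ca_key, digest or hashes.SHA256())
    )


def issued_by(cert, ca_cert):
    """Peer-side check against a trusted CA: issuer name matches and the signature verifies."""
    if cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    return True


def is_ca(cert):
    return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca


def not_after(cert):
    na = getattr(cert, "not_valid_after_utc", None)          # cryptography >= 42
    return na if na is not None else cert.not_valid_after.replace(tzinfo=datetime.timezone.utc)


def needs_reenroll(cert, now=None, renew_within_days=30):
    """Aging check behind 'Automatically re-enroll aging certificates': renew before expiry."""
    return not_after(cert) - (now or _utcnow()) <= datetime.timedelta(days=renew_within_days)


def to_pem(cert):
    return cert.public_bytes(serialization.Encoding.PEM)


def run_scenario():
    """Gateway 1 (root CA, HQCRT) and Gateway 2 (BranchCSR -> BranchCRT); constructed sample subjects."""
    ca_key, ca_cert = generate_root_ca(make_subject("TW", "Taipei", "Taipei", "Example Corp", "IT", "Example Root CA", "ca@example.com"))
    _, hq_csr = create_csr(make_subject("TW", "Taipei", "Taipei", "Example Corp", "IT", "HQ Gateway", "hq@example.com"))
    hqcrt = sign_csr(ca_key, ca_cert, hq_csr)                 # Gateway 1's own local certificate
    _, branch_csr = create_csr(make_subject("TW", "Taipei", "Taipei", "Example Corp", "IT", "Branch Gateway", "branch@example.com"))
    branchcrt = sign_csr(ca_key, ca_cert, branch_csr)         # only the CSR reached Gateway 1; the key stayed on Gateway 2
    return ca_cert, hqcrt, branchcrt


if __name__ == "__main__":
    ca, hq, br = run_scenario()
    print(to_pem(br).decode())
```

The same checks apply when filling in the configuration screen: choose an RSA Key Length of at least 2048 bits and a SHA-2 Digest Algorithm, keep the root CA private key on Gateway 1 only, and send nothing but the CSR between gateways. `issued_by` is the test a VPN peer effectively performs when it holds the root CA as a trusted certificate; `needs_reenroll` is the kind of aging test SCEP auto re-enrollment runs, here with an assumed 30-day window.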