The following functions are available to secure the configuration of the router via the user interface:
Protected access via HTTPS connection
Authentication of a client using a certificate
Protected access via HTTPS connection
The user interface can also be configured securely using the HTTPS protocol. The HTTPS protocol allows authentication of the server (i.e. the router) as well as encryption of the data transmission.
Authentication via the device-individual certificate/key combination
By default, the router is authenticated via a self-certified device-individual certificate/key combination. On first access via the HTTPS protocol, the browser indicates that the router uses an invalid security certificate. The certificate is not trusted because the CA (certification authority) certificate is unknown. You can ignore this warning and (depending on browser and operating system) add an exception for this server or establish the secure connection to this server nevertheless.
We recommend downloading the CA certificate chain and importing it into your browser to approve INSYS MICROELECTRONICS as certification authority. Proceed as described in the documentation of your browser.
The CA certificate chain consists of the following two CA certificates:
Intermediate certificate, which has been used to issue the device-individual HTTPS server certificates
Root certificate, which has been used to issue the above intermediate certificate
Note for older routers!
For routers with a serial number up to 24136330 and a MAC address up to 00:05:B6:12:E1:22, use the previous CA certificate.
Note for new routers with a firmware version up to 8.0!
If your router has a serial number from 24136331 and a MAC address from 00:05:B6:12:E1:23, but is operated with a firmware version of 8.0 or lower, this has two effects:
As the old firmware doesn't know the new CA, it will display a warning message in the classic UI that the configured HTTPS certificate is not issued by the configured CA certificate. This is just a warning and can be ignored, as the HTTPS connection still works.
If client authentication via certificates is configured and the device-individual certificate is used as server certificate, the client authentication via certificates is deactivated. If no fallback username/password is configured, these devices won't be accessible via HTTPS any longer.
Both effects can be mitigated on a firmware version of 7.6 or higher by uploading the new certificate chain above (root certificate and intermediate certificate) onto the device and selecting the intermediate CA as CA certificate for HTTPS.
In general, INSYS icom always recommends using your own PKI for the HTTPS server certificates and client authentication via certificates. In this case, none of the above effects will arise.
If INSYS MICROELECTRONICS is stored as certification authority in your browser and you access the router again via the HTTPS protocol, the browser indicates again that an invalid security certificate is used. The certificate is not trusted, because the Common Name of the certificate differs from your input in the address bar of the browser. The browser indicates that a different device answers under this URL. The Common Name of the certificate consists of the MAC address of the router, where the colons are replaced by underscores. You can ignore this warning and (depending on browser and operating system) add an exception for this server or establish the secure connection to this server nevertheless.
In order to avoid this browser warning as well, you must enter the Common Name of the router to be accessed into the address bar of your browser. The Common Name must be mapped to the IP address of the router so that the URL leads to the correct device. You can find out the Common Name by downloading and viewing the certificate from the router. The procedure for this depends on your browser. The procedure for setting up the mapping depends on your operating system:
Editing of /etc/hosts (Linux/Unix)
Editing of C:\WINDOWS\system32\drivers\etc\hosts (Windows XP/7/8)
Configuring your own DNS server
For further information, refer to the documentation of your operating system.
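The name mapping described above can be checked before it is written to the hosts file. The following shell functions are an added example, not part of the original documentation; the function names and file arguments are hypothetical, and comparing the Common Name case-insensitively is an assumption.

```shell
#!/bin/sh
# Added example; function names, arguments and file names are assumptions.
set -eu

# Common Name as described above: MAC address with colons replaced by underscores.
mac_to_cn() { printf '%s\n' "$1" | tr ':' '_'; }

# Read the subject Common Name from a PEM certificate file.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# Save the certificate the router presents (needs network access to the router).
fetch_cert() {
    openssl s_client -connect "$1:443" </dev/null 2>/dev/null | openssl x509 -out "$2"
}

# hosts_entry IP MAC CERT [CHAIN]: print a hosts line only if the certificate's
# Common Name matches the MAC on the device label (case-insensitive, an assumption)
# and, when a CA chain file is given, the certificate chains to it.
hosts_entry() {
    ip=$1; mac=$2; cert=$3; chain=${4:-}
    want=$(mac_to_cn "$mac" | tr 'a-f' 'A-F')
    got=$(cert_cn "$cert")
    if [ "$(printf '%s' "$got" | tr 'a-f' 'A-F')" != "$want" ]; then
        echo "Common Name '$got' does not match MAC $mac" >&2
        return 1
    fi
    if [ -n "$chain" ] && ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
        echo "certificate does not chain to $chain" >&2
        return 1
    fi
    printf '%s\t%s\n' "$ip" "$got"
}
```

Append the printed line to the hosts file only after both checks pass, then open the router under the Common Name instead of the IP address.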
Authentication via your own certificate structure
Alternatively, it is also possible to use your own certificate structure and upload a self-generated certificate/key combination to the router to use this for the access via an HTTPS connection.
You need to upload your self-generated certificate/key combination in the certificate manager of the router first (menu Administration → Certificates).
Then, this certificate/key combination must be selected when configuring the user interface access via HTTPS (menu Administration → Config access → Web/REST interface).
Authentication of a client using a certificate
This function allows access to the user interface of the router via an HTTPS connection without having to enter access data. For this, the client authentication via certificate (menu Administration → Config access → Web/REST interface) must be activated. A CA certificate must be installed on the router (menu Administration → Certificates) and selected for client authentication. A client certificate with key that has been generated with this CA certificate must be installed in the browser of the client that shall access the router. Optionally, a CRL can be stored and selected in order to revoke already issued certificates later. The user group allows restricting the rights for an access that is authenticated via a client certificate.
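Both procedures above (your own server certificate, and client authentication via certificate) need a CA certificate, a server certificate/key and a client certificate/key. The following openssl commands are an added example, not vendor code; the subject names, lifetimes, RSA-2048 keys, PEM and PKCS#12 output formats and the P12_PASS variable are assumptions, and CRL generation is not covered.

```shell
#!/bin/sh
# Added example, not vendor code. Subject names, lifetimes and file names are assumptions.
set -eu

# make_pki DIR HOST CLIENT: create CA, HTTPS server and browser client credentials in DIR.
# The PKCS#12 export password is read from the environment variable P12_PASS.
make_pki() (
    umask 077                      # private keys readable by the owner only
    mkdir -p "$1"
    cd "$1"
    host=$2 client=$3

    # 1. CA certificate: install on the router and select it for client authentication.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Router CA" -keyout ca.key -out ca.crt

    # 2. Server certificate/key for the web interface, restricted to serverAuth.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout server.key -out server.csr
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$host" > server.ext
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -sha256 -days 825 -extfile server.ext -out server.crt

    # 3. Client certificate/key for the browser, restricted to clientAuth.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$client" \
        -keyout client.key -out client.csr
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -sha256 -days 365 -extfile client.ext -out client.crt
    openssl pkcs12 -export -inkey client.key -in client.crt -certfile ca.crt \
        -name "$client" -passout env:P12_PASS -out client.p12
)

# verify_pki DIR HOST: both certificates must chain to the CA with the right purpose.
verify_pki() {
    openssl verify -CAfile "$1/ca.crt" -purpose sslserver \
        -verify_hostname "$2" "$1/server.crt" >/dev/null &&
    openssl verify -CAfile "$1/ca.crt" -purpose sslclient "$1/client.crt" >/dev/null
}
```

Keep ca.key off the router and off client machines; only ca.crt, the server certificate/key and (in the browser) client.p12 are deployed.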