User's Manual

1. From the top menu bar, select “View | Network topology”
2. In the Network topology, right-click the network to which you want to add the
encryption key
3. Select “Edit”
4. Enter a contact person
5. Select a suitable encryption key for the network from the pull-down menu
6. Click “Save”
On certificate-based encryption
There are input fields for the “CA certificate” and the “Client certificate”. It is recommended that
both certificates are added. If one certificate file contains all the information, it should be
used in both input fields. However, certificate files are not mandatory if the encryption
system is based on username/password authentication instead of certificates.
The certificate container is expected to be accessible to the Carat GUI client in the local or
shared file system of the host machine. Accepted formats:
CA certificate: PEM, DER, PKCS12 (aka PFX)
Private key: PKCS12 (aka PFX)
As a corollary, a single PKCS12-formatted file that contains both the CA certificate and the
private key can be used in both input fields.
If conversions are required to achieve these formats, please consult your Certificate
Authority. In Linux and Unix environments OpenSSL is a commonplace tool that can handle the
required conversions.
TIP: Microsoft environments have certificate files with the file extension CER. The file
content format is typically DER. To turn a DER file into PEM, use the following command
(the flags are -inform, -in, -outform and -out):
openssl x509 -inform DER -in <yours>.cer -outform PEM -out <target>.pem
Windows environments use the extension “PFX” to mark the typical certificate container file
type. This is exactly the PKCS12 format, which typically has the “p12” extension in the Linux/Unix
world. 7signal Sapphire does not care about the extension, only about the internal format of the file.
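Because only the internal format matters, it helps to be able to tell what a certificate file actually contains before loading it. The following is an added example, not part of this manual or of 7signal's software: it sniffs whether a file is PEM, DER X.509 or PKCS12 by its structure rather than its extension, and performs the same DER-to-PEM wrapping as the openssl command in the TIP above. The byte strings are constructed skeletons, not real certificates.

```python
import base64
import re

# Constructed samples, not real certificates: a minimal X.509-shaped DER skeleton
# (SEQUENCE { SEQUENCE { INTEGER 1 } }) and a minimal PKCS12-shaped skeleton
# (SEQUENCE { INTEGER 3, SEQUENCE {} }). Real files are much longer but open the same way.
SAMPLE_DER_CERT = bytes.fromhex("3006300402020001")
SAMPLE_PKCS12 = bytes.fromhex("30050201033000")

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def _der_header(buf, pos=0):
    """Read one DER tag/length header; return (tag, header_len, content_len) or None."""
    if len(buf) < pos + 2:
        return None
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short-form length
        return tag, 2, first
    n = first & 0x7F                      # long-form: n length bytes follow
    if n == 0 or len(buf) < pos + 2 + n:
        return None
    return tag, 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")


def classify_der(der):
    """Tell an X.509 certificate from a PKCS12 (PFX) container by structure, not extension."""
    outer = _der_header(der)
    if outer is None or outer[0] != 0x30 or outer[1] + outer[2] != len(der):
        return "unknown"                  # not a SEQUENCE, or truncated / trailing bytes
    inner = _der_header(der, outer[1])
    if inner is None:
        return "unknown"
    if inner[0] == 0x30:                  # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
        return "DER (X.509 certificate)"
    if inner[0] == 0x02 and inner[2] == 1 and der[outer[1] + inner[1]] == 3:
        return "PKCS12 (PFX)"             # PFX ::= SEQUENCE { version INTEGER 3, authSafe, macData }
    return "unknown"


def detect_format(data):
    """Classify file content as PEM, DER X.509, PKCS12 or unknown, ignoring the file name."""
    m = PEM_RE.search(data)
    if m:
        try:
            inner = base64.b64decode(re.sub(rb"\s+", b"", m.group(2)), validate=True)
        except ValueError:                # invalid base64 inside the PEM armour
            return "unknown"
        return f"PEM ({m.group(1).decode()}) wrapping {classify_der(inner)}"
    return classify_der(data)


def der_to_pem(der, label="CERTIFICATE"):
    """Same transformation as 'openssl x509 -inform DER -outform PEM': base64 in 64-column lines."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
```

Running detect_format on a CER or PFX file's bytes tells you which input field it belongs in, and a truncated download is reported as unknown rather than silently accepted.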
Microsoft PKI Infrastructure
One commonplace certificate-based environment is the one implemented by Microsoft. Typically
every appliance is expected to have its own account (a “machine account”). It would be very challenging
to make the Linux-based Eye serve a Windows infrastructure with the proper certificate. An
applicable option is to create one user account to be used by all Eye units.
When a user-account is in place, the authentication may be defined as follows: