MCU 5310

Transitioning to certificate-based security

Certificate-based security methods carry a risk of inadvertently blocking all login access to the MCU. (If problems occur with the client certificate or the trust store, you will need to fall back to HTTP. If you cannot fall back — because HTTP is disabled or because HTTP to HTTPS redirection is set — then all access methods will be blocked.) We strongly recommend that you follow the procedures below when implementing certificate-based security:

Enabling client certificates and certificate login (HTTPS connections)

To transition access handling for HTTPS connections from standard, password-based access to required client certificate validation and optionally to allow certificate-based login, do the following:

  1. Ensure that an appropriate HTTPS trust store is installed on the MCU (Network > SSL certificates) and that the web browser(s) to be used to access the MCU are configured with a valid client certificate.
  2. Go to Network > Services and enable both HTTP and HTTPS.
  3. Go to Settings > Security and disable Redirect HTTP requests to HTTPS (uncheck the check box). This ensures that you can fall back to HTTP if problems occur.
  4. Go to Network > SSL certificates.
    1. Scroll to the HTTPS trust store section.
    2. Set Client certificate security to Verify certificate (to have client certificate validation but no certificate login) or Certificate-based authentication allowed (to have client certificate validation and to allow certificate-based login).
    3. Click Apply changes.
  5. Now test that you are able to log in to the MCU over an HTTPS connection.
    1. First verify that you can log in using the standard password login mechanism.
    2. If you specified Certificate-based authentication allowed in the previous step, also verify that certificate-based login is working as expected. This step is recommended, although not strictly essential, because Certificate-based authentication allowed mode still allows password login if certificate login fails.

Note: Provided that this procedure is successful, you can now disable HTTP (Network > Services) or enable redirection from HTTP to HTTPS (Settings > Security) if either is required by your configuration.

Enabling OCSP checking

Caution: The MCU will only perform OCSP checking if a client certificate security mode is enabled. To do this, go to Network > SSL certificates and set the Client certificate security option. When you first enable OCSP checking, set Client certificate security to one of the 'lesser' modes (Verify certificate or Certificate-based authentication allowed). If you want to set it to Certificate-based authentication required, only do so after you have completed the procedure for Requiring certificate-only login (all connections) and you are certain that OCSP checking is working correctly.

To enable OCSP checking for the MCU, do the following:

  1. Ensure that an appropriate HTTPS trust store has been installed on the MCU (Network > SSL certificates).
  2. Go to Network > Services and enable both HTTP and HTTPS.
  3. Go to Settings > Security and disable Redirect HTTP requests to HTTPS. This ensures that you can fall back to HTTP if problems occur.
  4. Go to Network > SSL certificates.
    1. Scroll to the Online certificate status protocol (OCSP) section.
    2. Set Certificate to check to HTTPS client certificates.
    3. Enter the URL of the external OCSP server and set any options you require.
    4. Click Apply changes.
  5. Now test that you are able to log in to the MCU over an HTTPS connection. Only proceed to the next step if you can successfully log in.
  6. Do one of the following, as appropriate for your configuration:
    • Go to Network > Services and disable HTTP.
    • Go to Settings > Security and enable Redirect HTTP requests to HTTPS.

Requiring certificate-only login (all connections)

To transition from password-based authentication to required certificate-based authentication for all connection types, do the following:

  1. Ensure that an appropriate HTTPS trust store is installed on the MCU (Network > SSL certificates) and that the web browser(s) to be used to access the MCU are configured with a valid client certificate.
  2. Go to Network > Services and enable both HTTP and HTTPS.
  3. Go to Settings > Security and disable Redirect HTTP requests to HTTPS (uncheck the check box). This ensures that you can fall back to HTTP if problems occur.
  4. Go to Network > SSL certificates:
    1. Scroll to the HTTPS trust store section.
    2. Set Client certificate security to Certificate-based authentication allowed.

      Do NOT set Client certificate security to Certificate-based authentication required yet.

    3. Click Apply changes.
  5. Now test that you are able to log in to the MCU over an HTTPS connection using a certificate. Only proceed to the next step if you can successfully log in with a certificate.
  6. Assuming the previous step succeeded, go to the Client certificate security option again and this time set it to Certificate-based authentication required.
  7. Click Apply changes and confirm at the prompt.

    It is now not possible to log in over HTTP. Logging in over HTTPS now requires a valid client certificate signed by a certificate authority that matches the HTTPS trust store on the MCU.

  8. Do one of the following, as appropriate for your configuration:
    • Go to Network > Services and disable HTTP.
    • Go to Settings > Security and enable Redirect HTTP requests to HTTPS.
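All three procedures above rest on the same safeguard: keep the HTTP fallback path open, and confirm that certificate login (and, for the OCSP procedure, the external responder) actually works before Client certificate security is moved to Certificate-based authentication required. The shell script below is an added example written for this page; it is not part of the MCU software or its documentation. It runs those checks from an administrator's workstation with curl and openssl. The hostname, certificate file paths and OCSP URL are placeholders you must replace with your own values, and because the exact HTTP response the MCU returns is not documented here, the script judges the fallback path only on the status code and the Location header.

```shell
#!/bin/sh
# Pre-flight checks before tightening MCU client certificate security.
# Added example for this help page, not MCU code. All values below are placeholders.

MCU_HOST="${MCU_HOST:-mcu.example.internal}"            # placeholder: your MCU address
CLIENT_CERT="${CLIENT_CERT:-./admin-client.pem}"         # placeholder: admin client certificate (PEM)
CLIENT_KEY="${CLIENT_KEY:-./admin-client.key}"           # placeholder: its private key
ISSUER_CA="${ISSUER_CA:-./client-issuing-ca.pem}"        # placeholder: CA that issued the client cert
SERVER_CA="${SERVER_CA:-./mcu-server-ca.pem}"            # placeholder: CA for the MCU's own HTTPS certificate
OCSP_URL="${OCSP_URL:-http://ocsp.example.internal}"     # placeholder: the external OCSP responder

# Given raw response headers from a plain-HTTP request, report whether the MCU is
# redirecting HTTP to HTTPS (a 301/302/307/308 with an https:// Location header).
# Exit status 0 means "redirecting"; 1 means the HTTP fallback path is open.
http_redirects_to_https() {
    headers=$1
    status=$(printf '%s\n' "$headers" | sed -n '1s/^HTTP\/[0-9.]* \([0-9]*\).*/\1/p')
    location=$(printf '%s\n' "$headers" | tr -d '\r' | sed -n 's/^[Ll]ocation: *//p' | head -n 1)
    case "$status" in
        301|302|307|308)
            case "$location" in https://*) return 0 ;; esac
            ;;
    esac
    return 1
}

# Given the text output of "openssl ocsp", print the responder's verdict for the
# certificate (good, revoked or unknown), or "error" if no verdict line is present.
ocsp_verdict() {
    verdict=$(printf '%s\n' "$1" | awk '/: (good|revoked|unknown)[[:space:]]*$/ {
        sub(/.*: /, ""); sub(/[[:space:]]*$/, ""); print; exit }')
    if [ -n "$verdict" ]; then printf '%s\n' "$verdict"; else printf 'error\n'; fi
}

# Live check 1: HTTP must answer and must not redirect to HTTPS, or there is no fallback.
check_http_fallback() {
    headers=$(curl -sS -I --max-time 10 "http://$MCU_HOST/") \
        || { echo "FAIL: HTTP not reachable (is HTTP enabled under Network > Services?)"; return 1; }
    if http_redirects_to_https "$headers"; then
        echo "FAIL: HTTP redirects to HTTPS (disable it under Settings > Security first)"
        return 1
    fi
    echo "OK: HTTP fallback path is open"
}

# Live check 2: the HTTPS handshake must succeed when the client certificate is presented.
check_https_client_cert() {
    code=$(curl -sS -o /dev/null -w '%{http_code}' --max-time 10 --cacert "$SERVER_CA" \
        --cert "$CLIENT_CERT" --key "$CLIENT_KEY" "https://$MCU_HOST/") \
        || { echo "FAIL: HTTPS handshake with the client certificate failed"; return 1; }
    echo "OK: HTTPS accepted the client certificate (HTTP $code)"
}

# Live check 3: the external OCSP responder must answer for the client certificate
# before the MCU is configured to depend on it.
check_ocsp_responder() {
    out=$(openssl ocsp -issuer "$ISSUER_CA" -cert "$CLIENT_CERT" -CAfile "$ISSUER_CA" \
        -url "$OCSP_URL" 2>&1) || true
    verdict=$(ocsp_verdict "$out")
    case "$verdict" in
        good) echo "OK: OCSP responder reports the client certificate as good" ;;
        *)    echo "FAIL: OCSP verdict '$verdict' (responder unreachable, misconfigured, or certificate revoked)"
              return 1 ;;
    esac
}

run_checks() {
    rc=0
    check_http_fallback     || rc=1
    check_https_client_cert || rc=1
    check_ocsp_responder    || rc=1
    if [ "$rc" -eq 0 ]; then
        echo "All checks passed: safe to proceed to the next step"
    else
        echo "Fix the failures above before tightening Client certificate security"
    fi
    return $rc
}

# The live checks run only when invoked as:  sh mcu_preflight.sh run
case "${1:-}" in run) run_checks ;; esac
```

Run it once with Client certificate security still at Certificate-based authentication allowed; only when all three checks pass is it reasonable to set Certificate-based authentication required or to close the HTTP path. The OCSP check is relevant only if you are following the OCSP procedure; the other two apply to every procedure on this page.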
