Security

1. General information

Information on the current certificates can be viewed at https://HS_IP/hscert.
This URL is also used to have the HS/FS generate certificates and/or to upload certificates onto the HS/FS. No user details are required to retrieve this page; the individual functions, however, do require them. (See certificate management.)

Behaviour during initial start of the HS/FS with firmware 4.7 or higher is described here.

2. Server

The interfaces listed in the table are available on all of the ports for secure and unencrypted communication specified below:

| Interface | Call |
| --- | --- |
| Lists | /hslist |
| Visu / Menu / Query | /hs |
| QuadClient / Apps | From app/Program |
| Certificate management | /hscert |
| Communication object gateway | /cogw |
| HS Upload area | /opt |

1st IP port (HTTPS)

Primary IP port for secure (encrypted) communication.
Default value: 443.

Permit communication via TLS v1.0

Yes: Communication via TLS v1.0, which is insecure, is possible for this port.
Default setting: No.
Note: This option has to be activated when using Gira Clients 9 and 19 in conjunction with the Windows XP operating system.

Create certificate

Select here which type of certificate the device should use:

| Setting | Comments |
| --- | --- |
| Device creates certificate (with IP address as CN) | The device creates a certificate. When the certificate is generated, the IP address of the HS/FS is used as the Common Name (CN). Generation can be triggered again under /hscert. |
| Device creates certificate (with configured CN) | The device creates a certificate. When the certificate is generated, the text entered in the Common Name (CN) field is used as the Common Name (CN). Generation can be triggered again under /hscert. |
| Load certification onto the device | The option for uploading a certificate is enabled. The certificate to be uploaded must be provided as a .pem file and must not be password-protected. Until a certificate has been uploaded, the device uses a certificate that was created according to the setting "Device creates certificate (with IP address as CN)". |

Common Name (CN)

This text is used when the HS/FS generates a certificate for this port with the option "Device creates certificate (with configured CN)".

2nd IP port (HTTPS)

Like 1st IP port (HTTPS). However, the use of this port is optional.
Default setting (value): deactivated (8443).

Permit communication via TLS v1.0

Create certificate

Common Name (CN)

IP port (HTTP, unencrypted)

If this option is activated, a port can be defined for the unencrypted communication via HTTP.
Default setting (value): deactivated (80).

If this option is used, project and firmware transfers are carried out unencrypted and the HS/FS end points (e.g. lists, archive, debug page, etc.) can be reached via HTTP and the port entered here.

3. Certificate (Root CA)

Validity (in days)

The validity period of the Root certificate can be defined here.
Minimum value: 90 days.
Default value: 3650 days (~ 10 years).

4. Monitoring of certificates

Time (hh:mm)

Defines the time when the validity of the certificate is checked while in operation.
Default value: 00:01.

Generation (days before expiry)

If a certificate created by the HS/FS has only the number of days specified here left before it expires, the HS/FS creates a new certificate.
The earliest possible point in time for an automatic regeneration is 90 days before expiry.
Default value: 1.

A Status object displays the difference (in days) between the current date and the next validity expiry of a certificate.
Warning: If a certificate that has not been generated with the HS/FS is loaded via the web interface (https://HS_IP/hscert) onto the HS/FS, this setting has no effect!
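
Because a certificate loaded via /hscert is not regenerated by the HS/FS, its expiry has to be tracked outside the device. The following shell check is an added example, not Gira code: it rejects a password-protected .pem (see "Load certification onto the device") and flags a certificate that expires within a chosen window. The function names, the 30-day default window, the sample CN 192.0.2.10 and the certificate-plus-key file layout are assumptions; the OpenSSL command-line tool is required.

```shell
#!/bin/sh
# Added example, not vendor code: check a .pem before loading it via /hscert
# and afterwards on a schedule, because the HS/FS does not regenerate
# certificates that it did not create itself.

# check_hs_pem FILE [WARN_DAYS]   (function name is hypothetical)
#   0 = usable
#   1 = certificate expires within WARN_DAYS
#   2 = file is password-protected (not accepted for upload)
#   3 = no readable certificate in FILE
check_hs_pem() {
    pem=$1
    warn_days=${2:-30}   # assumed default window, pick your own

    # Encrypted keys are recognisable by their PEM header: PKCS#8 uses
    # "BEGIN ENCRYPTED PRIVATE KEY", the legacy format "Proc-Type: 4,ENCRYPTED".
    if grep -Eq '^(-----BEGIN ENCRYPTED PRIVATE KEY-----|Proc-Type: 4,ENCRYPTED)' \
        "$pem" 2>/dev/null; then
        return 2
    fi

    # The file must contain a certificate that OpenSSL can parse.
    openssl x509 -in "$pem" -noout >/dev/null 2>&1 || return 3

    # -checkend N exits non-zero when the certificate expires within N seconds.
    openssl x509 -in "$pem" -noout -checkend "$((warn_days * 86400))" \
        >/dev/null 2>&1 || return 1
    return 0
}

# Constructed sample data: self-signed certificate followed by its unprotected
# key in one file (assumed layout), CN from the documentation range 192.0.2.0/24.
make_sample_pem() {
    out=$1
    days=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=192.0.2.10" -keyout "$out.key" -out "$out.crt" \
        >/dev/null 2>&1 || return 1
    cat "$out.crt" "$out.key" > "$out"
}
```

Run `check_hs_pem` from a scheduled job against the same file that was uploaded and alert on any non-zero exit code.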