Configuring a network for secure communication using digital
certificates involves accessing the appropriate stores; creating certificates
and certificate signing requests (CSRs); signing certificates; importing
them into host User Key Stores; and importing
the root CA certificate (or intermediate certificate) into client User Trust Stores.
CAUTION: If the private keys of your root CA and intermediate
certificates fall into the wrong hands, your entire network can be
in danger of a significant cyber attack. To ensure security, always
create the root CA and intermediate certificates, and use them to
sign other certificates, in Workbench running on a secure computer that is kept under lock
and key. Use this computer for only one purpose: to manage and sign
certificates. Never connect this computer to the Internet, and never
access it over your company network. Carefully protect any thumb drive
that contains any certificate with its private key.
You may use a third-party CA (Certificate Authority), such as VeriSign
or Thawte, to sign your certificates, or you may serve as your own
CA.
Note: If you use a Supervisor or an engineering PC to access a controller
remotely for the purpose of generating a server certificate and CSR,
the private key remains on the remote station. Ensure you do not export
the private key.
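One way to check that a PEM export carries no private key material before it is copied off the station or the secure computer. This is an added example, not part of the original documentation or of Workbench; the function name audit_export and the sample exports are constructed for illustration, and it assumes the export is PEM text.

```python
import re

# Matches the opening line of any PEM block and captures its label.
BEGIN_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")
PUBLIC_LABELS = {"CERTIFICATE", "CERTIFICATE REQUEST"}


def audit_export(text):
    """Classify the PEM blocks in an exported file.

    Only BEGIN lines are matched, so a truncated block with no END line
    is still reported. An ENCRYPTED PRIVATE KEY block counts as a private
    key. Binary containers such as PKCS#12 are not inspected here.
    """
    labels = BEGIN_RE.findall(text)
    private = [label for label in labels if "PRIVATE KEY" in label]
    public = [label for label in labels if label in PUBLIC_LABELS]
    return {
        "public_blocks": public,
        "private_keys": private,
        # Safe only if there is something to import and no key material.
        "safe_to_distribute": bool(public) and not private,
    }


# Constructed samples: the bodies are placeholder text, not real keys.
ROOT_CA_EXPORT = """-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
"""
KEYSTORE_EXPORT = ROOT_CA_EXPORT + """-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END ENCRYPTED PRIVATE KEY-----
"""
TRUNCATED_EXPORT = ROOT_CA_EXPORT + "-----BEGIN RSA PRIVATE KEY-----\nQ09O"

if __name__ == "__main__":
    for name, sample in [("root CA", ROOT_CA_EXPORT),
                         ("key store", KEYSTORE_EXPORT),
                         ("truncated", TRUNCATED_EXPORT)]:
        print(name, audit_export(sample))
```

A file that passes this check contains only certificates or CSRs, which is what belongs in a client User Trust Store or goes to a CA for signing.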
The preferred best practice is to set up certificates before distributing
each controller to its remote location. If controllers are already
in the field, travel to the remote location, take the controller off
the Internet and corporate LAN, then connect your engineering PC directly
to the controller using a cross-over cable.