Kerio Tech Firewall6 Network Router User Manual


 
Chapter 9 Web Interface
SSL Certificate for the Web Interface
The WinRoute Web interface can be served over SSL so that all communication between the client and the server is encrypted, which protects the transmitted data from eavesdropping and misuse. The SSL protocol first uses asymmetric encryption to exchange a symmetric encryption key; that symmetric key is then used to encrypt the transmitted data.
An asymmetric cipher uses two keys: a public key for encrypting and a private key for decrypting. As the names suggest, the public (encrypting) key is available to anyone wishing to establish a connection with the server, whereas the private (decrypting) key is held only by the server and must remain secret. The client, however, also needs to be able to identify the server, that is, to find out whether it is talking to the genuine server and not to an impostor. This is the purpose of the certificate, which contains the server's public key, the server name, the expiration date and other details. To make the certificate trustworthy it must be signed by a third party that the client already trusts, a certificate authority.
Communication between the client and the server then follows this scheme: the client generates a symmetric encryption key and encrypts it with the server's public key (taken from the server certificate). The server decrypts it with its private key (held solely by the server). The symmetric key is therefore known only to the server and the client, and it is used to encrypt and decrypt all further traffic. Note that the certificate only identifies the server if the client checks that the server name in it matches the name it connected to and that the signing authority is one it trusts; an unknown authority or a mismatched name results in a browser warning rather than a trusted connection.
Generate or Import Certificate
During WinRoute installation, a testing certificate for the SSL-secured Web interface is created automatically. It is stored in the sslcert subdirectory under the WinRoute installation directory as server.crt; the corresponding private key is saved as server.key. The generated certificate is unique to the installation, but it is issued for a non-existent server name and is not signed by a trusted certificate authority, so browsers will warn about it. It is only intended to keep the secured Web interface functional (usually for testing purposes) until a new certificate is created or a certificate issued by a public certificate authority is imported. Whichever certificate is used, server.key must remain readable only by the WinRoute service: anyone who obtains the private key can impersonate the Web interface.
Click Change SSL certificate (in the advanced settings dialog for the Web interface) to open a dialog showing the current server certificate. The Field (certificate entry) selector lets you view information either about the certificate issuer or about the subject, which represents your server.
There are two ways to obtain your own certificate that verifies your server's identity.
You can create your own self-signed certificate. Click Generate Certificate in the dialog where the current server certificate is displayed and fill in the required data about the server and your company. Only entries marked with an asterisk (*) are required.
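The following added example (not part of the Kerio manual) performs the same steps with the OpenSSL command-line tool instead of the WinRoute dialog. It generates a private key and a self-signed certificate under the server.key and server.crt names the manual uses, reads back the subject and issuer fields (what the Field selector in the dialog shows), and then runs the client-side check described in the handshake section above: a verifier with no trust anchor rejects the self-signed certificate, and the same certificate is accepted once server.crt itself is installed as a trusted authority. The host name fw.example.com, the organization name and the output directory are placeholders, and OpenSSL 1.1.1 or later is assumed for the -addext option.

```shell
#!/bin/sh
# Added example, not from the Kerio manual: create and check a
# self-signed certificate for the WinRoute Web interface with OpenSSL.
# Assumes the openssl CLI (1.1.1+) is installed; fw.example.com stands
# in for the real name clients will use to reach the firewall.
set -eu

# make_cert DIR HOSTNAME
# Writes DIR/server.key and DIR/server.crt (the file names WinRoute keeps
# in its sslcert subdirectory) and restricts the key to its owner.
make_cert() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    # -x509  : emit a self-signed certificate instead of a signing request
    # -nodes : leave the key unencrypted so the service can load it unattended
    # The CN and subjectAltName must equal the name browsers connect to;
    # the installer's test certificate fails exactly this check.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$dir/server.key" -out "$dir/server.crt" \
        -subj "/C=US/O=Example Co/CN=$host" \
        -addext "subjectAltName=DNS:$host" >/dev/null 2>&1
    chmod 600 "$dir/server.key"
}

# cert_field DIR subject|issuer
# Prints the requested field without its "subject=" / "issuer=" prefix,
# like the Field selector in the Change SSL certificate dialog.
cert_field() {
    openssl x509 -in "$1/server.crt" -noout "-$2" | sed 's/^[a-z]*= *//'
}

# is_self_signed DIR -> true when issuer and subject are identical
is_self_signed() {
    [ "$(cert_field "$1" subject)" = "$(cert_field "$1" issuer)" ]
}

# verify_cert DIR [CAFILE]
# Mimics the client side of the handshake: validate the server certificate
# against a set of trusted authorities only (system stores disabled).
# Without CAFILE, as in an unconfigured browser, a self-signed certificate
# is rejected; trusting server.crt explicitly makes it acceptable.
verify_cert() {
    if [ $# -ge 2 ]; then
        openssl verify -no-CAfile -no-CApath -CAfile "$2" "$1/server.crt" \
            >/dev/null 2>&1
    else
        openssl verify -no-CAfile -no-CApath "$1/server.crt" >/dev/null 2>&1
    fi
}

# demo DIR: build the certificate and report what a client would see.
demo() {
    make_cert "$1" fw.example.com
    echo "subject: $(cert_field "$1" subject)"
    echo "issuer:  $(cert_field "$1" issuer)"
    if verify_cert "$1"; then
        echo "verify without trust anchor: accepted"
    else
        echo "verify without trust anchor: REJECTED (browser would warn)"
    fi
    if verify_cert "$1" "$1/server.crt"; then
        echo "verify with server.crt trusted: accepted"
    fi
}

demo "$(mktemp -d)"
```

The two verify calls are the practical point: a self-signed certificate only stops warnings on clients where server.crt has been imported as a trusted authority, which is why the manual recommends a certificate from a public certificate authority for anything beyond testing.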