Scannex ip.buffer User Manual
© UK 2007-2021 Scannex Electronics Ltd. All rights reserved worldwide.
Security Certificate Fingerprints
Local Fingerprint
Shows the SHA256 hash fingerprint of the ip.buffer's TLS/SSK PKI
certificate. You can use this to check that the PC clients
are actually connecting to this ip.buffer (and not being
intercepted).
Download
Links for download the TLS/SSL PKI X509 certificate, or the SSH
publickey
. These files may be needed for inclusion in the
allowed keys on your server.
Approved
Fingerprints
A list of SHA256 hash fingerprints for certificates that are
approved by this ip.buffer. You may enter just the
fingerprint on each line, or “name=fingerprint” (so you
can identify the fingerprints more easily).
[Blank]
Recent Fingerprints
The Recent Fingerprint list shows the fingerprints of any
certificates that were not listed in the Approved
(SSH server fingerprints will be prefixed with the IP address and
SSH version number.
“
IP Address
” is the IP address of the client or server.
“
Name
” is the IP address or name that was programmed into the
ip.buffer. When a client connects this field will show
“(blank)”. CA certificates will show “CA” or “CA+1”
“
Certificate CN
” is the Common Name that is entered into
the certificate on the server or client.
You can hover the mouse over the “
Approve
” link to show the
SHA1 fingerprint of the certificate.
Clicking “
Approve
” will add the fingerprint to the Approved
Fingerprints list.
“
Chains of trust
”: Usually the server will only send a single certificate. That
certificate may be signed by an approved person (e.g. Verisign etc), and a PC
is able to check against a database of known certificate authorities to verify
the certificate. The ip.buffer does not have a internal database of approved
certificate authorities and can only verify certificates that were actually sent
as part of the SSL/TLS handshake protocol. If multi-level certificates are
required you should be able to load the whole certificate chain into your
server.
40
The SSH server publickey is taken from the TLS/SSL PKI certificate's RSA key.
41
Certificates originating from Source will not be displayed. Neither are they validated, since some
devices have weakly protected private keys.
42
The SSH fingerprints are now SHA256 fingerprints, rather than the shorter and more usual MD5
fingerprints that are shown in most SSH client software on PCs. For compatibility, SHA1 fingerprints
are also supported.
Page 45
Scannex ip.buffer User Manual
© UK 2007-2021 Scannex Electronics Ltd. All rights reserved worldwide.
Security Certificate Fingerprints
Local Fingerprint
Shows the SHA256 hash fingerprint of the ip.buffer's TLS/SSK PKI
certificate. You can use this to check that the PC clients
are actually connecting to this ip.buffer (and not being
intercepted).
Download
Links for download the TLS/SSL PKI X509 certificate, or the SSH
publickey
. These files may be needed for inclusion in the
allowed keys on your server.
Approved
Fingerprints
A list of SHA256 hash fingerprints for certificates that are
approved by this ip.buffer. You may enter just the
fingerprint on each line, or “name=fingerprint” (so you
can identify the fingerprints more easily).
[Blank]
Recent Fingerprints
The Recent Fingerprint list shows the fingerprints of any
certificates that were not listed in the Approved
(SSH server fingerprints will be prefixed with the IP address and
SSH version number.
“
IP Address
” is the IP address of the client or server.
“
Name
” is the IP address or name that was programmed into the
ip.buffer. When a client connects this field will show
“(blank)”. CA certificates will show “CA” or “CA+1”
“
Certificate CN
” is the Common Name that is entered into
the certificate on the server or client.
You can hover the mouse over the “
Approve
” link to show the
SHA1 fingerprint of the certificate.
Clicking “
Approve
” will add the fingerprint to the Approved
Fingerprints list.
“
Chains of trust
”: Usually the server will only send a single certificate. That
certificate may be signed by an approved person (e.g. Verisign etc), and a PC
is able to check against a database of known certificate authorities to verify
the certificate. The ip.buffer does not have a internal database of approved
certificate authorities and can only verify certificates that were actually sent
as part of the SSL/TLS handshake protocol. If multi-level certificates are
required you should be able to load the whole certificate chain into your
server.
40
The SSH server publickey is taken from the TLS/SSL PKI certificate's RSA key.
41
Certificates originating from Source will not be displayed. Neither are they validated, since some
devices have weakly protected private keys.
42
The SSH fingerprints are now SHA256 fingerprints, rather than the shorter and more usual MD5
fingerprints that are shown in most SSH client software on PCs. For compatibility, SHA1 fingerprints
are also supported.
Page 45
