Certificate Example
If the example previously shown is split up into its individual parts, the following authorities and certificates must be established for proper communication within the subnets and across the complete network:
The network has three certificate authorities: MasterServer, Asia and Europe.
- The master server must have the following certificates to connect to all its children:
  CertAuth : MasterServer
  CertTrusted : MasterServer, Asia, Europe
- The console in the following example can only connect to the master server with these certificates:
  CertAuth : MasterServer
  CertTrusted : MasterServer
  If the console also needs to connect to other devices via remote control or direct access, it must also trust the other authorities; otherwise those devices cannot be accessed through these functions. It therefore requires the following certificates:
  CertAuth : MasterServer
  CertTrusted : MasterServer, Asia, Europe
- All devices located in subnet Asia must have the following certificates to be able to communicate with each other:
  CertAuth : Asia
  CertTrusted : Asia
- All devices located in subnet Europe must have the following certificates to be able to communicate with each other:
  CertAuth : Europe
  CertTrusted : Europe
- The main Asia relay must have the following certificates to communicate with all its children and its direct parent, the master server:
  CertAuth : Asia
  CertTrusted : Asia, MasterServer
  If it should also be able to communicate with the European main relay (and thus all its children), the trusted entry must contain the following entries:
  CertTrusted : Asia, MasterServer, Europe
  This means that the Asia relay can contact any device in the subnet Europe, but not vice versa: the devices in the Europe subnet cannot contact the Asia relay, because they do not trust the Asia authority.
- The main Europe relay must have the following certificates to communicate with all its children and its direct parent, the master server:
  CertAuth : Europe
  CertTrusted : Europe, MasterServer
To completely isolate a subnet, for example the European subnet France, another authority must be created for the main French server: France.
If the French relay and all its children have the following certificate configuration, they will not be able to contact any device outside their subnet:
  CertAuth : France
  CertTrusted : France
For the preceding example the main European relay now needs another trusted authority to be able to contact this subnet; otherwise no communication is possible between the subnet France and the rest of the network:
  CertTrusted : Europe, France
With the connections as shown in the preceding graphic, the French network can be contacted by one device only, the European relay; not even the master server can contact this subnet. For the master server to be able to contact the French subnet, France must also be added to its list of trusted authorities:
  CertTrusted : MasterServer, Asia, Europe, France
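The following is an added example, not part of the original documentation or product: a small model of the CertAuth/CertTrusted scheme described above, built from the configurations listed on this page (master server, console, Asia and Europe relays, and the isolated France subnet). It assumes the rule stated in the text, that a device can initiate a connection to another device only when the target's CertAuth appears in the initiator's CertTrusted list, and it checks the one-way Asia-to-Europe reachability and the France isolation claims; the device names are constructed for the example.

```python
# Added example (not from the original documentation). Models the trust rule
# described on the page: an initiator may contact a target only when the
# target's CertAuth is in the initiator's CertTrusted list. Device names and
# the build_network() layout are constructed to mirror the page's example.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Device:
    name: str
    cert_auth: str                                  # authority that issued this device's certificate
    cert_trusted: frozenset = field(default_factory=frozenset)  # authorities this device trusts


def can_contact(initiator: Device, target: Device) -> bool:
    """True when the initiator trusts the authority behind the target's certificate."""
    return target.cert_auth in initiator.cert_trusted


def reachable_from(target: Device, devices: list) -> set:
    """Names of every other device that is able to contact `target`."""
    return {d.name for d in devices if d is not target and can_contact(d, target)}


def build_network(master_trusts_france: bool = False) -> dict:
    """Constructed sample network following the certificate lists in the example above."""
    master_trust = {"MasterServer", "Asia", "Europe"}
    if master_trusts_france:                        # the last step on the page
        master_trust.add("France")
    devices = [
        Device("MasterServer", "MasterServer", frozenset(master_trust)),
        Device("Console", "MasterServer", frozenset({"MasterServer"})),
        Device("AsiaRelay", "Asia", frozenset({"Asia", "MasterServer", "Europe"})),
        Device("AsiaDevice", "Asia", frozenset({"Asia"})),
        Device("EuropeRelay", "Europe", frozenset({"Europe", "MasterServer", "France"})),
        Device("EuropeDevice", "Europe", frozenset({"Europe"})),
        Device("FranceRelay", "France", frozenset({"France"})),
        Device("FranceDevice", "France", frozenset({"France"})),
    ]
    return {d.name: d for d in devices}


if __name__ == "__main__":
    net = build_network()
    for src, dst in [("AsiaRelay", "EuropeDevice"), ("EuropeDevice", "AsiaRelay"),
                     ("Console", "AsiaDevice"), ("MasterServer", "FranceRelay")]:
        print(f"{src} -> {dst}: {can_contact(net[src], net[dst])}")
    # Only the Europe relay (and France's own children) can reach the French relay.
    print("FranceRelay reachable from:", reachable_from(net["FranceRelay"], list(net.values())))
    print("Master with France trusted ->FranceRelay:",
          can_contact(build_network(True)["MasterServer"], net["FranceRelay"]))
```

Running the audit over a real inventory of CertAuth/CertTrusted settings is a quick way to confirm that an isolated subnet is reachable only from the relays you intended.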