Configuring Settings for Key Pairs and Digital Certificates

To encrypt communication with a remote device using a shared key, that key would first have to be sent over the same unsecured network. Public-key cryptography solves this problem. It ensures secure communication by protecting important and valuable information from attacks such as sniffing, spoofing, and tampering with data as it flows over a network.
Key Pair
A key pair consists of a public key and a secret key. Data encrypted with one key of the pair can only be decrypted with the other, so the public key can be handed out freely while the secret key never leaves the machine; this is how public-key cryptography secures communication of data over the network. Key pairs are used for TLS encrypted communication, TLS in IEEE 802.1X authentication, and IPSec communication. Up to eight key pairs can be registered (Using CA-issued Key Pairs and Digital Certificates). For TLS encrypted communication, the machine can also generate a key pair by itself (Using Generated Key Pairs).
CA Certificate
Digital certificates, including CA certificates, are similar to other forms of identification, such as driver's licenses. A digital certificate carries a digital signature made by its issuer, which lets the machine detect spoofing or tampering: any change to the certificate's contents invalidates the signature, and a third party cannot produce a valid signature without the issuer's secret key. A digital certificate that contains the public key of a certification authority (CA) is referred to as a CA certificate. The machine uses CA certificates to verify the device it is communicating with, for features such as IEEE 802.1X authentication. Up to eight CA certificates can be registered, including the two certificates that are preinstalled in the machine (Using CA-issued Key Pairs and Digital Certificates).

Key and Certificate Requirements

The certificate contained in a key pair generated with the machine conforms to X.509v3. If you install a key pair or a CA certificate from a computer, make sure that it meets the following requirements:
Key Pair
  Type: PKCS#12 *1
  File extension: ".p12" or ".pfx"
  Public-key algorithm (and key length): RSA (512 bits *2, 1024 bits, 2048 bits, or 4096 bits)
  Certificate signature algorithm: SHA1-RSA, SHA256-RSA, SHA384-RSA *3, SHA512-RSA *3, MD5-RSA, MD2-RSA
  Certificate thumbprint algorithm: SHA1
*1 The certificate contained in the key pair must meet the same requirements as a CA certificate (see below).
*2 Not supported when the operating system of the device the machine communicates with is Windows 8/Server 2012. Encrypted communication may also be unavailable with other Windows versions, depending on which updates have been installed.
*3 SHA384-RSA and SHA512-RSA are available only when the RSA key length is 1024 bits or more.
These are the values the machine accepts, not a recommendation: 512-bit RSA keys and MD2, MD5, and SHA1 signatures are considered weak and are rejected by current browsers and operating systems, so for a new key pair choose an RSA key of 2048 bits or more with a SHA256-RSA signature.
CA Certificate
  Format: X.509v1 DER (encoded binary) or X.509v3 DER (encoded binary)
  File extension: ".cer"
  Public-key algorithm (and key length): RSA (512 bits *1, 1024 bits, 2048 bits, or 4096 bits); DSA (1024 bits, 2048 bits, or 3072 bits)
  Certificate signature algorithm: SHA1-RSA, SHA256-RSA, SHA384-RSA *2, SHA512-RSA *2, SHA1-DSA, MD5-RSA, MD2-RSA
  Certificate thumbprint algorithm: SHA1
*1 Not supported when the operating system of the device the machine communicates with is Windows 8/Server 2012. Encrypted communication may also be unavailable with other Windows versions, depending on which updates have been installed.
*2 SHA384-RSA and SHA512-RSA are available only when the RSA key length is 1024 bits or more.
A ".cer" file that was exported in Base64 (PEM) text form must be converted to DER binary form before it is installed.
The machine does not support use of a certificate revocation list (CRL). A certificate that its CA has since revoked is therefore still accepted as long as it is otherwise valid; if a registered CA certificate or key pair is compromised, delete it from the machine rather than relying on revocation.
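As an added example (not Canon's code and not part of the original page), the following Python script checks a DER-encoded ".cer" file against the CA Certificate requirements above: X.509 version, public-key algorithm and key length, signature algorithm, the footnote rule that SHA384-RSA and SHA512-RSA need an RSA key of at least 1024 bits, and the SHA1 thumbprint the machine displays. Because the certificate inside a PKCS#12 key pair follows the same rules, the same check applies to a certificate exported from a ".p12". It uses only the standard library; the sample certificate it builds is constructed inside the script with a dummy modulus and a zero signature, so it is not a real key or a real certificate, and the function and constant names are the author's own.

```python
"""Check a .cer (DER X.509) against the CA-certificate table above; stdlib only."""
import hashlib

SIG_OIDS = {"1.2.840.113549.1.1.2": "MD2-RSA", "1.2.840.113549.1.1.4": "MD5-RSA",
            "1.2.840.113549.1.1.5": "SHA1-RSA", "1.2.840.113549.1.1.11": "SHA256-RSA",
            "1.2.840.113549.1.1.12": "SHA384-RSA", "1.2.840.113549.1.1.13": "SHA512-RSA",
            "1.2.840.10040.4.3": "SHA1-DSA"}                 # RFC 3279 / RFC 4055
KEY_OIDS = {"1.2.840.113549.1.1.1": "RSA", "1.2.840.10040.4.1": "DSA"}
KEY_SIZES = {"RSA": {512, 1024, 2048, 4096}, "DSA": {1024, 2048, 3072}}

def tlv(buf, pos=0):
    """One DER tag-length-value at pos -> (tag, body, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                        # long form: n length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """(tag, body) for each element inside a SEQUENCE or SET."""
    pos = 0
    while pos < len(body):
        tag, val, pos = tlv(body, pos)
        yield tag, val

def decode_oid(body):
    parts, acc = [str(body[0] // 40), str(body[0] % 40)], 0
    for b in body[1:]:                                       # base-128 digits, high bit = more follow
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, acc = parts + [str(acc)], 0
    return ".".join(parts)

def int_bits(body):                                          # DER INTEGER body -> bit length
    return int.from_bytes(body, "big", signed=True).bit_length()

def inspect_cer(der_bytes):
    """Version, key algorithm and length, signature algorithm, SHA-1 thumbprint."""
    _, cert, _ = tlv(der_bytes)
    (_, tbs_body), (_, sig_alg), _ = children(cert)         # tbsCertificate, signatureAlgorithm, signature
    tbs, version = list(children(tbs_body)), 1
    if tbs[0][0] == 0xA0:                                    # EXPLICIT [0] version holds v-1
        version, tbs = tbs[0][1][2] + 1, tbs[1:]
    # tbs is now serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    (_, key_alg_id), (_, pub_key) = children(tbs[5][1])
    alg = list(children(key_alg_id))
    key_alg, key_bits = KEY_OIDS.get(decode_oid(alg[0][1]), "unknown"), None
    if key_alg == "RSA":                                     # BIT STRING wraps RSAPublicKey {n, e}
        key_bits = int_bits(next(children(tlv(pub_key[1:])[1]))[1])
    elif key_alg == "DSA":                                   # Dss-Parms {p, q, g} sit in the parameters
        key_bits = int_bits(next(children(alg[1][1]))[1])
    sig_oid = decode_oid(next(children(sig_alg))[1])
    return {"version": version, "key_alg": key_alg, "key_bits": key_bits,
            "sig_alg": SIG_OIDS.get(sig_oid, sig_oid),
            "thumbprint": hashlib.sha1(der_bytes).hexdigest().upper()}

def check_ca_cert(der_bytes):
    """(problems, warnings): problems break the table's rules, warnings are accepted but weak."""
    i, problems, warnings = inspect_cer(der_bytes), [], []
    if i["version"] not in (1, 3):
        problems.append(f"X.509 v{i['version']} not supported")
    if i["key_alg"] not in KEY_SIZES:
        problems.append(f"public-key algorithm {i['key_alg']} not supported")
    elif i["key_bits"] not in KEY_SIZES[i["key_alg"]]:
        problems.append(f"{i['key_alg']} key length {i['key_bits']} not supported")
    if i["sig_alg"] not in SIG_OIDS.values():
        problems.append(f"signature algorithm {i['sig_alg']} not supported")
    elif i["sig_alg"] in ("SHA384-RSA", "SHA512-RSA") and (i["key_bits"] or 0) < 1024:
        problems.append(f"{i['sig_alg']} needs an RSA key of 1024 bits or more")  # footnote *2
    if i["key_bits"] == 512 or i["sig_alg"].startswith(("MD", "SHA1")):
        warnings.append(f"accepted but weak: {i['key_bits']}-bit {i['key_alg']} with "
                        f"{i['sig_alg']}; prefer 2048-bit RSA with SHA256-RSA")
    return problems, warnings

# Constructed sample input, not a real certificate: a tiny DER encoder builds a self-issued
# X.509v3 shell with an RSA modulus of exactly key_bits bits and an all-zero signature.
def der(tag, body):
    n = len(body)
    length = bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def der_int(i):
    return der(0x02, i.to_bytes(i.bit_length() // 8 + 1, "big"))  # extra byte keeps the sign positive

def der_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        n = max(1, (p.bit_length() + 6) // 7)
        body += [((p >> (7 * k)) & 0x7F) | (0x80 if k else 0) for k in range(n - 1, -1, -1)]
    return der(0x06, bytes(body))

def build_sample_cer(key_bits=2048, sig_oid="1.2.840.113549.1.1.11"):
    alg_id = der(0x30, der_oid(sig_oid) + b"\x05\x00")                   # AlgorithmIdentifier + NULL
    name = der(0x30, der(0x31, der(0x30, der_oid("2.5.4.3") + der(0x0C, b"Sample Printer CA"))))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"340101000000Z"))
    rsa_key = der(0x30, der_int((1 << (key_bits - 1)) | 1) + der_int(65537))   # n is a dummy, not a key
    spki = der(0x30, der(0x30, der_oid("1.2.840.113549.1.1.1") + b"\x05\x00") + der(0x03, b"\x00" + rsa_key))
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(1) + alg_id + name + validity + name + spki)
    return der(0x30, tbs + alg_id + der(0x03, b"\x00" + bytes(key_bits // 8)))
```

To check a real file, call check_ca_cert(open("ca.cer", "rb").read()); for a key pair, first extract the certificate with openssl pkcs12 -in key.p12 -clcerts -nokeys -out cert.pem and convert it with openssl x509 -in cert.pem -outform DER -out cert.cer. The script only inspects structure and does not verify the signature, which is all the requirements table is about; check_ca_cert(build_sample_cer(512, "1.2.840.113549.1.1.12")) reports the footnote *2 violation, and check_ca_cert(build_sample_cer(3072)) reports that 3072-bit RSA is not in the table even though 3072-bit DSA is.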
0J3J-051