ctrlX OS Cybersecurity - Certificate Management

This video explains the Certificate Management integrated in the ctrlX OS (operating system) used with ctrlX CORE products. We cover some basic background on certificates and then do a live demonstration of setting up a remote certificate authority to issue certificates to the ctrlX CORE. We then show you how to use a certificate to establish a trusted HTTPS connection between the ctrlX CORE and our Web browser as a client. ctrlX OS is Cyber Resilience Act ready and certified per IEC 62443-4-2, which specifies security features and functions for individual IACS products (components). Link: https://apps.boschrexroth.com/microsites/ctrlx-automation/en/news-stories/story/ready-for-the-cyber-resilience-act/ Video Topics: 00:09 Introduction 00:45 Cryptography review - science of securing messages offering services - Confidentiality / Authenticity / Integrity / Non-repudiation of origin and delivery / Access control 02:14 Symmetric encryption - fast - Ceaser Cipher - AES (Advanced Encryption Standard) 04:37 Asymmetric Encryption - private key and public key via Certificate - needs more computation power - RSA (Rivest–Shamir–Adleman) - For encryption, digital signatures, key exchange - Diffie-Hellman (DH) - Specifically for key exchange (to establish a shared secret). - ECC (Elliptic Curve Cryptography) - Similar security to RSA with shorter keys, used for signatures (ECDSA) and key exchange (ECDH). 06:40 Certificates overview – digital ID card - Certificate Authority (CA) - common root of trust - provide identity verified public keys 09:05 ctrlX OS Web UI – Certificates - connection is not private because Certificate Authority in browser invalid - Settings – Security – Certificates & Keys - Certificate store: Node-RED, Data Layer, Web server, SSH, Network security, … 11:35 Establishing trusted HTTPS connection - between ctrlX CORE web server and our browser as a client - Certificate store: Web server - configure a remote certificate authority (CA) - Manage PKIs (Public Key Infrastructure) - SCEP Simple Certificate Enrolment Protocol server address and port - SCEP options for key renewal - PKCS (Public Key Cryptography Standards) 15: 39 Create new web server certificate - webserver_custom_cert.pem - ctrlX CORE stores certificates & keys on TPM2.0 chip (Trusted Platform Module) - Certificate enrollment via PKI, the SCEP server in this example - Create new key to match SCEP server - webserver_custom_key.pem - ctrlX devices require the device’s IP address under “Subject alternative name” - SSH connection to SCEP server - Useful features for a secure connection to the browser client. - Certificate renewal - Revocation list 21:18 Restart ctrlX CORE to serve new web server certificate 21:41 Install certificate authority into web browser client Google Chrome - Settings – Privacy and security – Security – Manage certificates - custom local certificate installation, import 22:49 Verify connection - Display custom web server certificate served by ctrlX CORE - Full HTTPS, TLS encrypted communication between ctrlX CORE and Google Chrome 23:26 Conclusion - Applications installed on the ctrlX Operating System - can integrate into the certificate store system - utilize the TPM 2.0 chip on the ctrlX CORE hardware - additional information and documentation at - Bosch Rexroth SDK GitHub - ctrlX Automation Community - R911411572 ctrlX OS on ctrlX DRIVEplus CORE X - Secure Configuration Manual Visit and join the ctrlX AUTOMATION to access https://community.boschrexroth.com/ctrlx-automation-fievtt9z - Getting Started videos - e-Learning portal with free training - Store – download ctrlX APPs - How-to – technical notes - Forum – information exchange on many topics - Device Portal – securely connect and monitor your ctrlX CORE - Docs – access the latest online documentation - Configurator – online tool to select all components and software for a ctrlX system - EPLAN Generator – get PDF and edz files of ctrlX hardware - GitHub – get access to software development kits (SDKs) and open source code - Download ctrlX software Product documentation, go to https://bit.ly/39Kgx64 and search for “en ctrlX” Full playlist at: https://www.youtube.com/playlist?list=PLYFUPeujnKJVpft2-dvQzf9ZDTUA-exk-