Re: Machine certificates
A machine certificate encrypts all web interface traffic from the MFP to a client computer. Its main use is for protecting the information entered into the web interface.
A site certificate is the public key for a local certificate authority and is used by the MFP for verification of resources it needs to access. A good example is LDAP over a TLS connection, where the MFP needs to communicate back to an LDAP server or domain controller and also trust the server(s) it's communicating with since they are part of the local network as opposed to the overall internet.
That's the thousand foot view; for those of you whose eyes glaze over, here's the short version:
Machine cert: makes the MFP trustable to other devices
Site cert: makes the MFP trust other devices
I usually recommend against TLS on web interfaces, even though there is value to doing it, because not every device is going to be able to meet modern cryptography standards (TLS 1.2 or higher, no hash strength below 128 bits, etc.). With desk printers and MFPs sitting around longer, you can have perfectly good devices that may offer too weak an encryption method for a TLS cert.
Instead, I recommend a separate network segment for printers with access to port 80 limited only to specific systems. That way the only way to access the web interface is through one of those systems. For customers with a more or less 'flat' network, I'd go a different route depending on their risk profile; generally it would be entering passwords from the device display as opposed to the web interface.
Sent from my BlackBerry using Tapatalk