348 V7122 Gateway User Guide

Figure 111 Example of a Base64-Encoded X.509 Certificate
[Certificate text enclosed between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines]

6 Before continuing, set the parameter HTTPSOnly = 0 to ensure you have a method of accessing the device in case the new certificate doesn't work. Restore the previous setting after testing the configuration.
7 In the Certificate screen (Figure 110) locate the server certificate loading section.
8 Click Browse, navigate to the cert.txt file, and then click Send File.
9 When the operation is completed, save the configuration (see Saving Configuration) and restart the gateway; the Embedded Web Server uses the provided certificate.

• The certificate replacement process can be repeated when necessary (for example, when the new certificate expires).
• It is possible to use the IP address of the gateway (for example, 10.3.3.1) instead of a qualified DNS name in the Subject Name. This practice is not recommended since the IP address is subject to change and may not uniquely identify the device.
• The server certificate can also be loaded via the ini file using the parameter 'HTTPSCertFileName'.

Client Certificates

By default, Web servers using SSL provide one-way authentication. The client is certain that the information provided by the Web server is authentic. When an organizational PKI is used, two-way authentication may be desired: both client and server should be authenticated using X.509 certificates. This is achieved by installing a client certificate on the managing PC, and loading the same certificate (in base64-encoded X.509 format) to the gateway Trusted Root Certificate Store. The Trusted Root Certificate file should contain both the certificate of the authorized user and the certificate of the CA.

Since X.509 certificates have an expiration date and time, the gateway must be configured to use NTP (see Simple Network Time Protocol Support) to obtain the current date and time. Without a correct date and time, client certificates cannot work.
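A pre-upload check for the certificate files described above, as an added example that is not part of the original guide: it confirms that a file holds the expected number of certificates, that each block is intact base64/DER, and that each is inside its validity period for a given clock value, which is the test that fails when the gateway clock was never set. The function names and the sample certificates (DER skeletons with dummy fields, built by `sample_pem`) are constructed for illustration; signatures and the chain to the CA are not verified.

```python
import base64, re
from datetime import datetime, timezone
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):               # -> (tag, value, next_pos) of one DER element
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                      # long form: the low 7 bits count the length bytes
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + n], pos + n

def parse_time(tag, val):
    s = val.decode("ascii")
    century = ("19" if s[:2] >= "50" else "20") if tag == 0x17 else ""  # UTCTime has a 2-digit year
    return datetime.strptime(century + s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def validity(der):                    # -> (notBefore, notAfter) of one DER certificate
    tag, cert, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tbs, fields, pos = read_tlv(cert, 0)[1], [], 0
    while pos < len(tbs):
        tag, val, pos = read_tlv(tbs, pos)
        if tag != 0xA0:               # skip the optional [0] version field
            fields.append(val)
    t1, nb, p = read_tlv(fields[3], 0)    # field order: serial, sigAlg, issuer, validity
    t2, na, _ = read_tlv(fields[3], p)
    return parse_time(t1, nb), parse_time(t2, na)

def check_pem(text, now, min_certs=1):
    """List problems in a PEM file, judged against the timezone-aware clock value `now`."""
    blocks = PEM_RE.findall(text)
    problems = [] if len(blocks) >= min_certs else [f"found {len(blocks)} certificate(s), need {min_certs}"]
    for i, b64 in enumerate(blocks, 1):
        try:
            nb, na = validity(base64.b64decode("".join(b64.split()), validate=True))
            if not nb <= now <= na:
                problems.append(f"cert {i}: not valid at {now:%Y-%m-%d}")
        except (ValueError, IndexError) as e:
            problems.append(f"cert {i}: bad base64/DER ({e})")
    return problems

def sample_pem(nb, na):               # constructed skeleton: dummy fields, no key or signature
    e = lambda tag, body: bytes([tag, len(body)]) + body   # short-form lengths only
    tbs = e(0x30, e(0xA0, e(2, b"\x02")) + e(2, b"\x01") + e(0x30, b"") * 2
            + e(0x30, e(0x17, nb) + e(0x17, na)) + e(0x30, b"") * 2)
    der = e(0x30, tbs + e(0x30, b"") + e(3, b"\x00"))
    return f"-----BEGIN CERTIFICATE-----\n{base64.encodebytes(der).decode()}-----END CERTIFICATE-----\n"
```

For a Trusted Root Certificate file, call `check_pem` with `min_certs=2` so that a file missing either the user certificate or the CA certificate is reported.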