Cipher suites – Cobalt Co9992-4ENC-4K-HEVC Software-Defined Broadcast Encoder User Manual

As indicated in Figure 2, the process includes the following steps:

1. A CSR is generated based on the device key (either by the device itself or by someone
   with access to the key). The CSR has a number of configurable items that will be
   transferred to the final certificate. The most important item is the Common Name, which
   later can be used to block access. Other fields include Organization, locality, etc. These
   items are not checked by Cobalt devices.

2. The CSR file (which does not need to be kept confidential) is then given to the Certificate
   Authority, which then “signs”, generating the desired certificate. The configurable items
   in the CSR are copied into the certificate. At this step, the validity dates of the certificate
   are also set. Normally, the start date/time is whatever the local time is at the CA, and a
   duration (normally expressed in days) is specified.

3. The signed certificate needs to be given back to the device, to be used when it
   communicates with other devices.
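
The three steps above, as an added example that is not part of the Cobalt manual, run with the OpenSSL command line for one RSA key and one ECDSA key. The throwaway CA, the file names, the subject values and the 365-day duration are constructed for illustration; loading the signed certificate into the device is not shown.

```shell
#!/bin/sh
# Added example. The CA, file names, subject values and 365 days are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA standing in for the real Certificate Authority.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 1: device key and CSR. $1 = rsa|ecdsa, $2 = Common Name.
# The key stays with the device; only the CSR is handed to the CA.
make_csr() {
  case "$1" in
    rsa)   set -- "$1" "$2" RSA rsa_keygen_bits:2048 ;;
    ecdsa) set -- "$1" "$2" EC ec_paramgen_curve:P-256 ;;
    *)     return 1 ;;
  esac
  openssl genpkey -algorithm "$3" -pkeyopt "$4" -out "$WORK/$1.key" 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "/O=Example Org/CN=$2" -out "$WORK/$1.csr"
}

# Step 2: the CA signs the CSR; validity starts now and lasts $2 days.
sign_csr() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days "$2" -out "$WORK/$1.crt" 2>/dev/null
}

# Step 3, before installing: the certificate must chain to the CA and
# carry the same public key as the device key it will be paired with.
check_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1 || return 1
  a=$(openssl x509 -in "$WORK/$1.crt" -noout -pubkey | openssl sha256)
  b=$(openssl pkey -in "$WORK/$1.key" -pubout | openssl sha256)
  [ "$a" = "$b" ]
}

# Common Name copied from the CSR into the certificate.
cert_cn() {
  openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= *//p'
}

make_ca
for t in rsa ecdsa; do
  make_csr "$t" "encoder-01-$t"
  sign_csr "$t" 365
  check_cert "$t" && echo "$t: CN=$(cert_cn "$t")"
done
```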

Cipher Suites

RIST Main Profile defines two classes of cipher suites, with different key types:

Cipher suites that use RSA keys.

Cipher suites that use ECDSA keys.

Cobalt devices support both types of cipher suites. Since each type has a different key, each type
needs its own certificate. The whole process described in the previous sections applies to each
type of key. When a RIST Main Profile device connects to another RIST Main Profile device, it
will negotiate a common cipher suite that is supported on both sides. For maximum
compatibility with third-party devices, install both RSA and ECDSA keys and/or certificates in

Figure 2: Certificate Signing Process

[Diagram labels: DEVICE, KEY (Secret), CSR (Public), CERTIFICATE AUTHORITY, KEY (Secret), SIGN (Start Date/Time, End Date/Time), CERTIFICATE (Public)]
