Certificate Fingerprints


If HiView does not have an HTTPS certificate fingerprint on record for a device, then HiView displays the "Confirm HTTPS Certificate" dialog. The dialog contains the fingerprint of the HTTPS certificate. HiView also displays the "Confirm Applet Signature Certificate" dialog when a fingerprint for an applet signing certificate is not on record. To help prevent a man-in-the-middle attack, verify that each dialog contains the correct fingerprint before you accept the certificate.

If you do not know the fingerprint of the HTTPS certificate, then you can use HiView to get the fingerprint. To get the fingerprint of the HTTPS certificate, perform the following steps:
  • In a controlled environment, connect the isolated device whose fingerprint you want to get directly to your PC.
  • Open the GUI of the device.
  • When the fingerprint of the certificate is not recorded in the ssl_known_hosts file, HiView displays the "Confirm HTTPS Certificate" dialog.
  • Copy the fingerprint to a secure location.


If you do not know the fingerprint of the applet signing certificate, then you can use HiView to get the fingerprint. To get the fingerprint of the applet signing certificate, perform the following steps:
  • In a controlled environment, connect the device whose fingerprint you want to get directly to your PC.
  • Open the GUI of the device.
  • In the "Confirm HTTPS Certificate" dialog, click either the Accept or the Accept Permanently button. The "Confirm Applet Signature Certificate" dialog opens.
  • Copy the fingerprint to a secure location.


If HiView does not display the "Confirm HTTPS Certificate" dialog, then HiView accepted the fingerprint permanently in a previous session. To display the "Confirm HTTPS Certificate" dialog again, perform the following steps:
  • Close the GUI of the device.
  • Open the <Installation directory>/ssl_known_hosts text file.
  • Comment out the line that contains the IP address and fingerprint of the device.
  • In HiView, reopen the GUI of the device. The "Confirm HTTPS Certificate" dialog opens.


If HiView does not display the "Confirm Applet Signature Certificate" dialog, then HiView accepted the fingerprint permanently in a previous session. To display the "Confirm Applet Signature Certificate" dialog again, perform the following steps:
  • Close the GUI of the device.
  • Open the <Installation directory>/known_applet_signatures text file.
  • Comment out the fingerprint lines.
  • In HiView, reopen the GUI of the device. If HiView did not record the fingerprint of the HTTPS certificate in a previous session, the "Confirm HTTPS Certificate" dialog opens.
  • In the "Confirm HTTPS Certificate" dialog, click either the Accept or the Accept Permanently button. The "Confirm Applet Signature Certificate" dialog opens.



Note:
HiView displays the "Confirm Applet Signature Certificate" dialog for certificates issued around the release date of HiView 4.2, and later.




After the network administrator gets the fingerprint of the certificate, the network administrator uses a secure channel to send the fingerprint to the remote client. The remote client compares the fingerprint received from the network administrator to the fingerprint in the dialog. To help you verify the fingerprint, HiView lets you copy and paste the fingerprint into the "Fingerprint to verify" field.
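
The comparison described above can also be cross-checked outside HiView. The following is an added example, not code from HiView or Hirschmann: it compares a reference fingerprint with the hash of a DER-encoded certificate, tolerating differences in case and separators. The function names are hypothetical, the sample bytes are constructed, and the hash algorithm is inferred from the length of the reference value because this page does not state which hash HiView displays.

```python
import hashlib
import hmac
import ssl

# Hex digest length -> hash name. Which hash HiView shows is not stated on the
# page, so the algorithm is inferred from the length of the reference value.
_ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256"}


def normalize(fingerprint: str) -> str:
    """Strip separators (':', '-', whitespace) and lower-case the hex digits."""
    cleaned = "".join(ch for ch in fingerprint if ch not in ":- \t\r\n").lower()
    if not cleaned or any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError("fingerprint is not a hex string")
    return cleaned


def fingerprint_of(der_cert: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case fingerprint of a DER-encoded certificate."""
    digest = hashlib.new(algo, der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches(der_cert: bytes, reference: str) -> bool:
    """True only if the certificate hashes to the reference fingerprint."""
    ref = normalize(reference)
    algo = _ALGO_BY_HEX_LEN.get(len(ref))
    if algo is None:
        raise ValueError(f"unexpected fingerprint length: {len(ref)} hex digits")
    actual = normalize(fingerprint_of(der_cert, algo))
    return hmac.compare_digest(actual, ref)


def fetch_der(host: str, port: int = 443) -> bytes:
    """Read the certificate a device presents, without validating it."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


# Constructed stand-in bytes, not a real certificate: the fingerprint is only a
# hash over the DER encoding, so any byte string demonstrates the comparison.
SAMPLE_DER = b"constructed-sample-certificate-bytes"
REFERENCE = fingerprint_of(SAMPLE_DER, "sha256")  # value sent by the administrator

if __name__ == "__main__":
    print(matches(SAMPLE_DER, REFERENCE.lower().replace(":", " ")))  # True
    print(matches(SAMPLE_DER + b"x", REFERENCE))                     # False
```

Use `fetch_der` only on the directly connected device in the controlled environment; the reference value must still arrive over a separate secure channel.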

The buttons in the dialog let you perform the following actions:
  • Accept
    HiView accepts the certificate, but does not record the fingerprint for future reference. HiView opens the dialog for confirmation each time you access the device.
  • Accept Permanently
    HiView records the fingerprint for future reference.
  • Cancel
    The dialog closes without making a connection to the device. The fingerprint is not recorded for future reference.


Hirschmann Automation and Control GmbH
www.hivision.de
www.beldensolutions.com