Authentication Overview

A BMENOR2200H module can be authenticated in two ways:

  • Self-signed certificate

  • Certificate Authority (CA)

The RTU module creates a self-signed certificate for:

  • Configuration of the cyber security settings via the module web pages

  • Diagnostic of the module via its web pages

  • Firmware upgrade

Certificate Limitations

Certificates used to communicate with the RTU module are subject to the following limitations, listed separately for self-signed and CA certificates:

Self-Signed Certificates:

  • KeyUsage (marked as critical):

    • DigitalSignature

    • KeyEncipherment (not used by TLS cipher suites based on ephemeral keys, such as TLS_ECDHE_xxxx; used by TLS_RSA_xxxx suites)

    • KeyCertSign: set when the subject public key is used to verify signatures on public key certificates (value TRUE)

    • nonRepudiation

    • dataEncipherment

  • Subject Alternative Name (SAN): the following value types can be specified in the SAN field: IPAddress (IPv4/IPv6), URI

  • Basic Constraints:

    • cA field: indicates whether the certified public key may be used to verify certificate signatures (value TRUE), with pathLenConstraint=0

  • Subject Key Identifier:

    • Provides a means of identifying certificates that contain a particular public key; its value is the 160-bit SHA-1 hash of the value of the BIT STRING subjectPublicKey (excluding the tag, length, and number of unused bits).

  • Extended Key Usage extension:

    • id-kp-serverAuth for TLS Web server authentication

    • id-kp-clientAuth for TLS Web client authentication

CA Certificates:

  • KeyUsage (marked as critical):

    • DigitalSignature

    • KeyEncipherment (not used by TLS cipher suites based on ephemeral keys, such as TLS_ECDHE_xxxx; used by TLS_RSA_xxxx suites)

    • KeyCertSign: set when the subject public key is used to verify signatures on public key certificates (value FALSE)

    • nonRepudiation

    • dataEncipherment

  • Subject Alternative Name (SAN): the following value types can be specified in the SAN field: IPAddress (IPv4/IPv6), URI

  • Basic Constraints:

    • cA field: indicates whether the certified public key may be used to verify certificate signatures (value FALSE)

  • Extended Key Usage extension:

    • id-kp-serverAuth for TLS Web server authentication

    • id-kp-clientAuth for TLS Web client authentication

  • CRL Distribution Points

  • Authority Key Identifier:

    • Identifies the public key corresponding to the private key used to sign the certificate.
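The following script is an added example, not part of this manual and not Schneider Electric code, that covers both the self-signed and the CA certificate profiles above. It builds a self-signed RSA certificate carrying the listed extension set, then checks any certificate against either profile (critical KeyUsage bits, SAN value types, cA and pathLenConstraint, the SHA-1 Subject Key Identifier, Extended Key Usage, and for CA-issued certificates the Authority Key Identifier and CRL Distribution Points). It assumes the third-party cryptography package; the common name, IP address and URI are constructed sample values, and check_profile and make_self_signed_cert are hypothetical names.

```python
# Added example, not Schneider Electric code. Requires the third-party
# "cryptography" package (pip install cryptography). The common name, IP
# and URI below are constructed sample values.
import datetime
import hashlib
import ipaddress

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def make_self_signed_cert(ip="192.0.2.10", uri="https://rtu.example.invalid"):
    """Build a self-signed RSA certificate carrying the extension set the manual
    lists for the module's own certificate (sample subject and SAN values)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "rtu-example")])
    now = datetime.datetime.now(datetime.timezone.utc)
    # KeyUsage is marked critical; content_commitment is the nonRepudiation bit.
    key_usage = x509.KeyUsage(
        digital_signature=True, content_commitment=True, key_encipherment=True,
        data_encipherment=True, key_agreement=False, key_cert_sign=True,
        crl_sign=False, encipher_only=False, decipher_only=False)
    san = x509.SubjectAlternativeName([
        x509.IPAddress(ipaddress.ip_address(ip)),
        x509.UniformResourceIdentifier(uri)])
    builder = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(key_usage, critical=True)
        .add_extension(san, critical=False)
        # cA=TRUE with pathLenConstraint=0: the key verifies only its own signature.
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()),
                       critical=False)
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]),
                       critical=False))
    return builder.sign(key, hashes.SHA256())


def _ext(cert, cls):
    """Return the extension of the given class, or None if absent."""
    try:
        return cert.extensions.get_extension_for_class(cls)
    except x509.ExtensionNotFound:
        return None


def check_profile(cert, expect_ca):
    """Return the list of deviations from the manual's profile. expect_ca=True
    checks the self-signed profile (cA TRUE, pathLen 0, KeyCertSign TRUE);
    expect_ca=False checks the profile for a CA-issued certificate."""
    findings = []
    ku = _ext(cert, x509.KeyUsage)
    if ku is None or not ku.critical:
        findings.append("KeyUsage missing or not marked critical")
    else:
        for bit, wanted in (("digital_signature", True), ("content_commitment", True),
                            ("key_encipherment", True), ("data_encipherment", True),
                            ("key_cert_sign", expect_ca)):
            if getattr(ku.value, bit) != wanted:
                findings.append(f"KeyUsage.{bit} should be {wanted}")
    bc = _ext(cert, x509.BasicConstraints)
    if bc is None or bc.value.ca != expect_ca:
        findings.append(f"BasicConstraints.cA should be {expect_ca}")
    elif expect_ca and bc.value.path_length != 0:
        findings.append("BasicConstraints.pathLenConstraint should be 0")
    san = _ext(cert, x509.SubjectAlternativeName)
    for gn in (san.value if san is not None else []):
        if not isinstance(gn, (x509.IPAddress, x509.UniformResourceIdentifier)):
            findings.append(f"unsupported SAN entry type {type(gn).__name__}")
    eku = _ext(cert, x509.ExtendedKeyUsage)
    wanted_eku = {ExtendedKeyUsageOID.SERVER_AUTH, ExtendedKeyUsageOID.CLIENT_AUTH}
    if eku is None or not (wanted_eku & set(eku.value)):
        findings.append("ExtendedKeyUsage lacks serverAuth/clientAuth")
    # Subject Key Identifier per RFC 5280 method 1: SHA-1 over the subjectPublicKey
    # BIT STRING, which for an RSA key is the DER-encoded PKCS#1 RSAPublicKey.
    ski = _ext(cert, x509.SubjectKeyIdentifier)
    spk = cert.public_key().public_bytes(Encoding.DER, PublicFormat.PKCS1)
    if ski is None or ski.value.digest != hashlib.sha1(spk).digest():
        findings.append("SubjectKeyIdentifier is not the SHA-1 of subjectPublicKey")
    if not expect_ca:
        # A CA-issued certificate also carries the issuer's key id and CRL DPs.
        for cls in (x509.AuthorityKeyIdentifier, x509.CRLDistributionPoints):
            if _ext(cert, cls) is None:
                findings.append(f"missing {cls.__name__}")
    return findings


if __name__ == "__main__":
    cert = make_self_signed_cert()
    print("self-signed profile:", check_profile(cert, expect_ca=True) or "OK")
    print("CA-issued profile:", check_profile(cert, expect_ca=False))
```

Running the script shows the generated certificate passing the self-signed profile and failing the CA-issued profile on exactly the points where the two lists differ (cA, KeyCertSign, and the missing Authority Key Identifier and CRL Distribution Points). To check a real certificate, load it with x509.load_pem_x509_certificate and pass it to check_profile; the SHA-1 check is written for RSA keys, which is what the PKCS1 public-key format covers.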