Configuring the trust level on the devices

The certificate-based encryption of the management protocol for communication between the Scout Server and the eLux client requires the verification of the relevant certificates (Chain of trust). By default, encryption is carried out via a self-signed certificate automatically generated by the Scout Server.

If you use a certificate issued by a CA (CA certificate), make sure you transfer the corresponding root certificates to the devices. If the root certificate does not exist on a device and the certificate check is enabled, the device can no longer be reached by the Scout Server.
To make this easier, you can perform both steps, enabling the certificate check and transferring the certificates, in one move.

In addition, the Scout Server must be configured accordingly and provide the certificate locally.

  1. To enable the certificate check, configure the trust level for the relevant devices with the option TlsVerifyOption.

    To do so, use the Advanced file entries feature of the Scout Console:

    File:     /setup/terminal.ini
    Section:  Security
    Entry:    TlsVerifyOption
    Value:
      0  Certificate is not verified
      1  Certificate is verified
      3  Certificate is verified with additional verification that the Scout Server name matches the Subject Common Name (CN) or Subject Alternative Name (SAN) in the certificate.

    For further information, see Advanced file entries in the Scout guide.

  2. If you use a CA certificate, make sure you transfer all corresponding root/intermediate certificates of your CA to the directory /setup/cacerts/scoutsrv on the devices. This is where the system searches for the required certificates once the certificate check is enabled (Chain of trust).

    For further information, see Files configured for transfer in the Scout guide.

  3. If you use a CA certificate, in the next step, configure the Scout Server. For further information, see Configuring Scout Server for communication via CA certificates.

  4. Restart the devices.

    After the terminal.ini file has been updated on the device, one more device restart might be required to enable the new setting.

Once you have enabled trust level 1 or 3 for a device, it can only communicate with its Scout Server by using valid certificates. With trust level 3, the device name is verified in addition.
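
A pre-flight check for the lock-out case described above, as an added example that is not part of the Scout documentation: it uses the OpenSSL command line to approximate trust levels 1 and 3 against a locally staged copy of the certificates destined for /setup/cacerts/scoutsrv. The staging directory, the *.pem file naming, the server name scout.example.test and the generated test certificates are assumptions constructed for illustration; the verification performed on the device may differ in detail.

```shell
#!/usr/bin/env bash
# Added example (not vendor code). Assumes the OpenSSL CLI and PEM files staged
# locally in a directory mirroring what goes to /setup/cacerts/scoutsrv.

# preflight <server_cert.pem> <staged_ca_dir> <scout_server_name> <TlsVerifyOption>
# Returns 0 if the certificate verifies at that trust level, 1 if it does not,
# 2 if the trust level is not one of the documented values 0, 1 or 3.
preflight() {
    local cert="$1" cadir="$2" name="$3" level="$4" bundle rc=0
    case "$level" in 0|1|3) ;; *) return 2 ;; esac
    [ "$level" = 0 ] && return 0     # 0: certificate is not verified
    bundle=$(mktemp)
    cat "$cadir"/*.pem > "$bundle" 2>/dev/null || true
    # Trust only the staged certificates, never the workstation's system store.
    SSL_CERT_DIR=/nonexistent SSL_CERT_FILE=/nonexistent \
        openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1 || rc=1
    if [ "$rc" = 0 ] && [ "$level" = 3 ]; then
        # 3: the server name must also match the Subject CN or a SAN entry.
        openssl x509 -in "$cert" -noout -checkhost "$name" 2>/dev/null \
            | grep -q "does match" || rc=1
    fi
    rm -f "$bundle"
    return "$rc"
}

# Constructed sample PKI (not real certificates): a throwaway root CA in
# <dir>/staged and a server certificate for the hypothetical name
# scout.example.test in <dir>/srv.pem. <dir>/empty models a device without roots.
make_fixture() {
    local d="$1"
    mkdir -p "$d/staged" "$d/empty"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test Root" \
        -keyout "$d/ca.key" -out "$d/staged/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=scout.example.test" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    openssl x509 -req -in "$d/srv.csr" -days 1 -CA "$d/staged/root.pem" \
        -CAkey "$d/ca.key" -CAcreateserial -out "$d/srv.pem" 2>/dev/null
}
```

Run preflight with the certificate the Scout Server will present and the exact set of files queued for transfer; a result of 1 at the planned trust level corresponds to the missing-root or name-mismatch condition described above and should be resolved before the devices are restarted.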