Canon printer imageCLASS MF247dw User Manual

							Usingtheoperationpanel	 You can also enable or disable IEEE 802.1X authentication from  in the  screen. 
IEEE
802.1XSettings(P.482)
LINKS
Con4gurLng SettingsforKeyPairsandDigital CertL4cates(P.434)
Security
433       
						

							Con4gurLngSettingsforKeyPairsandDigital
CertL4cates
1469-089
In order to encrypt communication with a remote device, an encryption key must be sent and received over an unsecured network beforehand. This problem is solved by public-key cryptography. Public-key cryptography ensuressecure communication by protecting important and valuable information from attacks, such as  sniwng, spoo4ng,  and
tampering of data as it  5ows over a network.
KeyPair
 A key pair consists of a public key and a secret key, both of which are required for encrypting or decrypting data. Because data that has been encrypted with one of the key pair cannot be
returned to its original data form without the other, public-key cryptography ensures secure
communication of data over the network. A key pair is used for TLS encrypted communication or TLS of the IEEE 802.1X authentication. Up to  4ve key pairs (including the preinstalled pairs)
can be generated to the machine ( 
UsingCA-issuedKeyPairsandDigital
CertL4cates (P.443)). A key pair can be generated with the machine ( 
GeneratingKey
Pairs(P.436) ).
CACertL4cate
 Digital  certi4cates  including CA  certi4cates are similar to other forms of  identi4cation, such as
driver's licenses. A digital  certi4cate contains a digital signature, which enables the machine to
detect any  spoo4ng or tampering of data. It is extremely  diwcult for third parties to abuse
digital  certi4cates.  A digital certi4cate  that contains a public key of a  certi4cation authority (CA)
is referred to as a CA  certi4cate. CA certi4cates  are used for verifying the device the machine is
communicating with for features such as printing with Google Cloud Print or IEEE 802.1X
authentication. Up to 67 CA  certi4cates can be registered, including the 62  certi4cates that are
preinstalled in the machine ( 
UsingCA-issuedKeyPairsandDigital CertL4cates(P.443)).
	CKey and 
Certi4cate  Requirements
The  certi4cate  contained in a key pair generated with the machine conforms to X.509v3. If you install a key pair or a CA
certi4cate  from a computer, make sure that they meet the following requirements:
Format	Key pair: PKCS#12 *1
	 CA  certi4cate  X.509v1 or X.509v3, DER (encoded binary), PEMFile extension	Key pair: ".p12" or ".pfx"
	 CA  certi4cate  ".cer"Public key algorithm
(and key length)RSA (512 bits, 1024 bits, 2048 bits, or 4096 bits)Certi4cate  signature algorithmSHA1-RSA, SHA256-RSA, SHA384-RSA *2
, SHA512-RSA *2
, MD5-RSA, or MD2-RSACerti4cate  thumbprint algorithmSHA1*1 
Requirements for the  certi4cate contained in a key pair are pursuant to CA  certi4cates.
*2  SHA384-RSA and SHA512-RSA are available only when the RSA key length is 1024 bits or more.
Security
434          
						

								The machine does not support use of a  certi4cate revocation list (CRL).
Security
435 
						

							GeneratingKeyPairs
1469-08A
A key pair can be generated with the machine when it is required for encrypted communication via Transport Layer
Security (TLS). You can use TLS when accessing the machine via the Remote UI. Up to  4ve key pairs (including the
preinstalled pairs) can be generated to the machine. Self-signed  certi4cates are used with key pairs generated in
"Network Communication". With a "Key and  Certi4cate Signing Request (CSR)", you can apply for a CA-issued digital
certi4cate  for the key pair generated by the machine.
GenerateNetworkCommunicationKey(P.436)
GenerateKeyand CertL4cateSigningRequest(CSR)(P.438)
Generate Network Communication Key
1StarttheRemoteUIandlogoninSystemManagerMode.StartingRemote
UI(P.450)2Click[Settings/[email protected][SecuritySettings@[Keyand CertL4cate [email protected]
436          
						

							4Click[GenerateKey@.
Deletingaregisteredkeypair	 Click [Delete] on the right of the key pair you want to delete 
 click [OK].
	 A  key  pair  cannot  be  deleted  if  it  is  currently  used  for  some  purpose,  such  as  when  "[TLS]"  or  "[IEEE
802.1X]"  is  displayed  under  [Key  Usage].  In  this  case,  disable  the  function  or  replace  the  key  pair  before deleting it.
5Select[NetworkCommunication@andclick[[email protected]settingsforthekeyand certL4cate.
 [KeySettings@
[KeyName@
Security
437 
						

							Enter up to 24 alphanumeric characters for naming the key pair. Set a name that will be easy for you to4nd  later in a list.
[SignatureAlgorithm@
Select the signature algorithm from the drop-down list.
[KeyAlgorithm@
RSA is used for generating a key pair. Select the key length from the drop-down list. The larger the
number for the key length, the slower the communication. However, the security is tighter.   
	 [512-bit] cannot be selected for the key length, if [SHA384] or [SHA512] is selected for [Signature
Algorithm].
  >CertL4cate Settings@
[ValidityStartDate(YYYY/MM/DD)@ Enter the validity start date of the  certi4cate in the range between 01/01/2000 and 12/31/2099, in the
order of: year, month, day.
[ValidityEndDate(YYYY/MM/DD)@
Enter the validity end date of the  certi4cate in the range between 01/01/2000 and 12/31/2099, in the
order of: year, month, day. A date earlier than [Validity Start Date (YYYY/MM/DD)] cannot be set.
[Country/Region@
Click the [Select Country/Region] radio button and select the country/region from the drop-down list. You can also click the [Enter Internet Country Code] radio button and enter a country code, such as "US"
for the United States.
[State@/[City@
Enter up to 24 alphanumeric characters for the location as necessary.
[Organization@/[OrganizationUnit@
Enter up to 24 alphanumeric characters for the organization name as necessary.
[CommonName@
Enter up to 48 alphanumeric characters for the common name of the  certi4cate as necessary. "Common
Name" is often abbreviated as "CN."
7Click[OK@.
	 Keys for network communication may take approximately 10 to 15 minutes to generate.
	 After a key pair is generated, it is automatically registered to the machine.
Generate Key and  Certi4cate Signing Request (CSR)
1StarttheRemoteUIandlogoninSystemManagerMode.
StartingRemoteUI(P.450)
2Click[Settings/[email protected]
438    
						

							3Click[SecuritySettings@[KeyandCertL4cate [email protected][GenerateKey@.
Deletingaregisteredkeypair
	 Click [Delete] on the right of the key pair you want to delete 
 click [OK].
	 A  key  pair  cannot  be  deleted  if  it  is  currently  used  for  some  purpose,  such  as  when  "[TLS]"  or  "[IEEE
802.1X]"  is  displayed  under  [Key  Usage].  In  this  case,  disable  the  function  or  replace  the  key  pair  before deleting it.
5Select[Keyand CertL4cateSigningRequest(CSR)@andclick[[email protected]
439 
						

							6SpecifysettingsforthekeyandcertL4cate.
 [KeySettings@
[KeyName@
Enter up to 24 alphanumeric characters for naming the key pair. Set a name that will be easy for you to
4nd  later in a list.
[SignatureAlgorithm@
Select the signature algorithm from the drop-down list.
[KeyAlgorithm@
RSA is used for generating a key pair. Select the key length from the drop-down list. The larger the
number for the key length, the slower the communication. However, the security is tighter.
   
	 [512-bit] cannot be selected for the key length, if [SHA384] or [SHA512] is selected for [Signature
Algorithm].
  >CertL4cate SigningRequest(CSR)Settings@
[Country/Region@ Click the [Select Country/Region] radio button and select the country/region from the drop-down list. You can also click the [Enter Internet Country Code] radio button and enter a country code, such as "US"
for the United States.
[State@/[City@
Enter up to 24 alphanumeric characters for the location as necessary.
[Organization@/[OrganizationUnit@
Enter up to 24 alphanumeric characters for the organization name as necessary.
[CommonName@
Security
440 
						

							Enter up to 48 alphanumeric characters for the common name of the certi4cate as necessary. "Common
Name" is often abbreviated as "CN."7Click[OK@.
	 Key and  Certi4cate  Signing Request (CSR) may take approximately 10 to 15 minutes to generate.
8Click[StoreinFile@.
	A dialog box for storing the  4le appears. Choose where to store the  4le and click [Save].
The Key and 
Certi4cate Signing Request (CSR)  4le is stored on the computer.
9Attachthestored 4leandsubmittheapplicationtothe certL4catLonauthority.
 
	C Registering the CA-issued Digital 
Certi4cate
You cannot use the key pair generated by the  Certi4cate Signing Request (CSR) until the  certi4cate is registered. Once
the  certi4cation  authority has issued the digital  certi4cate, register it using the procedure below.
1StarttheRemoteUIandlogoninAdministratormode.
StartingRemoteUI(P.450)
2Click[Settings/[email protected][SecuritySettings@[Keyand CertL4cate [email protected][KeyName@or >CertL4cate@forthecertL4cate toberegistered.Security
441    
						

							5Click[RegisterCertL[email protected][Browse@,specifythe 4leforthe certL4cate signingrequest,andclick[Register@.
LINKS
UsingCA-issuedKeyPairsandDigital CertL4cates(P.443)
VerifyingKeyPairsandDigital CertL4cates(P.446)
EnablingTLSEncryptedCommunicationfortheRemoteUI(P.426)
Security
442