-----------------------------------------------------------------------------------------------------------------------

 Description of Certificates for TAx6xx and PAx6xx Web Sensors

 v1.0 for firmware version 11-0-0-0 or higher

-----------------------------------------------------------------------------------------------------------------------

1.  History of changes

    |-----------------------|--------------------|--------------------------------------------------------------------|
    | Date                  | Version            | Description of changes                                             |
    |                       |                    |                                                                    |
    |-----------------------|--------------------|--------------------------------------------------------------------|
    | 2026-03-11            | v1.0               | Initial revision of the document                                   |
    |-----------------------|--------------------|--------------------------------------------------------------------|


2.  COMET Root certificate (CA)

    This directory contains the COMET root certificate in DER and PEM formats. The certificate can be used to validate
    HTTPS communication with the device. By default, TLS (HTTPS) communication uses pre-installed COMET certificates
    that are signed by the COMET root certificate. A user certificate, private key, and CA certificate can also be
    uploaded if required. This can be done using Vision software.

    The COMET root certificate is used to validate:
    - Access to the device web interface when HTTPS is enabled.
    - Mutual authentication when the Cloud protocol is used (HTTPS POST requests with JSON content sent to the user
      data acquisition server).
    
       
3.  User certificates
     
    User certificates can be uploaded using Vision software. The binary DER format is supported for certificates, 
    CA files, and private keys. If the files are available in PEM format, they must be converted before uploading 
    to the device. Private keys with a PKCS#1 structure are supported. If a private key uses the PKCS#8 format, 
    it must be converted to PKCS#1 before being uploaded to the device. Once uploaded to the device, files cannot 
    be downloaded for security reasons. The presence of uploaded files is indicated by their size. Performing 
    a factory default reset deletes all uploaded certificates.
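
    The conversion described above (PEM to DER, PKCS#8 to PKCS#1), as an added example that is not part of the COMET
    documentation or Vision software. It assumes an unencrypted RSA private key; all function names are hypothetical
    and the sample key is constructed from textbook toy numbers.

```python
import base64, re

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption 1.2.840.113549.1.1.1

def read_tlv(buf, off=0):
    """Return (tag, value, next_offset) of the DER element starting at buf[off]."""
    if len(buf) < off + 2:
        raise ValueError("truncated DER")
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    if off + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[off:off + n], off + n

def to_der(data):
    """Strip PEM armor if present; binary DER input is returned unchanged."""
    m = re.search(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", data, re.S)
    return base64.b64decode(m.group(2)) if m else data

def key_to_pkcs1_der(data):
    """Return an RSA private key as PKCS#1 DER, unwrapping PKCS#8 when needed."""
    der = to_der(data)
    tag, body, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one DER SEQUENCE")
    tag, _, off = read_tlv(body)  # both formats start with a version INTEGER
    if tag != 0x02:
        raise ValueError("no version field (encrypted PKCS#8 is not handled)")
    tag, alg, off = read_tlv(body, off)
    if tag == 0x02:  # INTEGER modulus follows the version: already PKCS#1
        return der
    if tag != 0x30 or not alg.startswith(RSA_OID):
        raise ValueError("not an RSA PKCS#8 key")
    tag, inner, _ = read_tlv(body, off)  # OCTET STRING wraps the PKCS#1 key
    if tag != 0x04:
        raise ValueError("malformed PKCS#8")
    return inner

# Constructed sample: textbook toy RSA numbers (p=61, q=53), not a usable key.
def enc_tlv(tag, body):
    return bytes([tag, len(body)]) + body  # short-form lengths only
def enc_int(v):
    return enc_tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
SAMPLE_PKCS1 = enc_tlv(0x30, b"".join(map(enc_int, [0, 3233, 17, 2753, 61, 53, 53, 49, 38])))
SAMPLE_PKCS8 = enc_tlv(0x30, enc_int(0) + enc_tlv(0x30, RSA_OID + b"\x05\x00") + enc_tlv(0x04, SAMPLE_PKCS1))
SAMPLE_PEM = (b"-----BEGIN PRIVATE KEY-----\n" + base64.encodebytes(SAMPLE_PKCS8)
              + b"-----END PRIVATE KEY-----\n")
```

    Write the bytes returned by key_to_pkcs1_der() to a file in binary mode and upload that file; to_der() alone
    covers certificates and CA files supplied in PEM format.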
    
    
    |---------------------------------|---------------------------------------------------|---------------------------|
    | Protocol                        | Certificate and Private key                       | CA                        |
    |                                 |                                                   |                           |
    |---------------------------------|---------------------------------------------------|---------------------------|
    | Device webserver                | Default COMET certificate is used. If needed, a   | n/a                       |
    |                                 | user certificate and private key may be uploaded. |                           |
    |---------------------------------|---------------------------------------------------|---------------------------|
    | SMTP (TLS or STARTTLS)          | Default COMET certificate is used. Uploading      | No CA file is used by     |
    |                                 | a user certificate and private key is not         | default. A proper CA may  |
    |                                 | supported.                                        | be uploaded if needed.    |
    |---------------------------------|---------------------------------------------------|---------------------------|
    | Cloud protocol (HTTPS POST)     | Default COMET certificate is used. If needed,     | No CA file is used by     |
    |                                 | a user certificate and private key may be         | default. A user CA may    |
    |                                 | uploaded to allow mutual authentication.          | be uploaded to allow      |
    |                                 |                                                   | validation of the server. |
    |---------------------------------|---------------------------------------------------|---------------------------|
    
