02-14-2025 08:59 AM
I'm running a TCP server task that I would like to start using with TLS. Are there any recommended locations or native services for storing the associated certificates? Assume these certificates need to be accessible by lvuser in order to read them into the LabVIEW application for setting up the TLS protocol.
02-17-2025 11:34 AM
The recommended certificate storage for Linux is /etc/ssl/certs. I confirmed this with our NILRT engineers, and found several good resources on how to do this by searching for "Linux Distribution certificate store".
In his presentation at our last conference, Tim Cannon shared several tools he's built, some of which store data to secure locations, but these were mostly Windows based. It's worth looking at his presentation at Security Tools for LabVIEW - TSS Oct 2024 - NI Community.
You can also consider using the TPM chip. If you are using PXI, there is a TPM chip in your controller. We have not had TPM in cRIO, but I do have a cRIO-9048 now available with a TPM; contact me and we'll talk about it. Future cRIOs will have TPM chips available. (steve.summers@emerson.com).
10-29-2025 03:11 PM
Following up on this...after placing a certificate in the suggested location, are any commands necessary to add/update the trusted certificate store? In my research I found the following: "after adding or removing certificates, use a command like update-ca-trust extract (on Red Hat-based systems) or update-ca-certificates (on Debian/Ubuntu systems) to update the system-wide trust store and ensure all applications recognize the changes."
10-30-2025 01:45 PM
The `update-ca-certificates` script does two main things. (1) It links any certificates that have been installed by packages to several locations on the disk (e.g. /usr/share/ca-certificates) into the system cert store (/etc/ssl/certs). And (2) it then bundles those certificates into the `/etc/ssl/certs/ca-certificates.crt` certificate bundle, which is used by many programs to load "all the valid certs" at once.
Installing an organizational certificate directly into your system cert store (/etc/ssl/certs) as a part of your deployment should be fine. You should also be able to put it into the local certs location: /usr/local/share/ca-certificates/.
After you install to either location, you should run `update-ca-certificates` so that it gets inserted into the certificate bundle. I believe LV uses that bundle to determine what certificates it can use.
After you run the update script, you should be able to confirm that your cert is present using openssl.
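```bash
# your_cert_name is a placeholder: set it to your certificate's file name without the .crt extension
openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt "${your_cert_name}.crt"
```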
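An added example, not part of the original posts and not NI's code: `openssl verify` succeeds for any certificate that chains to something already in the bundle, so this sketch checks instead that one specific certificate is itself in the bundle by comparing SHA-256 fingerprints. The function names and the throwaway test CA are assumptions made for the example.

```shell
#!/bin/sh
# Added example. Function names are illustrative, not from any NI or distro tool.

# SHA-256 fingerprint of the first certificate in a PEM file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Exit 0 if the certificate in file $2 is one of the certificates in bundle $1,
# 1 if it is absent, 2 if either input cannot be read or parsed.
cert_in_bundle() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    want=$(cert_fingerprint "$2")
    [ -n "$want" ] || return 2
    split_dir=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate, closing each file as we go.
    awk -v dir="$split_dir" '
        /-----BEGIN CERTIFICATE-----/ { if (out) close(out); n++; out = dir "/" n ".pem" }
        out { print > out }' "$1"
    status=1
    for f in "$split_dir"/*.pem; do
        [ -f "$f" ] || continue
        if [ "$(cert_fingerprint "$f")" = "$want" ]; then status=0; break; fi
    done
    rm -rf "$split_dir"
    return "$status"
}

# Constructed sample input: a throwaway self-signed CA written to $1/$2.crt.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA $2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# On a target, after running update-ca-certificates:
#   cert_in_bundle /etc/ssl/certs/ca-certificates.crt \
#       /usr/local/share/ca-certificates/your_cert_name.crt
```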