TLS Certificates

assimbly edited this page Apr 19, 2019 · 3 revisions

Manage TLS certificates

TLS certificates are managed centrally from Settings --> Security (TLS).

This page contains a whitelist with all certificates used by Assimbly. All the certificates on the whitelist can be used by all flows without additional configuration. Using the whitelist is the preferred way to work with TLS/SSL certificates.

Manage whitelist

The 'Manage whitelist' button lets you add, remove or renew a URL on the whitelist.

Add url

  1. Click on 'Manage whitelist'
  2. Enter an HTTPS URL
  3. Click on 'Add'

TLS certificates are downloaded from the domain (URL), imported into a keystore and added to the whitelist. Now all flows can use the certificates (a restart is necessary).

Remove url

  1. Click on 'Manage whitelist'
  2. Enter an HTTPS URL
  3. Click on 'Remove'

TLS certificates are deleted from the keystore and removed from the whitelist.

Renew url

  1. Click on 'Manage whitelist'
  2. Enter an HTTPS URL
  3. Click on 'Renew'

Old entries for the specified URL are removed from the whitelist and new TLS certificates are downloaded from the domain (URL), imported into the keystore and added to the whitelist. Now all flows can use the new certificates (a restart is necessary).

Manually manage TLS certificates

Using the whitelist is the preferred way to manage certificates with Assimbly. It is, however, also possible to manage certificates manually. This part describes all the steps for handling certificates manually.

Download certificates

Sometimes a certificate is provided by the hosting party. If so, this step is not needed. However, if you only have a URL but no certificates yet, then you can download them manually, either with the browser or from the command line.

Download certificates with a browser

Chrome and Firefox both provide functionality to view certificates and export them to a file. Just click on the lock next to the HTTPS URL. If the certificates are for another protocol, for example an FTPS site, then you can sometimes download the certificate from the same domain. Just change FTPS://url to HTTPS://url.

Download certificates from command line

On most Linux distributions you can use the OpenSSL command line tool. OpenSSL for Windows can be downloaded from this website:

https://indy.fulgan.com/SSL/

Example command:

openssl s_client -servername example.com -connect example.com:443 </dev/null 2>/dev/null | openssl x509 -text

Keystore

Assimbly has a built-in keystore (jks). There is a keystore for server-side certificates and a keystore (mostly called truststore) for client-side certificates. On first startup the (empty) key/truststores are created in {user.home}/.assimbly/Security. The password is 'supersecret'.

Note that if Assimbly is started as a system user (for example as a daemon or Windows service) the .assimbly directory can be stored somewhere else. For example: C:\Windows\SysWOW64\config\systemprofile\.assimbly on Windows.

If you need to create your own keystore then here is a guide:

https://github.com/assimbly/gateway/wiki/How-to-create-a-keystore

Upload/Import certificates

To use downloaded certificates, they need to be added to the key/truststore. This is possible directly from Assimbly or manually with a GUI or the command line.

A) Assimbly

Single certificates can be uploaded directly from Assimbly.

  1. Go to Settings --> Security
  2. Click on 'Upload certificate'
  3. Select the downloaded certificate from the file system

The certificate is stored as a 'Generic' certificate and added to the whitelist.

B) GUI

The easiest way to import on Windows is with the help of KeyStore Explorer. This tool can be downloaded here:

https://keystore-explorer.org/downloads.html

To import certificates, open the jks file and import the certificates. It's also possible to create your own keystore, but then you should check the Camel documentation to make use of it in a flow.

C) Command line

The Java installation includes a command line tool, 'keytool', to manage keystores. Example of importing a certificate:

C:\Program Files\Java\jdk1.8.0_144\bin>keytool -import -alias client2 -file "C:\Users\user\certificate2.crt" -keystore clientkeystore

Enter keystore password:

Owner: EMAILADDRESS=info@assimbly.org, OU=gateway, O=assimbly, L=amsterdam, ST=amsterdam, C=NL, CN=localhost
Issuer: EMAILADDRESS=info@assimbly.org, OU=gateway, O=assimbly, L=amsterdam, ST=amsterdam, C=NL, CN=localhost
Serial number: db5b315
Valid from: Tue Oct 09 17:50:29 CEST 2018 until: Wed Oct 09 17:50:29 CEST 2019
Certificate fingerprints:
         MD5: C6:0B:2E:CD:55:5A:61:04:1D:B5:8F:23:57:63:DC:AD
         SHA1: 87:C5:1D:33:CB:9A:77:FD:7B:12:ED:20:63:1A:EE:0B:C2:9F:CD:F7
         SHA256: 7C:7D:0D:78:A8:E4:0E:3E:7A:30:7B:08:B4:4E:68:08:ED:4D:99:FE:0F:C6:79:33:DA:2D:59:42:57:D7:DF:E9
Signature algorithm name: SHA256withRSA
Version: 3

Trust this certificate? [no]: yes

Certificate was added to keystore
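
The download and import steps above, combined into one script that only imports the certificate when its SHA-256 fingerprint matches a value obtained out of band (for example from the hosting party). This is an added example, not part of the Assimbly wiki or code base; the function names, alias and keystore name are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not Assimbly code): verify a downloaded certificate's SHA-256
# fingerprint against a value obtained out of band before importing it.

# Strip the "SHA256 Fingerprint=" (openssl) or "SHA256: " (keytool) label,
# colons and whitespace, then upper-case the hex digits.
normalize_fp() {
  printf '%s' "$1" | sed -e 's/^.*Fingerprint=//' -e 's/^ *SHA256: *//' \
    | tr -d ': \t\n' | tr 'a-f' 'A-F'
}

# Succeed only if both values are the same 64-hex-digit SHA-256 fingerprint.
fp_matches() {
  fp_a=$(normalize_fp "$1"); fp_b=$(normalize_fp "$2")
  case "$fp_a" in ''|*[!0-9A-F]*) return 1 ;; esac
  [ "${#fp_a}" -eq 64 ] && [ "$fp_a" = "$fp_b" ]
}

# fetch_leaf HOST PORT OUTFILE: save the server's leaf certificate as PEM.
fetch_leaf() {
  openssl s_client -servername "$1" -connect "$1:$2" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$3"
}

# pin_and_import HOST PORT EXPECTED_FP ALIAS KEYSTORE
# keytool still asks for the keystore password; -noprompt only skips the
# "Trust this certificate?" question, which the fingerprint check replaces.
pin_and_import() {
  pem=$(mktemp) || return 1
  rc=1
  if fetch_leaf "$1" "$2" "$pem"; then
    actual=$(openssl x509 -in "$pem" -noout -fingerprint -sha256)
    if fp_matches "$3" "$actual"; then
      keytool -importcert -noprompt -alias "$4" -file "$pem" -keystore "$5"
      rc=$?
    else
      echo "fingerprint mismatch for $1: got $(normalize_fp "$actual")" >&2
    fi
  fi
  rm -f "$pem"
  return "$rc"
}

# Usage (constructed values; the fingerprint must come from the hosting party):
#   pin_and_import example.com 443 "AB:CD:...:EF" example-com clientkeystore
```

A mismatch leaves the keystore untouched and prints the fingerprint that was actually served, so it can be checked with the hosting party.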
