# Certificate Service

The `sys/Certificates` node provides several certificate-related services.
The Certificate Service provides actions for interacting with the keystore holding the SSL key pair and certificates used by DSA. By default, the keystore holds a self-signed certificate for DSA.
- **Cert File**: the path to the keystore file
- **Cert File Pass**: the password for the keystore
- **Cert File Type**: the format of the keystore file
- **Generate Certificate Signing Request**: generates a CSR for DSA, to be signed by a Certificate Authority
- **Import CA Certificate**: imports a certificate for a Certificate Authority (an intermediate certificate in the chain)
- **Import Primary Certificate**: imports a signed certificate for DSA
- **Generate Self-Signed Certificate**: re-generates the default self-signed certificate for DSA
- **Get Keystore Entry**: returns the DSA keystore entry
- **Delete Keystore Entry**: deletes the DSA entry from the keystore
When the SDK encounters a non-trusted certificate, it creates a node for that certificate as a child of the `Quarantine` node. If this certificate is to be trusted, invoke its `Allow` action. This moves the certificate out of `Quarantine` and into the `Local Truststore`. Later, if trust needs to be revoked, invoke the certificate's `Remove` action to remove it from the `Local Truststore`.
In addition, the following metrics can be used to disable this process:

- **Allow Anonymous Clients**: if set to `true`, all client certificates will be trusted
- **Allow Anonymous Servers**: if set to `true`, all server certificates will be trusted
By default, when Java connects to a client or server using SSL, it checks whether the peer's hostname matches its certificate and aborts the connection if it does not. This check can be disabled by setting `Enable Hostname-Certificate Verification` to `false`.
In addition, the `Hostname Whitelist` acts as a combined whitelist/blacklist when `Hostname Whitelist/Enabled` is set to `true`. Invoke `Hostname Whitelist/Add Hostname` to add a hostname to the list. If necessary, you can later change the value of the hostname in the list to one of:

- **ALLOWED**: the hostname will always be allowed
- **FORBIDDEN**: the hostname will never be allowed
- **REMOVE**: removes the hostname from the list, so that the default hostname verification is used for it
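The following is an added example, not code from the DSA SDK: a small Python model of the two trust decisions this page describes (the Quarantine/Local Truststore step and the hostname step with the whitelist overlay). The precedence between the settings, the fingerprint-based truststore lookup and the wildcard-matching rule are assumptions made for the model, and the sample fingerprint is constructed.

```python
# Added example (not from the DSA SDK): a model of the trust decisions described above.
# Exact precedence between the settings is an assumption.
ALLOWED, FORBIDDEN = "ALLOWED", "FORBIDDEN"  # Hostname Whitelist entry values (REMOVE = absent)

def certificate_trusted(fingerprint, local_truststore, allow_anonymous=False):
    """Quarantine step: a certificate is trusted once its Allow action has moved it
    into the Local Truststore, or when Allow Anonymous Clients/Servers is true."""
    return allow_anonymous or fingerprint in local_truststore

def hostname_matches(hostname, dns_names):
    """Default hostname-certificate verification: the hostname must equal one of the
    certificate's DNS names; a leading '*.' wildcard matches exactly one label."""
    host = hostname.lower().rstrip(".")
    for name in (n.lower() for n in dns_names):
        if name.startswith("*."):
            if host.endswith(name[1:]) and host.count(".") == name.count("."):
                return True
        elif host == name:
            return True
    return False

def hostname_allowed(hostname, dns_names, verify=True, whitelist_enabled=False, whitelist=None):
    """Hostname step: when Hostname Whitelist/Enabled is true, ALLOWED/FORBIDDEN entries
    override verification; a REMOVEd host is simply absent, so the default check applies."""
    if whitelist_enabled:
        verdict = (whitelist or {}).get(hostname)
        if verdict == ALLOWED:
            return True
        if verdict == FORBIDDEN:
            return False
    return hostname_matches(hostname, dns_names) if verify else True

def peer_accepted(fingerprint, hostname, dns_names, **policy):
    """Both steps must pass for a connection to proceed."""
    trusted = certificate_trusted(fingerprint, policy.get("local_truststore", set()),
                                  policy.get("allow_anonymous", False))
    return trusted and hostname_allowed(hostname, dns_names, policy.get("verify", True),
                                        policy.get("whitelist_enabled", False),
                                        policy.get("whitelist"))

if __name__ == "__main__":
    # Constructed sample: a broker certificate for *.example.com already allowed out of Quarantine
    truststore = {"sha256:CONSTRUCTED-FINGERPRINT"}
    print(peer_accepted("sha256:CONSTRUCTED-FINGERPRINT", "broker.example.com",
                        ["*.example.com"], local_truststore=truststore))  # True
```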