
Certificate Service

Aaron edited this page Sep 15, 2018 · 2 revisions

The sys/Certificates node provides several certificate-related services: the local keystore (the link's own key and certificate), the local truststore (which peer certificates are accepted), and hostname checks.

Local Keystore

The Certificate Service provides actions for interacting with the keystore holding the SSL/TLS private key and certificate chain used by DSA. By default, the keystore holds only a self-signed certificate for DSA, which peers will not trust until it is replaced with a CA-signed certificate or explicitly allowed on the peer side (see Local Truststore below).

Metrics

  • Cert File - The path to the keystore file
  • Cert File Pass - The password for the keystore
  • Cert File Type - The format of the keystore file

Actions

  • Generate Certificate Signing Request - Generates a CSR for DSA, to be signed by a Certificate Authority
  • Import CA Certificate - Import the certificate of the Certificate Authority that signed the CSR (an intermediate certificate in the chain), so that the signed primary certificate can be linked to its issuer
  • Import Primary Certificate - Import a signed certificate for DSA
  • Generate Self-Signed Certificate - Re-generate the default self-signed certificate for DSA
  • Get Keystore Entry - Returns the DSA keystore entry
  • Delete Keystore Entry - Deletes the DSA entry from the keystore
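The actions above leave you with a key entry whose chain should run from the signed DSA certificate up through the imported CA certificate. The following is an added example, not code from the SDK, that opens the keystore named by the Cert File metrics with the standard java.security.KeyStore API and checks that the entry's chain is complete and correctly linked. The alias "dsa", the file name "dslink.jks" and the password "changeit" are assumptions; substitute the values of Cert File, Cert File Pass and Cert File Type from your link.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not SDK code): load the DSA keystore and verify that the
 * entry's certificate chain is valid and linked, link by link.
 * The alias, file name and password used in main() are assumptions.
 */
public class KeystoreChainCheck {

    /**
     * Returns the chain, entity certificate first, or throws if any certificate
     * is outside its validity period or is not signed by the next one up.
     */
    public static List<X509Certificate> checkChain(String certFile, char[] certFilePass,
                                                   String certFileType, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(certFileType);       // Cert File Type, e.g. "JKS" or "PKCS12"
        try (InputStream in = new FileInputStream(certFile)) {
            ks.load(in, certFilePass);                          // wrong Cert File Pass -> IOException
        }
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException("no private-key entry '" + alias + "' in " + certFile);
        }
        Certificate[] chain = ks.getCertificateChain(alias);    // element 0 is the entity certificate
        if (chain == null || chain.length == 0) {
            throw new IllegalStateException("entry '" + alias + "' has no certificate chain");
        }
        List<X509Certificate> certs = new ArrayList<>();
        for (Certificate c : chain) certs.add((X509Certificate) c);

        for (int i = 0; i < certs.size(); i++) {
            X509Certificate cert = certs.get(i);
            cert.checkValidity();                               // throws if expired or not yet valid
            if (i + 1 < certs.size()) {
                // Signature must verify with the issuer's public key, otherwise the wrong
                // CA certificate was imported. Throws SignatureException on mismatch.
                cert.verify(certs.get(i + 1).getPublicKey());
            } else if (isSelfSigned(cert)) {
                cert.verify(cert.getPublicKey());               // root, or the default self-signed cert
            }
        }
        return certs;
    }

    /** True when subject and issuer are the same name, i.e. the certificate signs itself. */
    public static boolean isSelfSigned(X509Certificate cert) {
        return cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
    }

    public static void main(String[] args) throws Exception {
        // Assumed values; use the link's Cert File, Cert File Pass, Cert File Type metrics.
        List<X509Certificate> chain = checkChain("dslink.jks", "changeit".toCharArray(), "JKS", "dsa");
        for (int i = 0; i < chain.size(); i++) {
            System.out.println((i == 0 ? "entity: " : "issuer: ")
                    + chain.get(i).getSubjectX500Principal().getName());
        }
        X509Certificate top = chain.get(chain.size() - 1);
        if (chain.size() == 1 && isSelfSigned(top)) {
            System.out.println("still using a self-signed certificate; peers will not trust it by default");
        } else if (!isSelfSigned(top)) {
            System.out.println("chain stops at a certificate issued by '"
                    + top.getIssuerX500Principal().getName()
                    + "' that is not in the entry; import it with Import CA Certificate"
                    + " if peers report an incomplete chain");
        }
    }
}
```

Run it after Import Primary Certificate: a SignatureException means the primary certificate was not issued by the CA certificate you imported, and an expiry exception means the CSR was signed with a certificate that is already past (or before) its validity window.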

Local Truststore

When the SDK encounters a certificate it does not trust, it creates a node for that certificate as a child of the Quarantine node and the connection is not accepted. If the certificate should be trusted, invoke its Allow action. This moves the certificate out of Quarantine and into the Local Truststore, so that subsequent connections presenting it succeed. Later, if trust needs to be revoked, invoke the certificate's Remove action to remove it from the Local Truststore. Before invoking Allow, confirm the certificate's fingerprint with the operator of the peer through a separate channel; allowing whatever shows up in Quarantine defeats the purpose of the check.

In addition, the following metrics bypass this process entirely. Leave them false outside isolated test setups: setting either to true disables certificate validation for that side, so any peer, including one presenting a forged or self-issued certificate, is accepted.

  • Allow Anonymous Clients - If set to true, all client certificates will be trusted
  • Allow Anonymous Servers - If set to true, all server certificates will be trusted
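To make the quarantine flow concrete, here is an added example, not the SDK's own implementation, of a javax.net.ssl.X509TrustManager that wraps the JVM's default trust manager and behaves the way the section above describes: an unknown certificate is parked by SHA-256 fingerprint and the connection is rejected, allow() moves it into a local truststore, remove() revokes it, and the two "anonymous" flags short-circuit the check. The class name, method names and the choice of SHA-256 fingerprints as the key are assumptions.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example (not SDK code): a trust manager that mirrors the Quarantine /
 * Local Truststore flow. Names and the fingerprint scheme are assumptions.
 */
public class QuarantiningTrustManager implements X509TrustManager {

    private final X509TrustManager delegate;   // normally the JVM default (cacerts) trust manager
    private final Map<String, X509Certificate> quarantine = new ConcurrentHashMap<>();
    private final Map<String, X509Certificate> localTruststore = new ConcurrentHashMap<>();

    // Equivalents of the Allow Anonymous Clients / Servers metrics. Keep both false in
    // production: true means any certificate whatsoever is accepted for that side.
    volatile boolean allowAnonymousClients = false;
    volatile boolean allowAnonymousServers = false;

    public QuarantiningTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

    /** Wraps the JVM default trust manager. */
    public static QuarantiningTrustManager wrapDefault() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);                // null = use the platform default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return new QuarantiningTrustManager((X509TrustManager) tm);
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (allowAnonymousClients) return;        // validation bypassed entirely
        check(chain, authType, true);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (allowAnonymousServers) return;        // validation bypassed entirely
        check(chain, authType, false);
    }

    private void check(X509Certificate[] chain, String authType, boolean client) throws CertificateException {
        if (chain == null || chain.length == 0) throw new CertificateException("empty certificate chain");
        X509Certificate leaf = chain[0];
        String fp = fingerprint(leaf);
        if (localTruststore.containsKey(fp)) {
            leaf.checkValidity();                 // explicitly allowed, but still refuse expired certs
            return;
        }
        try {
            if (client) delegate.checkClientTrusted(chain, authType);
            else delegate.checkServerTrusted(chain, authType);
        } catch (CertificateException e) {
            // Not trusted by the default store: record it under Quarantine and reject.
            quarantine.putIfAbsent(fp, leaf);
            throw new CertificateException("certificate " + fp + " quarantined; invoke Allow to trust it", e);
        }
    }

    /** The Allow action: move a quarantined certificate into the Local Truststore. */
    public boolean allow(String fp) {
        X509Certificate cert = quarantine.remove(fp);
        if (cert == null) return false;
        localTruststore.put(fp, cert);
        return true;
    }

    /** The Remove action: revoke trust previously granted by allow(). */
    public boolean remove(String fp) { return localTruststore.remove(fp) != null; }

    /** Read-only view of what is waiting for a decision. */
    public Map<String, X509Certificate> quarantined() { return java.util.Collections.unmodifiableMap(quarantine); }

    @Override
    public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }

    /** SHA-256 over the DER encoding: a stable key for pinning exactly one certificate. */
    static String fingerprint(X509Certificate cert) throws CertificateException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder sb = new StringBuilder();
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }
}
```

To use it, pass the instance to SSLContext.init(keyManagers, new TrustManager[]{ tm }, null). Note that the pinned entry is the leaf certificate, not its issuer, so a renewed certificate from the same peer will land in Quarantine again and needs a fresh Allow; that is intended, since the alternative is trusting anything the peer's CA later signs.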

Hostnames

By default, when the SDK opens an SSL connection to a client or server, it checks that the peer's hostname matches the name in the peer's certificate and aborts the connection if it does not. This check can be disabled by setting Enable Hostname-Certificate Verification to false, but doing so lets anyone holding a trusted certificate issued for some other name impersonate the peer; prefer adding a specific exception to the Hostname Whitelist instead.

In addition, the Hostname Whitelist acts as a combined allow list and deny list that overrides the default check for the hostnames it contains, once Hostname Whitelist/Enabled is set to true. Invoke Hostname Whitelist/Add Hostname to add a hostname to the list. If necessary, you can later change the value of that hostname's entry to one of:

  • ALLOWED - The hostname will always be allowed
  • FORBIDDEN - The hostname will never be allowed
  • REMOVE - Removes the hostname from the list, so that the default hostname verification is used for it
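The precedence between the whitelist, the global verification switch and the default check is easy to get wrong, so here is an added example (not SDK code) of a javax.net.ssl.HostnameVerifier that applies the rules of this section: a whitelist entry wins when the whitelist is enabled, otherwise the default verifier decides unless Enable Hostname-Certificate Verification is off. The class name, the assumption that a freshly added hostname starts as ALLOWED, and case-insensitive hostname matching are mine.

```java
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

/**
 * Added example (not SDK code): hostname verification with a combined
 * allow/deny list layered over the default check. Names are assumptions.
 */
public class WhitelistHostnameVerifier implements HostnameVerifier {

    /** The values an entry in the Hostname Whitelist can be set to. */
    public enum Entry { ALLOWED, FORBIDDEN, REMOVE }

    private final HostnameVerifier defaultVerifier;
    private final Map<String, Entry> whitelist = new ConcurrentHashMap<>();

    volatile boolean whitelistEnabled = false;        // Hostname Whitelist/Enabled
    volatile boolean hostnameVerification = true;     // Enable Hostname-Certificate Verification

    public WhitelistHostnameVerifier(HostnameVerifier defaultVerifier) {
        this.defaultVerifier = defaultVerifier;
    }

    /** Hostname Whitelist/Add Hostname; assumed to create the entry as ALLOWED. */
    public void addHostname(String host) { setEntry(host, Entry.ALLOWED); }

    /** Change an entry's value; REMOVE drops it so the default check applies again. */
    public void setEntry(String host, Entry value) {
        String key = normalize(host);
        if (value == Entry.REMOVE) whitelist.remove(key);
        else whitelist.put(key, value);
    }

    @Override
    public boolean verify(String hostname, SSLSession session) {
        if (whitelistEnabled) {
            Entry e = whitelist.get(normalize(hostname));
            if (e == Entry.ALLOWED) return true;      // accepted even though the cert names another host
            if (e == Entry.FORBIDDEN) return false;   // rejected even if the cert matches
        }
        if (!hostnameVerification) {
            return true;                              // weak setting: any valid cert passes for any host
        }
        return defaultVerifier.verify(hostname, session);
    }

    /** DNS names are case-insensitive; a trailing dot denotes the same host. */
    private static String normalize(String host) {
        String h = host.toLowerCase(Locale.ROOT);
        return h.endsWith(".") ? h.substring(0, h.length() - 1) : h;
    }

    public static void main(String[] args) {
        WhitelistHostnameVerifier v = new WhitelistHostnameVerifier(HttpsURLConnection.getDefaultHostnameVerifier());
        v.whitelistEnabled = true;
        v.addHostname("broker.internal.example");     // assumed host, accepted regardless of its cert
        v.setEntry("broker.internal.example", Entry.FORBIDDEN);   // now blocked outright
        v.setEntry("broker.internal.example", Entry.REMOVE);      // back to the default check
        System.out.println("entries: " + v.whitelist);
    }
}
```

An ALLOWED entry only skips the name check; the certificate itself must still be trusted by the truststore, so it is a much narrower exception than turning Enable Hostname-Certificate Verification off. Install the verifier with HttpsURLConnection.setDefaultHostnameVerifier(v) for connections made through HttpsURLConnection.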