Certificates
| Administration Page | |
|---|---|
| Application/Contract | Syracuse/Collaboration |
| Class | certificates |
| Representation | certificate |
For secure connections using SSL, signed documents, and so forth, certificates are necessary. The application stores the certificates and the corresponding private keys, together with their pass-phrases, in the file system; only some metadata is stored in the database.
Remark: The pass-phrases are stored encrypted in the file system, and the encryption depends on the operating system user under which the V12 node server runs. When this user changes, the pass-phrases have to be re-entered for the new user. This can be done in this screen; see the description below.
Configuration
The following information must be entered for the definition of a certificate:
Name
The name used to reference the certificate information. This name may contain only lower-case letters, digits, dots, and underscores.
Description
A user-friendly description (optional).
Internal
This read-only flag is set for the certificates used internally, which cannot be edited using this screen.
Certificate
This field is used to upload a certificate file in PEM format. It will be automatically emptied after saving, and the content will be stored in the file system. When a new instance is created, a certificate must be uploaded. When updating an existing instance of this class, it is not necessary to upload the certificate again.
Private key exists
This read-only flag indicates that a private key file has already been uploaded.
Private key
This field is used to upload a private key file in PEM format. The file may be an encrypted private key protected by a pass-phrase. It will be automatically emptied after saving, and the content will be stored in the file system. A private key is optional, but it is necessary for certain purposes such as server certificates or signing documents. The PKCS8 format for encrypted private keys is not supported (in this case, the file contains BEGIN ENCRYPTED PRIVATE KEY). You can convert it, e.g. using openssl:
openssl pkcs8 -in original.key -out unencrypted.key
openssl rsa -des3 -in unencrypted.key -out new.key
Here original.key is the original key file which contains BEGIN ENCRYPTED PRIVATE KEY, and unencrypted.key is the unencrypted key, which must be deleted after converting it to new.key. This last file contains an encrypted private key which can be used.
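As an added example (not part of the Syracuse documentation; it assumes openssl on the PATH and the environment variables OLD_PASS and NEW_PASS for the old and new pass-phrases), the conversion above as a small POSIX shell script: it first checks the PEM header to see whether a key is in the rejected PKCS#8 encrypted form, then runs the same two openssl steps as a pipeline so that the unencrypted key is never written to disk.

```shell
#!/bin/sh
# Added example, not part of the Syracuse documentation: classify a PEM
# private key by its header and, for the PKCS#8 encrypted form that the
# Certificates screen rejects, run the documented two-step openssl
# conversion as a pipeline so the unencrypted key never touches the disk.
set -eu

# Print the key kind based on the PEM header:
#   pkcs8-encrypted  "BEGIN ENCRYPTED PRIVATE KEY", must be converted first
#   traditional      "BEGIN RSA/EC PRIVATE KEY", the form the screen accepts
#   pkcs8-plain      "BEGIN PRIVATE KEY", unencrypted PKCS#8
key_kind() {
  if grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
    echo pkcs8-encrypted
  elif grep -q -E -- '-----BEGIN (RSA|EC) PRIVATE KEY-----' "$1"; then
    echo traditional
  elif grep -q -- '-----BEGIN PRIVATE KEY-----' "$1"; then
    echo pkcs8-plain
  else
    echo unknown
  fi
}

# Equivalent of
#   openssl pkcs8 -in original.key -out unencrypted.key
#   openssl rsa -des3 -in unencrypted.key -out new.key
# without the intermediate file. OLD_PASS and NEW_PASS are assumed
# environment variable names holding the old and the new pass-phrase.
convert_pkcs8_to_traditional() {
  umask 077  # the new key file must be readable by the server user only
  openssl pkcs8 -in "$1" -passin env:OLD_PASS \
    | openssl rsa -des3 -passout env:NEW_PASS -out "$2"
}

# Constructed sample: a file carrying only the PKCS#8 encrypted header
# with placeholder body (no real key material), enough to test key_kind.
sample_pkcs8_encrypted_file() {
  f=$(mktemp)
  printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
    'CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY' \
    '-----END ENCRYPTED PRIVATE KEY-----' > "$f"
  echo "$f"
}

# Usage: convert.sh original.key new.key
if [ "$#" -eq 2 ] && [ "$(key_kind "$1")" = pkcs8-encrypted ]; then
  convert_pkcs8_to_traditional "$1" "$2"
  echo "converted $1 -> $2 ($(key_kind "$2"))"
fi
```

Running key_kind on a key before uploading tells you whether the conversion is needed at all; a key already reported as traditional can be uploaded as is.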
Pass-phrase
This field is used to enter the pass-phrase for a private key file. It will be automatically emptied after saving. You should fill in this field whenever you upload a private key file.
When you have an existing certificate with a private key, but the pass-phrase is no longer available to the program (e.g. because the node server has been started with a different operating system user), the pass-phrase alone can be set here again. After entering the pass-phrase, save the instance to store it.
Remark: Note that the pass-phrase is transported in clear text to the server unless you use HTTPS. For the internal server certificate, you can instead set the pass-phrase using the passphrase command or the certificate generation tool; these transfer all data encrypted even without HTTPS.
Distinguished Name
This field displays the distinguished name of the subject of the uploaded certificate. This information is stored in the database as read-only.
Issuer Distinguished Name
This field displays the distinguished name of the issuer of the uploaded certificate. This information is stored in the database as read-only.
Valid from
This field displays the date and time when the uploaded certificate starts to be valid. This information is stored in the database as read-only.
Valid until
This field displays the date and time when the uploaded certificate ceases to be valid. This information is stored in the database as read-only.
CA Certificates
When using a certificate that has not been issued by an official certificate authority, put the corresponding instance(s) of the CA certificate class in this field; it holds the certificates of the authorities that have signed the given certificate.
Server
When you select an instance of the host class, the certificate will only be installed on that server. This is useful for SSL server certificates because their content is tied to the server's network address.
When the field is empty, the certificate will be copied to all servers of the cluster. This is useful for SSL client certificates and for certificates used for signing documents, because these should work in the same way on all servers. You can edit this field only when you create a new instance of the certificate class.
When you select a server, the certificate will be stored only if that server is available and has successfully stored the certificate files in its file system.