
Trusted CA

The Administration > Trusted CA page provides a means to allow UIP and its adapters to securely connect to external resources which use a certificate that is not signed by a widely-trusted Certificate Authority (CA). CA certificate files must comply with the following rules in order to be uploaded.

Important

All certificates expire eventually so they must be updated periodically. Administrators should include this in their annual maintenance planning for the UIP system.

Important

If multiple CA certificates are uploaded with the same filename, only the newest certificate with that filename will be kept. Avoid using a generic filename such as ca.crt.

Uploaded certificates must use the Base64 PEM format and have a .crt file extension. Certificate files with binary format (DER) are not supported. The first and last lines of the certificate file will be the following.

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

If the certificate authority provided a binary DER format certificate it can be converted to PEM format using the following OpenSSL command.

# Convert DER binary format certificate to PEM format
openssl x509 -inform DER -in cacertificate.der -outform PEM -out cacertificate.crt

The uploaded certificate's Version field must be V3 or higher, and the certificate must be within its validity period (neither expired nor not yet valid). The Basic Constraints extension's Subject Type must be CA.

# Display the Version, Valid From, Valid To, and V3 extensions of a certificate
openssl x509 -noout -text -certopt no_header,no_serial,no_signame,no_validity,no_subject,no_issuer,no_pubkey,no_sigdump,no_aux -startdate -enddate -in certificate.pem
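As an added example, not part of the UIP documentation or the product's own tooling, the following Python script checks a candidate CA file against the upload rules above before it is uploaded: PEM framing and a .crt extension, Version V3 or higher, current validity, and Basic Constraints marking the subject as a CA. It uses only the standard library; the DER walk is a minimal parser for exactly those fields and does not verify signatures. The `make_sample_pem` helper and its "Sample CA" name are constructed test input, not a real certificate.

```python
"""Pre-upload check of a Trusted CA file against the rules on this page.
Only the Python standard library is used: the DER walk is a minimal parser
for the fields the rules need (version, validity, Basic Constraints) and
does not verify signatures or anything else."""
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)
BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")   # 2.5.29.19 (DER-encoded OID body)


def der_tlv(buf, pos=0):
    """Decode one DER tag/length/value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the content of a constructed type into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def parse_time(tag, val):
    """UTCTime (tag 0x17) or GeneralizedTime (0x18) -> timezone-aware datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def cert_fields(der):
    """Return (version, not_before, not_after, is_ca) from a DER certificate."""
    tbs = der_children(der_children(der_tlv(der)[1])[0][1])   # tbsCertificate children
    version, idx = 1, 0
    if tbs[0][0] == 0xA0:                              # [0] EXPLICIT Version (absent => v1)
        version, idx = der_children(tbs[0][1])[0][1][0] + 1, 1
    validity = der_children(tbs[idx + 3][1])           # serial, sigAlg, issuer, validity, ...
    not_before, not_after = parse_time(*validity[0]), parse_time(*validity[1])
    is_ca = False
    for tag, val in tbs[idx + 6:]:                     # after subject and subjectPublicKeyInfo
        if tag != 0xA3:                                # [3] EXPLICIT Extensions
            continue
        for _, ext in der_children(der_children(val)[0][1]):
            parts = der_children(ext)                  # extnID, [critical], extnValue
            if parts[0][1] == BASIC_CONSTRAINTS_OID:
                bc = der_children(der_tlv(parts[-1][1])[1])   # BasicConstraints SEQUENCE
                is_ca = any(t == 0x01 and v == b"\xff" for t, v in bc)   # cA BOOLEAN TRUE
    return version, not_before, not_after, is_ca


def check_trusted_ca_file(filename, data, now=None):
    """Return the list of rule violations; an empty list means the file is uploadable."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if not filename.lower().endswith(".crt"):
        problems.append("file extension must be .crt")
    if filename.lower() == "ca.crt":
        problems.append("generic filename ca.crt: a later upload with the same name replaces it")
    match = PEM_RE.search(data.decode("ascii", "replace"))
    if not match:
        problems.append("not Base64 PEM with BEGIN/END CERTIFICATE lines (binary DER is not supported)")
        return problems
    version, not_before, not_after, is_ca = cert_fields(base64.b64decode(match.group(1)))
    if version < 3:
        problems.append(f"Version is V{version}; must be V3 or higher")
    if now < not_before:
        problems.append("certificate is not yet valid (premature)")
    if now > not_after:
        problems.append("certificate is expired")
    if not is_ca:
        problems.append("Basic Constraints must mark the subject as a CA")
    return problems


# --- constructed sample input (not a real CA: dummy key and signature) ---------------
def _tlv(tag, content):
    n = len(content)
    ln = bytes([n]) if n < 0x80 else bytes([0x81, n])   # samples stay under 256 bytes
    return bytes([tag]) + ln + content


def _seq(*items):
    return _tlv(0x30, b"".join(items))


def make_sample_pem(is_ca=True, version=3, not_after=b"340101000000Z"):
    """Build a minimal unsigned v1/v3 certificate so the checker can be exercised offline."""
    name = _seq(_tlv(0x31, _seq(_tlv(0x06, bytes.fromhex("550403")), _tlv(0x0C, b"Sample CA"))))
    sig_alg = _seq(_tlv(0x06, bytes.fromhex("2a864886f70d01010b")), _tlv(0x05, b""))  # sha256WithRSA
    parts = [_tlv(0x02, b"\x01"), sig_alg, name,
             _seq(_tlv(0x17, b"240101000000Z"), _tlv(0x17, not_after)), name,
             _seq(_seq(_tlv(0x06, bytes.fromhex("2a864886f70d010101")), _tlv(0x05, b"")), _tlv(0x03, b"\x00\x00"))]
    if version >= 3:
        parts.insert(0, _tlv(0xA0, _tlv(0x02, bytes([version - 1]))))
        bc = _seq(_tlv(0x01, b"\xff")) if is_ca else _seq()
        parts.append(_tlv(0xA3, _seq(_seq(_tlv(0x06, BASIC_CONSTRAINTS_OID), _tlv(0x01, b"\xff"), _tlv(0x04, bc)))))
    der = _seq(_seq(*parts), sig_alg, _tlv(0x03, b"\x00\x00\x00\x00\x00"))
    body = base64.encodebytes(der).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n").encode("ascii")


if __name__ == "__main__":
    for line in check_trusted_ca_file("sample-ca.crt", make_sample_pem()) or ["OK: file meets the upload rules"]:
        print(line)
```

To check a real file, read it as bytes and pass the filename and contents to `check_trusted_ca_file`; an empty result means every rule on this page is satisfied, otherwise each message names the rule that failed.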

Services are not interrupted during the installation of CA certificate files.

  • UIP will immediately trust certificates signed by the installed CA certificate.
  • Adapters must be restarted before changes to trusted CA certificates will take effect.

Warning

Use caution when deleting installed certificates. Deleting an installed certificate could cause connections which were dependent on it to stop functioning properly.

Update Container CA Certificates Command Line Utility

If UIP cannot be used because the root CA certificates inside the UIP containers are out of date or missing, a command line utility executed on the host machine updates the containers' CA certificates.

To use this utility you must have root/sudo access to the UIP host machine.

  1. Connect a terminal to the UIP host machine and login using an account with root or sudo access.

  2. Execute the Orchestrator updateca command.

    sudo docker exec -it $(sudo docker ps --filter name=nap-orch_orchestrator -q) dotnet NAP.Orchestrator.dll updateca