The Administration > Trusted CA page provides a means to allow UIP and its adapters to securely connect to external resources which use a certificate that is not signed by a widely-trusted Certificate Authority (CA). CA certificate files must comply with the following rules in order to be uploaded.
All certificates expire eventually so they must be updated periodically. Administrators should include this in their annual maintenance planning for the UIP system.
If multiple CA certificates are uploaded with the same filename, only the newest certificate with that filename will be kept. Avoid using a generic filename such as
Uploaded certificates must use the Base64 PEM format and have a .crt file extension. Certificate files with binary format (DER) are not supported. The first and last lines of the certificate file will be the following.
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
If the certificate authority provided a binary DER format certificate it can be converted to PEM format using the following OpenSSL command.
# Convert DER binary format certificate to PEM format
openssl x509 -inform DER -in cacertificate.der -outform PEM -out cacertificate.crt
An uploaded certificate's Version field must be V3 or higher, and the certificate must not be expired or premature (not yet valid). The Subject Type property of the Basic Constraints field must be CA.
# Display the Version, Valid From, Valid To, and V3 extensions of the certificate
openssl x509 -noout -text -certopt no_header,no_serial,no_signame,no_validity,no_subject,no_issuer,no_pubkey,no_sigdump,no_aux -startdate -enddate -in certificate.pem
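The upload rules above can be checked in one pass before a file is uploaded. The script below is an added example, not part of the vendor documentation: `check_ca_cert` is a hypothetical helper name, and it assumes the openssl CLI and GNU date are installed.

```bash
#!/usr/bin/env bash
# Added example, not vendor code: pre-upload check of a CA certificate file against
# the rules on this page. check_ca_cert is a hypothetical helper name.
# Assumes the openssl CLI and GNU date are installed.

check_ca_cert() {
    local f="$1" rc=0 text ver start
    fail() { echo "FAIL: $f: $1" >&2; rc=1; }

    # Rule: .crt file extension
    case "$f" in *.crt) ;; *) fail "file extension is not .crt" ;; esac

    # Rule: Base64 PEM, so the first and last lines are the PEM markers (DER has neither)
    [ "$(head -n 1 "$f" 2>/dev/null | tr -d '\000\r')" = "-----BEGIN CERTIFICATE-----" ] ||
        fail "first line is not -----BEGIN CERTIFICATE-----"
    [ "$(tail -n 1 "$f" 2>/dev/null | tr -d '\000\r')" = "-----END CERTIFICATE-----" ] ||
        fail "last line is not -----END CERTIFICATE-----"

    # The remaining rules need a certificate that openssl can parse
    if ! text=$(openssl x509 -in "$f" -noout -text 2>/dev/null); then
        fail "openssl cannot parse the file as a certificate"
        return "$rc"
    fi

    # Rule: Version must be V3 or higher
    ver=$(printf '%s\n' "$text" | sed -n 's/^ *Version: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ "${ver:-0}" -ge 3 ] || fail "Version is ${ver:-unknown}, V3 or higher is required"

    # Rule: not expired (-checkend 0 exits non-zero once notAfter has passed)
    openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1 || fail "certificate is expired"

    # Rule: not premature, i.e. notBefore is not in the future (GNU date parses openssl's format)
    start=$(date -d "$(openssl x509 -in "$f" -noout -startdate | cut -d= -f2)" +%s 2>/dev/null) || start=""
    [ -n "$start" ] && [ "$start" -le "$(date +%s)" ] ||
        fail "certificate is premature or its start date is unreadable"

    # Rule: Basic Constraints must mark the subject as a CA
    printf '%s\n' "$text" | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE' ||
        fail "Basic Constraints does not contain CA:TRUE"

    [ "$rc" -eq 0 ] && echo "OK: $f passes the upload rules"
    return "$rc"
}

# Run as a script: ./check_ca_cert.sh cacertificate.crt
if [ "$#" -gt 0 ]; then check_ca_cert "$1"; fi
```

Every failed rule is reported, so a file with several problems can be corrected in one round.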
Services are not interrupted during the installation of CA certificate files.
- UIP will immediately trust certificates signed by the installed CA certificate.
- Adapters must be restarted before changes to trusted CA certificates will take effect.
Use caution when deleting installed certificates. Deleting an installed certificate could cause connections which were dependent on it to stop functioning properly.