
Trusted CA

The Administration > Trusted CA page lets UIP and its adapters connect securely to external resources whose certificates are not signed by a widely trusted Certificate Authority (CA). CA certificate files must comply with the following rules in order to be uploaded.

Important

All certificates expire eventually so they must be updated periodically. Administrators should include this in their annual maintenance planning for the UIP system.

Important

If multiple CA certificates are uploaded with the same filename, only the newest certificate with that filename will be kept. Avoid using a generic filename such as ca.crt.

Uploaded certificates must use the Base64 PEM format and have a .crt file extension. Certificate files in binary (DER) format are not supported. The first and last lines of the certificate file must be the following.

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

If the certificate authority provided a certificate in binary DER format, it can be converted to PEM format with the following OpenSSL command.

# Convert DER binary format certificate to PEM format
openssl x509 -inform DER -in cacertificate.der -outform PEM -out cacertificate.crt

The uploaded certificate's Version field must be V3 or higher, and the certificate must be within its validity period: neither expired nor premature (its Valid From date must not be in the future). The Basic Constraints extension must identify the subject as a CA (Subject Type = CA).

# Display the Version, Valid From, Valid To, and V3 extensions of a certificate
openssl x509 -noout -text -certopt no_header,no_serial,no_signame,no_validity,no_subject,no_issuer,no_pubkey,no_sigdump,no_aux -startdate -enddate -in cacertificate.crt
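The following script applies every upload rule above (.crt extension, PEM armor, Version V3 or higher, not expired or premature, Basic Constraints CA) in one pass using the same openssl tool. It is an added example, not part of UIP or its documentation; it assumes the openssl CLI is installed and that `date -d` accepts the GNU date syntax (used only for the not-yet-valid check).

```shell
#!/bin/sh
# Pre-upload check of a CA certificate file against the rules on this page.
# Added example, not part of UIP; assumes the openssl CLI and a GNU-style
# "date -d" (used only for the not-yet-valid check).
# Usage: sh check_ca_cert.sh cacertificate.crt   (exit 0 = passes every rule)

check_ca_cert() {
    f=$1
    rc=0
    # Rule: Base64 PEM with a .crt extension
    case "$f" in
        *.crt) ;;
        *) echo "FAIL: filename must end in .crt"; rc=1 ;;
    esac
    # Rule: a generic filename is overwritten by the next upload using it
    case "$(basename "$f")" in
        ca.crt) echo "WARN: generic filename; a later ca.crt upload would replace it" ;;
    esac
    # Rule: first and last lines are the PEM armor (a DER file fails here)
    [ "$(head -n 1 "$f")" = "-----BEGIN CERTIFICATE-----" ] ||
        { echo "FAIL: first line is not -----BEGIN CERTIFICATE-----"; rc=1; }
    [ "$(tail -n 1 "$f")" = "-----END CERTIFICATE-----" ] ||
        { echo "FAIL: last line is not -----END CERTIFICATE-----"; rc=1; }
    # The remaining rules need a certificate openssl can decode
    text=$(openssl x509 -in "$f" -noout -text 2>/dev/null) ||
        { echo "FAIL: openssl cannot decode the file as a PEM certificate"; return 1; }
    # Rule: Version V3 or higher (openssl prints e.g. "Version: 3 (0x2)")
    printf '%s\n' "$text" | grep -Eq '^ *Version: [3-9]' ||
        { echo "FAIL: certificate version is below V3"; rc=1; }
    # Rule: Basic Constraints must identify the subject as a CA
    printf '%s\n' "$text" | grep -q 'CA:TRUE' ||
        { echo "FAIL: Basic Constraints is missing or not CA:TRUE"; rc=1; }
    # Rule: not expired (-checkend 0 exits non-zero once notAfter has passed)
    openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: certificate has expired"; rc=1; }
    # Rule: not premature (notBefore must not lie in the future)
    nb=$(openssl x509 -in "$f" -noout -startdate | cut -d= -f2)
    nbs=$(date -u -d "$nb" +%s 2>/dev/null)
    if [ -z "$nbs" ]; then
        echo "WARN: could not parse notBefore ($nb); check it by hand"
    elif [ "$nbs" -gt "$(date -u +%s)" ]; then
        echo "FAIL: certificate is not yet valid (notBefore $nb)"; rc=1
    fi
    return $rc
}

if [ $# -gt 0 ]; then check_ca_cert "$1"; fi
```

A WARN line does not change the exit status; only FAIL lines do, so the script can gate an upload step in automation.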

Services are not interrupted during the installation of CA certificate files.

  • UIP will immediately trust certificates signed by the installed CA certificate.
  • Adapters must be restarted before changes to trusted CA certificates will take effect.

Warning

Use caution when deleting installed certificates. Deleting an installed certificate could cause connections which were dependent on it to stop functioning properly.