HTML5 Certificate Management view

Niagara 4.13 and later adds a browser-based Certificate Management view. Using this view, you can create digital certificates and certificate signing requests (CSRs), and import and export keys. The view always contains a default certificate. This default certificate has no user-defined password and cannot be deleted, signed, imported, or exported.

Figure 1. Certificate Management view


To access this view in a web browser, expand Config > Services > PlatformServices and double-click CertManagerService, or right-click CertManagerService and click Views > Certificate Management.

When creating certificates, the browser view is functionally equivalent to the Workbench view. It adds only a few functions, described below.

EC Key Algorithm

Elliptic Curve (EC) is a second key algorithm for generating certificate keys, alongside RSA, which is the only key algorithm offered in the bajaui (Workbench) version of the view. For an EC key you select a Key Spec (a named curve) rather than a Key Size; the key size follows from the curve. EC keys are used to create and verify digital signatures (ECDSA) and for key agreement (ECDH). Unlike RSA keys they do not encrypt data directly, and they reach a comparable security level with a much shorter key.
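To show what selecting an EC key spec instead of an RSA key size means in practice, here is an added example in Go (not Niagara code and not from this page): it generates an RSA-2048 key and a P-256 key, compares the size of their encoded public keys, then performs the two operations an EC certificate key is actually used for, an ECDSA signature and an ECDH key agreement. The key sizes, the curve and the signed message are assumptions chosen for the example; Go's standard library offers the NIST P-256, P-384 and P-521 curves but not the Brainpool curves the view lists.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// KeyInfo records how a key was chosen (a size in bits for RSA, a named curve
// for EC) and how large its DER-encoded public key is.
type KeyInfo struct {
	Algorithm string
	Spec      string
	PubDERLen int
}

// GenerateRSA mirrors the RSA choice in the view: you pick a key size in bits.
func GenerateRSA(bits int) (*rsa.PrivateKey, KeyInfo, error) {
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, KeyInfo{}, err
	}
	der, err := x509.MarshalPKIXPublicKey(&k.PublicKey)
	return k, KeyInfo{"RSA", fmt.Sprintf("%d bits", bits), len(der)}, err
}

// GenerateEC mirrors the EC choice: you pick a key spec (named curve) and the
// key size is fixed by that curve.
func GenerateEC(curve elliptic.Curve) (*ecdsa.PrivateKey, KeyInfo, error) {
	k, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		return nil, KeyInfo{}, err
	}
	der, err := x509.MarshalPKIXPublicKey(&k.PublicKey)
	return k, KeyInfo{"EC", curve.Params().Name, len(der)}, err
}

// SignAndVerify is what a certificate's EC key does in a TLS handshake: the
// server signs a digest with ECDSA and the client checks it with the public key.
func SignAndVerify(k *ecdsa.PrivateKey, msg []byte) (bool, error) {
	digest := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, k, digest[:])
	if err != nil {
		return false, err
	}
	return ecdsa.VerifyASN1(&k.PublicKey, digest[:], sig), nil
}

// SharedSecret is the other EC operation, ECDH key agreement: each side combines
// its own private key with the peer's public key and both obtain the same bytes.
// It returns an error if the two keys are on different curves.
func SharedSecret(a, b *ecdsa.PrivateKey) (bool, error) {
	ea, err := a.ECDH()
	if err != nil {
		return false, err
	}
	eb, err := b.ECDH()
	if err != nil {
		return false, err
	}
	sa, err := ea.ECDH(eb.PublicKey())
	if err != nil {
		return false, err
	}
	sb, err := eb.ECDH(ea.PublicKey())
	if err != nil {
		return false, err
	}
	return bytes.Equal(sa, sb), nil
}

func main() {
	_, rsaInfo, err := GenerateRSA(2048) // the view's default RSA key size
	if err != nil {
		panic(err)
	}
	ecKey, ecInfo, err := GenerateEC(elliptic.P256()) // one of the view's EC key specs
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n%+v\n", rsaInfo, ecInfo)
	ok, _ := SignAndVerify(ecKey, []byte("constructed handshake transcript"))
	peer, _, _ := GenerateEC(elliptic.P256())
	same, _ := SharedSecret(ecKey, peer)
	fmt.Println("ECDSA signature verifies:", ok, "ECDH secrets agree:", same)
}
```

A P-256 key is generally rated at about the strength of a 3072-bit RSA key, so the 91-byte EC public key produced here does the work of a 294-byte RSA-2048 one. The agreement step fails when the two sides use different curves, which is why the key spec, not just a size, matters to peers that must interoperate.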

Extensions

The Subject Alternative Name (SAN) extension binds additional identities to the subject of the certificate. A TLS client matches the host it connected to against these entries, so a server certificate should list every DNS name and IP address by which the server is reached.

The supported name types are:
  • Email

    An email address (rfc822Name), typically the contact address for the certificate.
  • DNS Name

    The fully qualified host name of the server.
  • Directory Name

    A Directory Name must be an RDNSequence, that is, a Distinguished Name made up of attributes such as organization name and state.
  • Uniform Resource Identifier (URI)

    A Uniform Resource Identifier locating an Internet resource (for example, a web page or an FTP service).
  • IP Address

    The IP address of the target server.
  • Register ID

    An object identifier (OID) written as numbers separated by dots, for example 1.2.3.
Add Extensions
  • Extended Key Usage:

    This extension indicates one or more purposes for which the certificate may be used, in addition to or in place of the basic purposes indicated in the key usage extension. In general, this extension will appear only in end entity certificates.
  • Basic Constraints:

    The basic constraints extension identifies whether the subject of the certificate is a CA and how many certificates can follow this one in certification paths.
  • CRL distribution points:

    The CRL distribution points extension identifies how CRL information is obtained. It consists of a sequence of Distribution Points, each of which consists of three optional fields: distribution point, CRL issuer, and reasons. Although all fields are optional, there must be at least a distribution point or a CRL issuer.

User Key Store

The view provides a tab for each type of certificate store.

The User Key Store contains server certificates and self-signed certificates together with their matching private keys. Each certificate is bound to a public/private key pair that is unique to the platform. The User Key Store supports the server side of the relationship: when a client (Workbench, a platform, or a station) requests a connection, the server responds with one of its signed server certificates. Because this store holds private keys, protect any export of it and never distribute its contents the way you distribute trust store certificates.

Trust Stores

The trust stores (System and User) contain signed and trusted root CA certificates with their public keys. These stores hold no private keys. A trust store supports the client side of the relationship: the client uses its root CA certificates to verify the signatures on the certificates it receives from each server. If a client cannot validate a server certificate's signature, an error message lets you approve or reject a security exemption, which is then listed on the Allowed Hosts tab.

The System Trust Store contains the certificates of trusted entities (CA authorities) that ship with the Java Runtime Environment (JRE) of the currently opened platform. The User Trust Store contains certificates of trusted entities that you have imported yourself (for example, your own root CA).

Only certificates with public keys are stored in the trust stores. Most certificates in the System Trust Store come from the JRE; you add your own certificates to the User Trust Store by importing them.

Because a root certificate contains only a public key, it can be passed out freely: share it with your team and your customers, and make sure that any client that needs to connect to one of your servers has the root certificate that signed the server's certificate in its trust store. What must never be distributed is the root CA's private key.

Allowed Hosts Tab

This tab lists self-signed certificates that have been manually approved for authenticating a server. Because they are not signed by a CA, the trust store cannot validate them, and approving one exempts that host from signature checking. Do not approve a certificate unless you have confirmed out of band (for example, by comparing its fingerprint with the server's administrator) that it really belongs to that server; otherwise you may be approving a certificate presented by an attacker.
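The following Go program is an added example (it is not Niagara code and not from this page) that ties together the sections above on extensions, key stores, trust stores and allowed hosts. It builds a root CA certificate of the kind a trust store holds, issues a server certificate of the kind a user key store holds with its private key, setting a Subject Alternative Name (DNS, email, IP address and URI entries), Extended Key Usage, Basic Constraints and a CRL distribution point, then plays the client: the server certificate verifies against a trust store that contains the root and fails against an empty one, and a host is accepted without chain validation only when its certificate fingerprint matches an approved entry, as on the Allowed Hosts tab. All names, addresses, URLs and function names are assumptions made for the example; Directory Name and Register ID SAN entries are omitted because Go's x509 package does not set them from template fields.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"time"
)

// issue signs template with the signer's key (self-signed when parent is the
// template itself) and returns the parsed certificate.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain creates a root CA (the kind of entry a trust store holds) and a server
// certificate signed by it (the kind of entry a user key store holds together with
// its private key). All names, addresses and URLs are constructed for this example.
func BuildChain() (root, server *x509.Certificate, err error) {
	// P-256 is one of the EC key specs the view offers; GenerateKey only fails on a broken entropy source.
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{"Example Controls"}, CommonName: "Example Root CA"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(10, 0, 0),
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		// Basic Constraints: a CA that only end-entity certificates may follow (path length 0).
		BasicConstraintsValid: true, IsCA: true, MaxPathLen: 0, MaxPathLenZero: true,
	}
	if root, err = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, err
	}
	uri, _ := url.Parse("https://jace-01.example.test/ord")
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "jace-01.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true, // Basic Constraints present with IsCA false: not a CA
		// Subject Alternative Name: the DNS, email, IP and URI identities bound to this key.
		DNSNames:       []string{"jace-01.example.test"},
		EmailAddresses: []string{"ops@example.test"},
		IPAddresses:    []net.IP{net.ParseIP("192.0.2.10")},
		URIs:           []*url.URL{uri},
		// Extended Key Usage: an end-entity certificate for TLS server authentication.
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		// CRL distribution point: where a client fetches the issuer's revocation list.
		CRLDistributionPoints: []string{"http://pki.example.test/root.crl"},
	}
	server, err = issue(srvTmpl, root, &srvKey.PublicKey, caKey)
	return root, server, err
}

// VerifyWithTrustStore plays the client: the server certificate is accepted only if a chain to a root in pool exists and host matches its SAN.
func VerifyWithTrustStore(server *x509.Certificate, pool *x509.CertPool, host string) error {
	_, err := server.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// Fingerprint is the SHA-256 of the DER certificate, the value to confirm out of band before approving a host.
func Fingerprint(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.Raw))
}

// AllowedHosts models the Allowed Hosts tab: one approved certificate fingerprint per host.
type AllowedHosts map[string]string

// Accept exempts c from chain validation only when it is exactly the certificate approved for host.
func (a AllowedHosts) Accept(host string, c *x509.Certificate) bool {
	fp, ok := a[host]
	return ok && fp == Fingerprint(c)
}

func main() {
	root, server, err := BuildChain()
	if err != nil {
		panic(err)
	}
	trust := x509.NewCertPool()
	trust.AddCert(root)
	fmt.Println("root in trust store:", VerifyWithTrustStore(server, trust, "jace-01.example.test"))
	fmt.Println("empty trust store:", VerifyWithTrustStore(server, x509.NewCertPool(), "jace-01.example.test"))
	fmt.Println("SAN:", server.DNSNames, server.IPAddresses, "EKU:", server.ExtKeyUsage, "CRL:", server.CRLDistributionPoints)
}
```

The first verification succeeds because the client's trust store holds the root that signed the server certificate; the second fails with an unknown-authority error, which is the situation in which the view offers an Allowed Hosts exemption. The AllowedHosts check deliberately pins the exact certificate rather than the host name, so a different certificate later presented for the same host is rejected.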

Columns

This list describes the columns that appear in the store tabs.

  • Alias: Identifies the certificate by location or function.
  • Issued By: Identifies the entity that issued (signed) the certificate.
  • Subject: Identifies the entity, usually a company or host, that owns the certificate.
  • Not Before: The date before which the certificate is not valid.
  • Not After: The expiration date of the certificate.
  • Key Algorithm: The cryptographic algorithm used to generate the certificate keys. For RSA you select the key size in bits; for EC you select the key spec (named curve).
  • Key Size: For RSA keys, the size of the key in bits. Four sizes are offered: 1024, 2048 (the default), 3072, and 4096 bits. Larger keys take longer to generate. 1024-bit RSA no longer meets current security guidance and should not be chosen for new certificates.
  • Key Spec: For EC keys, the named curve, which determines the key size. Seven curves are offered: Brainpool P256 r1, Brainpool P320 r1, Brainpool P384 r1, Brainpool P512 r1, P-256, P-384, and P-521.
  • Signature Algorithm: The algorithm used to sign the certificate.
  • Signature Size: The size of the signature.
  • Valid: The dates between which the certificate is valid.
  • Self Signed: Indicates that the certificate was signed with its own private key.
  • Host: The server the entry applies to, usually an IP address.
  • Approval: Whether a client may connect to the host. If Approval is No, the system does not allow the client to connect.
  • Created: The date the record was created.

Buttons

This list describes the buttons available in the stores.

  • View displays the details of the selected certificate.

  • New creates a new self-signed certificate.

  • Delete deletes the selected certificate from the keystore.

  • Cert Request generates a certificate signing request (CSR) and exports it.

  • Import adds a certificate to the keystore.

  • Export exports the selected certificate to a directory you choose.

  • Reset resets the keystore and generates a new self-signed certificate. Export any certificate and key you still need before using it.

  • Approve designates the server as an allowed host.

  • Unapprove prohibits connections to this server host. The system terminates any attempted communication.