Certificate Management view

This view manages PKI (Public Key Infrastructure) digital certificates, creates Certificate Signing Requests (CSRs), and imports and exports keys and certificates to and from the Supervisor and controller trust stores.
Figure 210. The certificate store tabs

You access this view and its tabs by clicking Controller (System) Setup > Remote Devices > Certificate Management.

User Key Store

This store lists server, intermediate, and code-signing certificates with their public and private keys. You use this store to create and manage certificates.

Trust Stores (System Trust Store tab and User Trust Store tab)

The trust stores (system and user) contain signed and trusted root CA certificates with their public keys. These stores contain no private keys. A trust store supports the client side of the relationship by using its root CA certificates to verify the signatures of the certificates it receives from each server. If a client cannot validate a server certificate’s signature, an error message allows you to approve or reject a security exemption (on the Allowed Hosts tab).

The System Trust Store contains certificates signed by trusted entities (certificate authorities, CAs) that are recognized by the Java Runtime Environment (JRE) of the currently open platform. A User Trust Store contains certificates signed by trusted entities that you have imported yourself (your own certificates).

Only certificates with public keys are stored in the trust stores. The majority of certificates in the System Trust Store come from the JRE. You add your own certificates to a User Trust Store by importing them.

Because root certificates hold only public keys, you can pass them out freely: share them with your team and your customers, and make sure that any client that needs to connect to one of your servers has the server’s root certificate in its client trust store.

Allowed Hosts tab

This tab lists self-signed certificates that have been manually approved for use in authenticating a server. Being self-signed, they have not been signed by a CA. Do not approve them unless you are certain that the communication they facilitate will be secure.

Columns

Many columns are shared by the tabs. This table lists all columns.

Column Description
Alias Identifies certificates by location or function.
Issued By Identifies the entity that created the certificate.
Subject Identifies the company that owns the certificate.
Not Before Displays the date before which the certificate is not valid.
Not After Displays the expiration date for the certificate.
Key Algorithm Names the mathematical formula used to calculate the certificate keys.
Key Size Shows the size of the keys in bits. Four key sizes are allowed: 1024 bits, 2048 bits (this is the default), 3072 bits, and 4096 bits. The bigger the key, the longer it takes to generate.
Signature Algorithm Names the mathematical formula used to sign the certificate.
Signature Size Shows the size of the signature.
Valid Displays the dates between which the certificate is valid.
Self Signed Indicates that the certificate was signed with its own private key.
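To make the trust-store behaviour described above and the Self Signed column concrete, here is an added Go example that is not part of the product or this documentation; it uses only Go's standard crypto/x509 library. It issues a root CA, a server certificate signed by that CA and a self-signed server certificate, computes the Self Signed column the way a store should (issuer equals subject and the signature verifies under the certificate's own key), and shows that the client's trust-store check accepts only the CA-signed certificate, which is exactly the situation the Allowed Hosts exemption exists for. The names Example Root CA and station.example used by callers are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// SelfSigned computes the table's "Self Signed" column: issuer equals subject AND the signature
// verifies under the certificate's own public key (an issuer name alone is trivially copied).
func SelfSigned(c *x509.Certificate) bool {
	return c.Issuer.String() == c.Subject.String() &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Issue creates a 2048-bit RSA certificate (the default Key Size) for cn. With parent == nil it is
// self-signed: a root CA when isCA is true, otherwise a self-signed server certificate.
func Issue(cn string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject: pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), // Not Before / Not After
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil { // no issuer: sign with the certificate's own key
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// TrustedBy is the client-side trust-store check: the server certificate is accepted only when a root CA
// in the pool (the trust store) signed it. A self-signed server certificate fails here, which is the
// situation that triggers the Allowed Hosts security exemption.
func TrustedBy(server *x509.Certificate, roots *x509.CertPool) bool {
	_, err := server.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil
}
```

Importing a root into the User Trust Store corresponds to adding it to the pool; approving a certificate on the Allowed Hosts tab bypasses this check for that one certificate, which is why the Approve caution below matters.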

Buttons

This list describes, in alphabetical order, all the buttons available in the stores.

  • Approve manually validates the selected certificate in the User Trust Store and Allowed Hosts tabs.

    CAUTION: Do not approve a self-signed certificate automatically. Always confirm that you recognize the Alias, Issued By and Subject properties as valid entities.

    You can reverse the approval action on the Allowed Hosts tab by selecting the certificate and clicking Unapprove.

  • Cert Request opens a Certificate Request window, used to create a Certificate Signing Request (CSR).
  • Delete removes the certificate from the store.
  • Export saves a copy of the certificate to the hard disk with the .pem extension.
  • Import adds a certificate (.pem file) to the Key Store or a company’s root CA certificate to the User Trust Store.
  • New opens the Generate Self Signed Certificate window, used to create CA and server certificates.
  • Reset (available only in the Key Store) deletes all certificates in the Key Store and creates a new default certificate. It does not matter which certificate is selected when you click Reset.

    CAUTION: The Reset button facilitates creating a new key pair (private and public keys) for the entity, but may have unintended consequences if you delete valid certificates. Export all certificates before you reset.

  • Unapprove is available on the Allowed Hosts tab. This button removes approval from the selected certificate. The next time the server that uses this certificate connects to the station, the system warns you that the certificate is not valid.
  • View opens the selected certificate so that you can view its details.