A self-signed certificate is one that is signed by default using its own private key rather than by the private key that is owned by a CA. This type of certificate cannot be validated by a client and is not recommended for robust security when used as a JACE server certificate. There is no procedure for self-signing a certificate. Each is created self-signed.
Two self-signed certificates are used in a JACE network:
A default self-signed certificate for each JACE: When a JACE starts up for the first time, it creates this unique, self-signed certificate, the primary purpose of which is to provide immediate encryption. This certificate uses a 1024-bit pair of keys.
Notice the Issuer DN and Subject DN properties. The Issuer DN (Distinguished Name) is logically the same as the Subject DN. This indicates that this certificate is signed with its own private key. Because it is self-signed, the client Trust Store does not contain a certificate with a public key that matches this certificate’s signature. The Issuer DN and Subject DN are different for a certificate signed by a Certificate Authority (CA).
The first time a client connects to the JACE, the software displays a message indicating that the default certificate is not trusted. Whether you approve or disapprove the certificate, the software lists it in the Allowed Hosts list. If approved, the host is identified as trusted and you will not have to approve the connection each time it is made.
Unless you replace it with a certificate that you create, this certificate can only be used to encrypt data. You should not copy this certificate (or a certificate you create for this server) from one platform to another.
Self-signed certificates are inherently less secure because they cannot authenticate the server. Validating the server’s identity helps protect against man-in-the-middle attacks. To minimize the risk of a man-in-the-middle attack when using self-signed certificates, all your platforms should be contained in a secure private network, offline, and not publicly accessible from the internet.
If you intend to use self-signed certificates, before you access the JACE from Workbench for the first time, make sure that your PC and the JACE are not on any corporate network or the internet. Once disconnected, connect the PC directly to the JACE, access the JACE from Workbench, and approve its self-signed certificate. Only then should you reconnect the JACE to the corporate network or internet.
The approved host exception in the Allowed Hosts list is only valid when connecting to the server using the IP address or domain name that was used when the exception was originally created. If you use a different IP address or domain name to connect to the server, you will need to approve an updated exception. The same is true if a new self-signed certificate is generated on the host.
In the identity verification warning dialog, the changed items are indicated using different colored text.
Root certificate: This type of self-signed certificate is implicitly trusted because there is no higher authority than the entity that created this certificate. For this reason, Certificate Authorities, whose business it is to endorse other people’s certificates, closely guard their root certificate(s).
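The Allowed Hosts behavior described above can be modeled as a trust-on-first-use pin store. The following is an added example, not Tridium code: the `AllowedHosts` class, its state names, the SHA-256 fingerprint, and the sample address and certificate bytes are all assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate bytes (assumed pinning method)."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class AllowedHosts:
    # Maps the address exactly as typed (IP or domain name) to
    # (pinned fingerprint, approved flag).
    entries: dict = field(default_factory=dict)

    def record(self, host: str, cert_der: bytes, approved: bool) -> None:
        """The host is listed whether the user approves or disapproves."""
        self.entries[host] = (fingerprint(cert_der), approved)

    def check(self, host: str, cert_der: bytes) -> str:
        entry = self.entries.get(host)
        if entry is None:
            return "unknown-host"   # no exception exists for this address
        pinned, approved = entry
        if pinned != fingerprint(cert_der):
            return "cert-changed"   # host presented a different certificate
        return "trusted" if approved else "not-approved"


def demo() -> list:
    hosts = AllowedHosts()
    # Constructed sample data, not real certificates or addresses.
    default_cert = b"constructed-default-self-signed-cert"
    regenerated_cert = b"constructed-regenerated-self-signed-cert"
    results = [hosts.check("192.168.1.140", default_cert)]   # first contact
    hosts.record("192.168.1.140", default_cert, approved=True)
    results.append(hosts.check("192.168.1.140", default_cert))
    # Same server reached by another name: the exception does not carry over.
    results.append(hosts.check("jace1.example.local", default_cert))
    # A new self-signed certificate was generated on the host.
    results.append(hosts.check("192.168.1.140", regenerated_cert))
    return results


if __name__ == "__main__":
    print(demo())
```

A "cert-changed" result on a host whose certificate was not knowingly regenerated is the case to investigate before approving, because a self-signed certificate gives the client no other way to tell the real server from an interceptor.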
Copyright © 2000-2014 Tridium Inc. All rights reserved.