If there are no certificates in a User Key Store when the server starts, such as when booting a new platform or station, the platform or station creates a default, self-signed certificate. This certificate must be approved as an allowed host. This is why you often see the certificate popup when opening a platform or station.
Default self-signed certificates have the same name (tridium) in each User Key Store; however, each certificate is unique to its instance.
Clicking the New and Import buttons also adds certificates to the User Key Store.

| Column | Description |
|---|---|
| Alias | Provides a short name used to distinguish certificates from one another in the Key Store. This property is required. It may identify the type of certificate (root, intermediate, server), location or function. This name does not have to match when comparing the server certificate with the CA certificate in the client’s Trust Store. |
| Issued By | Identifies the entity that signed the certificate. |
| Subject | Specifies the Distinguished Name, the name of the company that owns the certificate. |
| Not Before | Specifies the date before which the certificate is not valid. This date on a server certificate should not be earlier than the Not Before date on the CA certificate used to sign it. |
| Not After | Specifies the expiration date for the certificate. This date on a server certificate should not be later than the Not After date on the CA certificate used to sign it. A period no longer than a year ensures regular certificate changes, which makes it more likely that the certificate uses the latest cryptographic standards and reduces the number of old, neglected certificates that can be stolen and reused for phishing and drive-by malware attacks. Changing certificates more frequently is even better. |
| Key Algorithm | Refers to the cryptographic formula used to calculate the certificate keys. |
| Key Size | Specifies the size of the keys in bits. Four key sizes are allowed: 1024 bits, 2048 bits (this is the default), 3072 bits, and 4096 bits. Larger keys take longer to generate but offer greater security. |
| Signature Algorithm | Specifies the cryptographic formula used to sign the certificate. |
| Signature Size | Specifies the size of the signature. |
| Valid | Specifies certificate dates. |
| Self Signed | Indicates that the certificate was signed with its own private key. |

For certificates, the file extension is .pem.
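The date, key-size and self-signed rules in the table can be checked mechanically when reviewing a key store. The following Python sketch is an added example, not Niagara or Tridium code; the `CertRow` record, the `audit` function, the finding codes, the 366-day limit and the sample rows are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

ALLOWED_KEY_SIZES = {1024, 2048, 3072, 4096}   # the four sizes in the Key Size row
MAX_LIFETIME = timedelta(days=366)             # "no longer than a year", leap-year safe

@dataclass
class CertRow:
    """One key store row; field names follow the table columns."""
    alias: str
    issued_by: str
    subject: str
    not_before: datetime
    not_after: datetime
    key_size: int

def audit(cert, now, ca=None):
    """Return finding codes for one row; ca is the signing CA's row when known."""
    findings = []
    if now < cert.not_before:
        findings.append("NOT_YET_VALID")
    if now > cert.not_after:
        findings.append("EXPIRED")
    if cert.not_after - cert.not_before > MAX_LIFETIME:
        findings.append("LIFETIME_OVER_ONE_YEAR")
    if cert.key_size not in ALLOWED_KEY_SIZES:
        findings.append("KEY_SIZE_NOT_ALLOWED")
    elif cert.key_size < 2048:  # below the default size; policy choice of this example
        findings.append("KEY_BELOW_DEFAULT")
    if cert.issued_by == cert.subject:
        # Name comparison only; it does not verify the signature itself.
        findings.append("SELF_SIGNED")
    elif ca is not None:
        if ca.subject != cert.issued_by:
            findings.append("ISSUER_MISMATCH")
        if cert.not_before < ca.not_before:
            findings.append("STARTS_BEFORE_CA")
        if cert.not_after > ca.not_after:
            findings.append("OUTLIVES_CA")
    return findings

# Constructed sample rows (not taken from a real key store).
NOW = datetime(2024, 6, 1)
ROOT = CertRow("rootca", "CN=Example Root CA", "CN=Example Root CA",
               datetime(2024, 1, 1), datetime(2025, 1, 1), 4096)
SERVER = CertRow("station1", "CN=Example Root CA", "CN=station1.example",
                 datetime(2023, 12, 1), datetime(2025, 6, 1), 1024)
DEFAULT = CertRow("tridium", "CN=station.example", "CN=station.example",
                  datetime(2024, 3, 1), datetime(2025, 3, 1), 2048)
```

Calling `audit(SERVER, NOW, ROOT)` reports the server row that starts before and outlives its CA; a `SELF_SIGNED` finding marks a certificate that each client must approve as an allowed host.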