[Advanced] Certificate¶
This section is only visible when the advanced view is chosen.
The Genius Server provides some security methods to ensure a secure communication between server and client.
Using an SSL connection, server and client can identify themselves and establish an encrypted communications session. To establish such a communication, keystore and truststore certificates are required.
The Genius Server uses digital certificates (issued by a public Certification Authority) that guarantee the ownership of a public key and are trusted both by the owner and the relying party.
Warning
To make the SSL connection work, enable HTTPS in the Web section (for further details refer to Web).
Keystore¶
The keystore uploaded in this section contains all the keys used by the Genius Server to communicate over an HTTPS protocol.
Keystore path: the path to the SSL keystore. The keystore must be in JKS or PKCS12 format. Set the used type with the Keystore type setting.
Keystore password: the password to access the keystore. Certificates in the keystore must have the same password as the keystore itself (required).
Keystore type: select the keystore type. Possible values are JKS and PKCS12.
Warning
Only certain algorithms for generating keypairs are supported. If a keypair is generated with an unsupported algorithm, the Genius Server will not start correctly. Supported algorithms are "RSA" and "EC (SEC, secp112r1)". Currently unsupported is "EC (ANSI X9.62, c2tnb191v1)".
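As an added pre-flight check (not part of Genius Server or its documentation), the following Java program loads a keystore with the configured type and password the way the server does, verifies that every private key can be recovered with the keystore password (the rule stated above), and reports each key's algorithm and, for EC keys, its curve so it can be compared with the supported list. The class name and argument order are assumptions.

```java
import java.io.FileInputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECKey;
import java.util.Collections;
import java.util.Set;
// Added check (hypothetical helper, not Genius Server code): loads a keystore the way the
// server would and reports the problems the Keystore section warns about.
public class KeystoreCheck {
    // Key algorithm names the documentation lists as supported for the server keypair.
    private static final Set<String> SUPPORTED = Set.of("RSA", "EC");
    public static void main(String[] args) throws Exception {
        // usage: KeystoreCheck <keystore path> <JKS|PKCS12> <keystore password>
        char[] password = args[2].toCharArray();
        KeyStore ks = KeyStore.getInstance(args[1]);      // "Keystore type" setting
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);                        // "Keystore password" setting
        }
        boolean ok = true;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;          // trusted-cert entries carry no private key
            Key key;
            try {
                // The server uses one password for store and keys: recovering the key
                // with the store password proves that the two match.
                key = ks.getKey(alias, password);
            } catch (UnrecoverableKeyException e) {
                System.out.println(alias + ": key password differs from keystore password");
                ok = false;
                continue;
            }
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            String alg = key.getAlgorithm();
            System.out.printf("%s: %s, subject=%s, expires=%s%n",
                    alias, alg, cert.getSubjectX500Principal(), cert.getNotAfter());
            if (key instanceof ECKey) {
                // Curve parameters are printed for manual comparison; the text form is JDK-specific.
                System.out.println("  curve: " + ((ECKey) key).getParams());
            }
            if (!SUPPORTED.contains(alg)) {
                System.out.println(alias + ": unsupported key algorithm " + alg);
                ok = false;
            }
        }
        System.exit(ok ? 0 : 1);
    }
}
```

Run it with the same path, type and password you enter in the Keystore settings; a non-zero exit code means the server would not start with this keystore.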
Truststore¶
The truststore uploaded in this section contains all the keys used by devices and other external servers, so that the Genius Server can recognize them as secure.
Truststore type: a drop-down menu for the truststore type. Possible values are WINDOWS-ROOT, JKS and PKCS12.
WINDOWS-ROOT: if selected, the Genius Server trusts all certificates stored in the Windows "Trusted Root Certification Authorities" folder. Note that if you previously used a certificate that was only located in the Genius Server truststore, you will need to copy it to the Windows root certificate folder when selecting this option.
INTERNAL: if selected, the Genius Server trusts the certificate that is configured inside Genius Server configuration tool (setting: truststore path).
Truststore path: the path to the SSL truststore. The truststore must be in one of the supported formats (JKS, PKCS12).
Truststore password: the password to access the truststore. Certificates in the truststore must have the same password as the truststore itself (leave empty if the truststore has no password).
More on TrustStores¶
In secure communications, the Genius Server can have the role of TLS Client or TLS Server.
If the Genius Server has the client role, it has to trust the TLS server side of the communication. To achieve this, a trust chain has to be established between the client and the server.
A chain can consist of the following items:
Certificate Authority -> Intermediate certificate authority -> 2nd Intermediate certificate authority -> Server certificate
Usually the TLS server provides:
The server certificate.
All intermediate certificates.
Usually the TLS Client provides:
The CA certificates to trust.
The connection is trusted only if client and server together can complete the chain.
The Genius Server allows two ways to configure a trustStore:
Windows-ROOT (This will not include the intermediate certificates, but only the trusted root certificate authorities)
An internal trustStore which has to be configured and managed on all Genius Server nodes.
This configuration is done by choosing the corresponding Truststore Type as described above.
If there are issues when configuring the TLS connection please refer to How to Fix TLS Connection Issues.
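As an added example (not part of Genius Server), this Java program validates the certificate chain a TLS server presents against either the Windows root store or an internal JKS/PKCS12 truststore, the two truststore choices described above, and reports where the chain breaks. It assumes the server's certificates are in a PEM file with the server certificate first, as openssl s_client -showcerts prints them; the class name and argument order are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;
// Added chain check (hypothetical helper, not Genius Server code): validates what a TLS
// server sends against the truststore the Genius Server would use in the TLS client role.
public class ChainCheck {
    public static void main(String[] args) throws Exception {
        // usage: ChainCheck <server-chain.pem> WINDOWS-ROOT
        //        ChainCheck <server-chain.pem> <JKS|PKCS12> <truststore path> [password]
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : cf.generateCertificates(in)) {
                X509Certificate x = (X509Certificate) c;
                // A self-signed root sent by the server is dropped: the root CA must come
                // from the client's truststore, as the section above describes.
                if (!x.getSubjectX500Principal().equals(x.getIssuerX500Principal())) chain.add(x);
            }
        }
        KeyStore trust;
        if (args[1].equalsIgnoreCase("WINDOWS-ROOT")) {
            trust = KeyStore.getInstance("Windows-ROOT"); // JDK SunMSCAPI view of the Windows root store
            trust.load(null, null);
        } else {
            trust = KeyStore.getInstance(args[1]);
            try (InputStream in = new FileInputStream(args[2])) {
                trust.load(in, args.length > 3 ? args[3].toCharArray() : null);
            }
        }
        // PKIX expects the path leaf-first (server cert, then intermediates); the trust
        // anchors are the trusted-certificate entries of the truststore.
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(false); // only the chain itself is checked here
        CertPath path = cf.generateCertPath(chain);
        try {
            PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult)
                    CertPathValidator.getInstance("PKIX").validate(path, params);
            System.out.println("chain trusted, anchor: "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // the index names the certificate in the path at which the chain could not be completed
            System.out.println("chain NOT trusted at index " + e.getIndex() + ": " + e.getMessage());
        }
    }
}
```

With WINDOWS-ROOT, a failure at the last index usually means an intermediate is missing from the server's response, since that store holds only root CAs; with an internal truststore it may also mean the CA certificate was not copied to this node.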
Advanced¶
The advanced section offers more configuration options for certificate handling. The Jetty server inside the Genius Server is able to use encrypted communication. With the settings Exclude protocols and Exclude cipher suites you can fine-tune which protocols and cipher suites are not to be used; see below for more information.
Additionally, to ensure that old and insecure configurations are not allowed, the JDK running the Genius Server has its own Java security file. By default the file can be found here: C:\Program Files\Genius CDDS Server\jdk\conf\security\java.security. If you open the file in an editor, you will see that TLS1.1 is disabled by default, for example.
Keystore cert alias: a unique string to identify a keystore certificate.
Renegotiation allowed: if checked, during the handshake, SSL parameters can be renegotiated to continue the previously established secure communication between server and client.
Exclude protocols: the protocols to exclude when establishing an SSL communication. If you want to disallow TLS1.2 for example, add it here. As an alternative, you could edit the java.security file, but keep in mind that the file will be updated and overwritten during a Genius Server update.
Exclude cipher suites: the cipher suites to exclude when establishing an SSL communication.
SNI host check: if checked, the SNI host check allows the Genius Server to present the correct certificate to a client when the server is reachable via multiple hostnames. If the connection is not opened with an FQDN or no certificate is found, the TLS session will fail.
Warning
We strongly recommend not modifying the default parameters except in particular cases.
Hint
Do not forget to click Save to save the changes. When everything in the config tool is configured, the Genius Server needs to be restarted.