CA Certificates

Learn about Certificate authority (CA) configuration and trust management.

Certificate Authority (CA) certificates are used to validate other certificates. Connectware uses a certificate system that includes both built-in Cybus CA certificates and any custom CA certificates you choose to add. These certificates establish trust relationships between different systems and verify the authenticity of connections.

CA Certificate Types

Default Cybus CA Certificates

Connectware comes with built-in Cybus CA certificates that are pre-installed and managed by the system. These provide the baseline security infrastructure for Connectware operations.

In production environments, we recommend that you use a custom CA certificate that your organization manages and has authorized.

Custom CA Certificates

Custom CA certificates are user-provided Certificate Authority certificates that you add to the system to establish trust for secure communications with external systems. These certificates allow Connectware to authenticate and verify devices, clients, or servers that use certificates signed by a non-default or custom CA, rather than relying solely on the built-in Cybus CA.

By adding custom CA certificates, you can integrate your own Public Key Infrastructure (PKI) to ensure that Connectware can recognize and trust certificates issued by external CAs. This increases security and flexibility for specific industry use cases or corporate policies.

In production environments, we recommend that you use a custom CA certificate that your organization manages and has authorized.

Adding Custom CA Certificates

You can add custom CA certificates to Connectware via the Admin UI and via the certs volume.

All certificate and key files must be in PEM format.

Adding Custom CA Certificates via the Admin UI

You can add your custom CA certificate to Connectware via the Admin UI. When you add a certificate, a backup of the current certificates is created. The last backup will be overwritten with the newly created backup and then the uploaded certificate will be appended to the current certificate chain.

Select User > User Certificates.
In the Certificates view, click Add Certificate. See Certificates View.

In the file browser, select your certificate file and click Open.

Adding Custom CA Certificates via the Certs Volume

You can add your custom CA certificate to Connectware via the certs volume.

Prerequisites

The following files are available:

The cybus_ca.crt from Connectware.
The ca-chain.pem CA certificate chain in PEM format.
The server.crt server certificate for Connectware in PEM format, signed by your custom CA.
The server.key matching server.crt.
Connectware has a planned maintenance downtime.

Adding Custom CA Certificates via the Certs Volume (Kubernetes)

Append your ca-chain.crt to cybus_ca.crt:

cat ca-chain.pem >> cybus_ca.crt

Upload the modified cybus_ca.crt to Connectware. Make sure to specify the Connectware namespace:

namespace=<namespace>
pod=$(kubectl -n ${namespace} get pod -o name -lapp.kubernetes.io/name=auth-server | head -1 | sed 's/pod\///g');
kubectl -n ${namespace} cp -c auth-server cybus_ca.crt $pod:/connectware_certs/cybus_ca.crt
kubectl -n ${namespace} exec $pod -c auth-server -- chown -R root:root /connectware_certs
kubectl -n ${namespace} exec $pod -c auth-server -- chmod 664 /connectware_certs/cybus_ca.crt

Restart Connectware to apply the changes.

Adding CA Certificates via the Certs Volume (Docker)

Append your ca-chain.crt to cybus_ca.crt:

cat ca-chain.pem >> cybus_ca.crt

Upload the modified cybus_ca.crt to Connectware:

# Get the container ID or name using labels
container_id=$(docker container ls -q -f "label=io.cybus.connectware=core" -f "label=com.docker.compose.service=auth-server")

# Copy the modified CA certificate
docker cp cybus_ca.crt $container_id:/connectware_certs/cybus_ca.crt

# Set proper ownership and permissions
docker exec $container_id chown -R root:root /connectware_certs
docker exec $container_id chmod 664 /connectware_certs/cybus_ca.crt

Restart Connectware to apply the changes.

Removing CA Certificates

You must have at least two CA certificates in Connectware to remove a certificate, as one certificate must always remain in the system.

Select User > User Certificates.
In the certificates list, click the arrow next to the certificate that you want to remove. See Certificates View.
Click Remove Certificate.

PreviousCipher Suites & TLS Versions NextCertificates View

Last updated 9 months ago

Was this helpful?

hashtagCA Certificate Types

hashtagDefault Cybus CA Certificates

hashtagCustom CA Certificates

hashtagAdding Custom CA Certificates

hashtagAdding Custom CA Certificates via the Admin UI

hashtagAdding Custom CA Certificates via the Certs Volume

hashtagAdding Custom CA Certificates via the Certs Volume (Kubernetes)

hashtagAdding CA Certificates via the Certs Volume (Docker)

hashtagRemoving CA Certificates