TLS Certificates

Manage certificates for secure device communication in Connectware.

Connectware manages certificates to ensure secure communication between devices and systems. It verifies the authenticity of certificates during TLS and mTLS connections, allowing only authorized entities to access the system for increased data integrity and security in industrial environments. You can upload certificates to the Connectware certs volume.

Transport Layer Security (TLS) is a widely used protocol that secures communications between two systems, such as a client and a server, by encrypting the data being transmitted. It ensures data privacy and integrity by verifying the server's identity with a digital certificate. In standard TLS, only the server is authenticated, while the client uses mechanisms such as usernames and passwords for authentication.

Mutual TLS (mTLS) requires both the server and client to authenticate each other with digital certificates. The client also presents a certificate, ensuring that both parties are verified. This adds an extra layer of trust and security, especially in environments where strong authentication is required.

Certificate Types in Connectware

Cybus Connectware uses the following certificate types to secure communication and establish trust between clients, servers, and external systems:

  • CA certificates

    CA certificates are used to validate other certificates. Connectware uses built-in Cybus CA certificates as well as custom CA certificates added by users to establish trust. CA certificates form the foundation of the public key infrastructure (PKI) and are stored in the certificate bundles cybus_ca.crt and shared_yearly_ca.crt; the latter is used for internal connections. See CA Certificates.

  • Client certificates

    Used in mutual TLS (mTLS) configurations, client certificates authenticate devices, agents, or users to Connectware. These certificates are typically signed by a trusted custom CA and linked to user accounts within Connectware. When mTLS is enabled, only clients presenting valid, trusted certificates are allowed to connect. See Client Certificates.

  • Server certificates

    These certificates authenticate the Connectware server to clients (e.g., web browsers or MQTT clients) during TLS or mTLS sessions. They ensure that clients are communicating with a trusted and verified Connectware instance. Server certificates must be signed by a trusted CA and are installed into the Connectware certificate volume. See Server Certificates.

Certs Volume

The certs volume is a dedicated volume that stores all the certificates used for secure TLS communications and authentication through mTLS, as well as the Certificate Authority (CA) to validate these. It ensures that Connectware services can reliably access the certificates they need.

Within the certs volume:

  • cybus_ca.crt - Holds the current list of valid CA certificates.

  • cybus_ca_backup.crt - Stores a backup of the previous CA certificate list.

  • shared_yearly_ca.crt - Used internally by Connectware for authenticating inter-service communication. This bundle is managed by the system and typically does not require user modification.

  • cybus_combined_ca.crt - Contains both the external (cybus_ca.crt) and internal (shared_yearly_ca.crt) bundles. This file can be provided to agents as a CA bundle, allowing them to connect securely both internally and externally to Connectware.

In addition to certificate bundles, the certs volume also stores the keys for Connectware core services. This includes both server and client keys used in mTLS authentication, as well as the associated CA certificates.

The certs volume is exclusively used by Connectware core services. External clients, including agents, devices, and MQTT-only clients, do not access it.
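The following helper is an added example, not part of Connectware or this documentation. It shows what the bundle files above amount to operationally: a PEM CA bundle is a concatenation of certificate blocks, cybus_combined_ca.crt is the external and internal bundles merged, and cybus_ca_backup.crt lets you see which CA entries changed. The code parses a bundle, checks that each block is a well-formed DER SEQUENCE, deduplicates by SHA-256 fingerprint, merges bundles, and diffs a current bundle against a backup. The certificate bodies embedded at the bottom are constructed placeholder DER blobs so the example runs offline; real bundles are handled identically. Function names and file-name constants are the example's own assumptions.

```python
"""Inspect, merge and diff PEM CA bundles (added example, not Connectware code).

Constructed placeholder data is used instead of real X.509 certificates so the
logic can run offline; point parse_bundle() at a real cybus_ca.crt to use it.
"""
import base64
import hashlib
import re

# One PEM certificate block; DOTALL lets the body span lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def _check_der_sequence(der: bytes) -> None:
    """Reject blocks that are not a single, correctly framed DER SEQUENCE
    (an X.509 certificate is always a SEQUENCE at the top level)."""
    if not der or der[0] != 0x30:
        raise ValueError("certificate block is not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                       # short-form length
        header_len, length = 2, first
    else:                                  # long-form length: 0x8N + N bytes
        n = first & 0x7F
        header_len, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header_len + length != len(der):
        raise ValueError("DER length does not match certificate block size")


def parse_bundle(pem_text: str) -> list[bytes]:
    """Return the DER bytes of every certificate block in a PEM bundle."""
    certs = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        _check_der_sequence(der)
        certs.append(der)
    return certs


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint, the usual stable identity for a CA entry."""
    return hashlib.sha256(der).hexdigest()


def to_pem(der: bytes) -> str:
    """Re-encode DER as a PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def combine_bundles(*bundles: str) -> str:
    """Merge bundles in order (external first, then internal), dropping
    duplicates by fingerprint; this is the shape of cybus_combined_ca.crt."""
    seen, out = set(), []
    for text in bundles:
        for der in parse_bundle(text):
            fp = fingerprint(der)
            if fp not in seen:
                seen.add(fp)
                out.append(to_pem(der))
    return "".join(out)


def bundle_diff(current: str, backup: str) -> tuple[set[str], set[str]]:
    """Fingerprints (added, removed) in the current bundle versus the backup,
    e.g. cybus_ca.crt versus cybus_ca_backup.crt."""
    cur = {fingerprint(d) for d in parse_bundle(current)}
    old = {fingerprint(d) for d in parse_bundle(backup)}
    return cur - old, old - cur


# Constructed placeholder "certificates": SEQUENCE { INTEGER n }, not real X.509.
CA_A = b"\x30\x03\x02\x01\x01"
CA_B = b"\x30\x03\x02\x01\x02"
CA_C = b"\x30\x03\x02\x01\x03"

EXTERNAL_BUNDLE = to_pem(CA_A) + to_pem(CA_B)   # stands in for cybus_ca.crt
INTERNAL_BUNDLE = to_pem(CA_B) + to_pem(CA_C)   # stands in for shared_yearly_ca.crt
BACKUP_BUNDLE = to_pem(CA_A)                    # stands in for cybus_ca_backup.crt

if __name__ == "__main__":
    combined = combine_bundles(EXTERNAL_BUNDLE, INTERNAL_BUNDLE)
    print("combined bundle holds", len(parse_bundle(combined)), "certificates")
    added, removed = bundle_diff(EXTERNAL_BUNDLE, BACKUP_BUNDLE)
    print("added since backup:", added, "removed:", removed)
```

The DER framing check is deliberately strict: a bundle that contains a truncated or mis-pasted block would otherwise be silently accepted by string-based tooling and only fail at handshake time, where the error is far harder to attribute.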