TLS Certificates
Manage certificates for secure device communication in Connectware.
Connectware manages certificates to ensure secure communication between devices and systems. It verifies the authenticity of certificates during TLS and mTLS connections, allowing only authorized entities to access the system for increased data integrity and security in industrial environments. You can upload certificates to the Connectware certs volume.
Transport Layer Security (TLS) is a widely used protocol that secures communications between two systems, such as a client and a server, by encrypting the data being transmitted. It ensures data privacy and integrity by verifying the server's identity with a digital certificate. In standard TLS, only the server is authenticated, while the client uses mechanisms such as usernames and passwords for authentication.
Mutual TLS (mTLS) requires both the server and client to authenticate each other with digital certificates. The client also presents a certificate, ensuring that both parties are verified. This adds an extra layer of trust and security, especially in environments where strong authentication is required.
Cybus Connectware uses the following certificate types to secure communication and establish trust between clients, servers, and external systems:
CA certificates
CA certificates are used to validate other certificates. Connectware uses built-in Cybus CA certificates as well as custom CA certificates added by users to establish trust. CA certificates form the foundation of the public key infrastructure (PKI) and are stored in the cybus_ca.crt truststore.
Client certificates
Used in mutual TLS (mTLS) configurations, client certificates authenticate devices, agents, or users to Connectware. These certificates are typically signed by a trusted custom CA and linked to user accounts within Connectware. When mTLS is enabled, only clients presenting valid, trusted certificates are allowed to connect.
Server certificates
These certificates authenticate the Connectware server to clients (e.g., web browsers or MQTT clients) during TLS or mTLS sessions. They ensure that clients are communicating with a trusted and verified Connectware instance. Server certificates must be signed by a trusted CA and are installed into the Connectware certificate volume.
The certs volume is a dedicated volume that stores all the certificates used for secure TLS communication and for authentication through mTLS, together with the Certificate Authority (CA) certificates used to validate them. It ensures that these certificates are easily accessible to the Connectware services.
All valid CA certificates are stored in the certs volume, with the cybus_ca.crt file holding the current list of certificates. A backup of the previous certificate list is stored in the cybus_ca_backup.crt file.
The certs volume specifically holds certificates and keys for the Connectware core services, including both server keys and client keys (both sides for mTLS), as well as the necessary CA certificates.
However, clients that are not part of the core services, as well as agents, devices, and MQTT-only clients, do not use the certs volume.
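The following script is an added example and is not Cybus code or part of the Connectware product. It builds a throwaway PKI with the openssl CLI to show how the three certificate types above relate (a custom CA, a server certificate for the Connectware endpoint, and client certificates for mTLS), and it keeps a PEM truststore bundle with a backup of the previous list, mirroring the cybus_ca.crt / cybus_ca_backup.crt pattern described above. It assumes openssl is on PATH; every CA name, hostname and file here is constructed for the demo and is written to a temporary directory, never to the real certs volume.

```shell
#!/bin/sh
# Added example (not Cybus code): throwaway PKI plus a truststore bundle with backup.
# Requires the openssl CLI. All names, hostnames and files below are constructed.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping" >&2; exit 0; }

WORK=$(mktemp -d)                 # nothing here touches the real certs volume
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-contained openssl config so the result does not depend on the system openssl.cnf.
cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:connectware.example.local
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

# make_ca NAME: self-signed CA certificate (a "custom CA" in the page's terms).
make_ca() {
  openssl req -x509 -config pki.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.crt" -days 365 -subj "/CN=$1" 2>/dev/null
}

# issue_cert NAME CA SECTION: leaf certificate signed by CA, with v3_server or v3_client extensions.
issue_cert() {
  openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -extfile pki.cnf -extensions "$3" -days 90 -out "$1.crt" 2>/dev/null
}

# verify_cert CERT BUNDLE PURPOSE: what a TLS peer checks, a chain to a CA in the
# truststore only (system CAs excluded) plus the stated purpose (sslserver/sslclient).
verify_cert() {
  openssl verify -no-CAfile -no-CApath -CAfile "$2" -purpose "$3" "$1" >/dev/null 2>&1
}

# verify_hostname CERT BUNDLE HOST: the extra check a client makes on a server certificate.
verify_hostname() {
  openssl verify -no-CAfile -no-CApath -CAfile "$2" -purpose sslserver \
    -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# bundle_fingerprints BUNDLE: one SHA-256 fingerprint per certificate in a PEM bundle.
bundle_fingerprints() {
  [ -f "$1" ] || return 0
  split_dir=$(mktemp -d)
  awk -v d="$split_dir" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/" n ".pem")}' "$1"
  for f in "$split_dir"/*.pem; do
    [ -f "$f" ] && openssl x509 -in "$f" -noout -fingerprint -sha256
  done
  rm -rf "$split_dir"
}

# add_ca_to_truststore CA BUNDLE BACKUP: append a CA to the bundle, saving the previous
# list as the backup first; a CA already present (same fingerprint) is not added twice.
add_ca_to_truststore() {
  fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256)
  if bundle_fingerprints "$2" | grep -qxF "$fp"; then
    return 0
  fi
  [ ! -f "$2" ] || cp "$2" "$3"
  cat "$1" >> "$2"
}

rejects() { ! "$@"; }
report() { name=$1; shift; if "$@"; then echo "ok    $name"; else echo "FAIL  $name"; fi; }

run_demo() {
  make_ca plant-ca                  # trusted custom CA
  make_ca vendor-ca                 # second trusted CA, added later to show the backup
  make_ca other-ca                  # a CA the truststore never includes
  issue_cert connectware plant-ca v3_server
  issue_cert agent-01    plant-ca v3_client
  issue_cert rogue-01    other-ca v3_client

  add_ca_to_truststore plant-ca.crt  cybus_ca.crt cybus_ca_backup.crt
  add_ca_to_truststore plant-ca.crt  cybus_ca.crt cybus_ca_backup.crt   # duplicate: no-op
  add_ca_to_truststore vendor-ca.crt cybus_ca.crt cybus_ca_backup.crt   # backup keeps plant-ca only

  report "server cert chains to a trusted CA"   verify_cert connectware.crt cybus_ca.crt sslserver
  report "server cert matches its hostname"     verify_hostname connectware.crt cybus_ca.crt connectware.example.local
  report "agent client cert accepted for mTLS"  verify_cert agent-01.crt cybus_ca.crt sslclient
  report "client cert from unknown CA rejected" rejects verify_cert rogue-01.crt cybus_ca.crt sslclient
  report "client cert cannot pose as a server"  rejects verify_cert agent-01.crt cybus_ca.crt sslserver
  report "truststore now lists two CAs"         [ "$(bundle_fingerprints cybus_ca.crt | awk 'END{print NR}')" -eq 2 ]
}

run_demo
```

The two negative checks are the ones worth keeping in mind when operating a truststore: a certificate from a CA that was never added to the bundle fails the chain check even if it is otherwise well-formed, and a client certificate cannot be reused as a server certificate because its extendedKeyUsage says clientAuth only. The backup step runs before the bundle is modified, so a bad append can be rolled back by restoring the previous list.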