Certificate Requirements

Learn about the requirements for certificates in Cybus Connectware.

Connectware accepts certificates that meet specific requirements. This page lists those requirements so that you can create certificates that function properly in your environment: recommended validity periods, required subject fields (CN), necessary extensions (SAN), signature algorithms, cipher compatibility, and TLS version support.

Following these specifications ensures your certificates are correctly processed by Connectware components, preventing connection issues and security alerts.

For information on the supported TLS ciphers and TLS versions, see Cipher Suites & TLS Versions.

Certificate File Format (PEM)

All certificate and key files must be in PEM format.

While the examples in this documentation use traditional extensions like .crt for certificates and .key for private keys, you may prefer using .pem extensions to make the format requirement more explicit.

Certificate Signature Algorithm

Connectware has specific requirements for certificate signature algorithms. Ensure that your certificate's signature algorithm (e.g., SHA-256 with RSA) is compatible with the Connectware components. Signature algorithms built on modern, secure hash functions like SHA-256 or SHA-384 are recommended.

Key Exchange & Cipher Compatibility

Your client certificates should be issued using key types compatible with Connectware's supported cipher suites. For example, if a component supports ECDHE-ECDSA cipher suites, your client certificate should be issued using an ECDSA key. Similarly, RSA certificates may not work with cipher suites specifically requiring ECDSA keys. Review the supported cipher suites for each Connectware component to ensure compatibility.

TLS Version Support

Connectware components enforce specific TLS versions (generally TLS 1.2 and 1.3). Certificates using outdated signature algorithms (e.g., SHA-1) may be rejected by Connectware. Ensure your certificates use modern signature algorithms that are compatible with these TLS versions.

Validity Period

When deploying certificates for Cybus Connectware in your enterprise environment, you can define validity periods according to your organization's security policies and certificate lifecycle management practices. While shorter validity periods align with current security best practices and reduce exposure in case of compromise, you may follow your established PKI standards.

Make sure to renew your certificates before they expire to prevent service disruptions.

Subject Information (CN, etc.)

The Common Name (CN) field in your certificates should identify the specific Connectware component or service. For server certificates, this typically matches the hostname through which clients will access the service. While historically the CN was the primary identifier for certificate validation, modern systems are increasingly moving away from this approach.

Extensions (SAN, etc.)

Subject Alternative Name (SAN) extensions are now the preferred and recommended method for specifying host identifiers in certificates used with Connectware. Modern clients prioritize SAN entries over the Common Name field during certificate validation. When creating certificates for Connectware components, we recommend including relevant hostnames, IP addresses, and other identifiers as SAN entries to ensure proper connectivity across all clients. This approach improves compatibility and follows current industry security standards.

For multi-node deployments or services accessible through multiple hostnames, using SAN extensions becomes especially important as they allow a single certificate to be valid for multiple identifiers.
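
The requirements above can be checked before deployment. The following is an added example, not Cybus tooling: the function name check_cert, the 30-day renewal window, and the output format are assumptions, and it needs the openssl command-line tool.

```shell
#!/bin/sh
# check_cert FILE [DAYS] -- hypothetical helper, not part of Connectware.
# Prints one finding per requirement; returns 0 only if every check passes.
check_cert() {
    cert=$1; days=${2:-30}; rc=0

    # File format: must carry PEM armor and parse as an X.509 certificate.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" ||
       ! text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null); then
        echo "FAIL: $cert is not a PEM-encoded certificate"
        return 1
    fi

    # Signature algorithm: flag SHA-1 (named on this page) and MD5
    # (assumption: treated as equally outdated).
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    case $sig in
        *[Ss][Hh][Aa]1*|*[Mm][Dd]5*) echo "FAIL: outdated signature algorithm $sig"; rc=1 ;;
        *) echo "ok:   signature algorithm $sig" ;;
    esac

    # Key type: reported only. Compare it with the component's cipher suites
    # (an ECDHE-ECDSA suite needs id-ecPublicKey, an RSA suite rsaEncryption).
    key=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    echo "info: key type $key"

    # SAN: the entries are on the line following the extension name.
    san=$(printf '%s\n' "$text" | sed -n '/X509v3 Subject Alternative Name/{n;s/^ *//p;}')
    if [ -n "$san" ]; then
        echo "ok:   SAN $san"
    else
        echo "FAIL: no Subject Alternative Name extension"; rc=1
    fi

    # Validity: fail if the certificate expires within the renewal window.
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
        echo "ok:   valid for more than $days days"
    else
        echo "FAIL: expires within $days days"; rc=1
    fi
    return $rc
}
```

Call it as `check_cert server.crt 30`; the key type line is informational and has to be compared by hand with the cipher suites of the component the certificate is meant for.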
