Managing Certificate Settings
  • 31 Jul 2024

Article summary

The Certificate Settings page is where certificate-related settings for the Axonius instance are configured.
To open the Certificate Settings:

  1. From the top right corner of any page, click the System Settings icon (image). The System Settings page opens.
  2. In the Categories/Subcategories pane of the System Settings page, expand Privacy and Security, and select Certificate.

Certificates

The Certificate Settings consist of the following sections:

SSL Certificate

An SSL certificate is presented to the browser when accessing the Axonius GUI.
Axonius accepts X.509 SSL certificates and requests in most formats, including combined certificate files. It is recommended to use a certificate configured to meet or exceed your organization’s security requirements.
The default certificate is the Axonius self-signed SSL certificate.
This section displays the following details about the SSL certificate:

  • Issued to

  • Alternative Names (if configured)

  • Issued by

  • SHA1 fingerprint

  • Expires on


Certificate Signing Request (CSR)

This section displays the Certificate Signing Request (CSR) details:

  • If there is no pending CSR, "None" is displayed.
  • If there is a pending CSR, this section lets you perform the following actions:
    • Download CSR - Download the current pending CSR.
    • Cancel Pending Request - Cancel the current pending CSR.

To create a CSR, in the Certificate Actions menu, click Generate CSR.

Note:

Certificate Actions are not applicable for Axonius-hosted (SaaS) customers.

The CSR remains in the pending state until you have it signed by a Certificate Authority (CA) and then upload the signed certificate using the Import Signed Certificate (CSR) option in the Certificate Actions menu. A certificate signing request should have a SAN (Alternative Names) value that matches the CN (Domain Name).

Note:

IP addresses are not supported as a Subject Alternative Name (SAN) when using the "Generate CSR" option within the Axonius UI. Customers must generate their own certificate if an IP address is needed as a SAN.

SSL Trust & CA Settings

  • Use Custom CA certificate - When enabled, upload the Certificate Authority (CA) certificate files to be used when Verify SSL is enabled for an adapter connection. The CA certificates provided here are used together with the Mozilla CA Certificate List to verify that the certificate presented by the host defined in the adapter connection is valid.

Mutual TLS Settings

  • Enable mutual TLS - Mutual TLS is a common security practice that uses client TLS certificates to provide an additional layer of protection, allowing the client's identity to be verified cryptographically. For more details, see Mutual TLS.

Encryption Settings

  • Allow legacy SSL cipher suites for adapters - When selected, allows adapter connectivity to systems that support only legacy ciphers. This option is only available for customer-hosted on-premise instances.

Certificate Actions

Note:

Certificate Actions are not applicable for Axonius-hosted (SaaS) customers.

The Certificate Actions menu is located on the top right of this section. When clicking Certificate Actions, the following options are available:

  • Generate CSR
    • This option generates a private key that is stored internally in Axonius and then opens the Create Certificate Signing Request dialog, where you specify the Certificate Signing Request (CSR) details needed to create the CSR.
    • Once the CSR is created, it goes into pending state and is shown in the Certificate Signing Request (CSR) section where it can be downloaded.
    • You can specify the following CSR details:
      • Domain name (required) - The domain name must match the domain name of the Axonius instance in order for the certificate to be validated. The domain name can contain wildcards.
      • Alternative Names (optional, default: empty) - Semicolon-separated values of either alternative IP addresses or alternate DNS names. The Domain name is always included as a subject alternative name.
      • Organization (optional, default: Internet Widgits Pty Ltd) - The organization or company name
      • Organization Unit (optional, default: empty) - The department
      • City/Location (optional, default: empty) - The city
      • State/Province (optional, default: Some-State) - The state
      • Country (optional, default: AU) - The country must be exactly two letters which represent the country. Refer to the list of Country Codes.
      • Email (optional, default: empty) - The email address
    • Private key characteristics
      • Private key is generated using:
        • Key exchange algorithm - RSA
        • Key size - 4096
        • Hashing algorithm - SHA256
Notes:
  • The generated CSR does not contain the expiration date of the certificate. You must provide the expiration date of the certificate when signing the CSR with your CA. Note that since July 2020, Chrome and Firefox do not accept certificates with a TLS certificate lifespan longer than 398 days.

  • The generated CSR contains constraints. The signing CA should copy these constraints to the signed certificate. If the constraints are not copied, the browser may not validate the certificate.
    The following constraints are used:
    • keyUsage (Digital Signature, Non Repudiation, Key Encipherment)
    • subjectAltName - contains the domain name (Chrome must have it in order to validate the certificate)
    • basicConstraints - CA:FALSE


  • Import Certificate and Private Key
    • This option enables you to import a certificate and its private key (with an optional passphrase) in order to replace the existing SSL certificate that is presented when accessing the Axonius GUI.
    • The imported certificate details are displayed in the SSL Certificate section.
    • The Import Certificate and Private Key dialog requires you to specify the following fields:
      • Domain name (required) - The hostname of the certificate. This must match the value defined in the certificate's Common Name or Subject Alternative Name.
      • Certificate file (required) - The public certificate (PEM format)
      • Private key file (required) - The private key (PEM format)
      • Private key passphrase (optional, default: empty) - The password for the Private key file, if it is password-protected.


  • Import Signed Certificate (CSR)
    • This option is enabled only when you have a pending Certificate Signing Request (CSR).
    • Import the signed certificate only after the CSR has been signed by your Certificate Authority (CA).
    • This option opens the Install Signed Certificate dialog, which lets you upload the signed certificate.
    • The new certificate details replace the previous ones and are displayed in the SSL Certificate section.

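The following is an added example, not Axonius code. It reproduces with openssl the CSR that the Generate CSR option describes (RSA 4096, SHA256, the default subject fields, and the keyUsage, subjectAltName and basicConstraints extensions with the Domain name always in the SAN), and it checks a signed certificate against the rules above (constraints copied by the CA, SAN matching the CN, key matching the certificate, lifespan not over 398 days) before it is imported. Domain names and file paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not Axonius code: builds the CSR that "Generate CSR" describes
# (RSA-4096, SHA-256, keyUsage/subjectAltName/basicConstraints, Domain name in
# the SAN) and gates a signed certificate before import. Paths/names constructed.
set -eu

# $1=domain  $2=semicolon-separated alternative DNS names (may be empty)  $3=config out
write_csr_config() {
  san="DNS:$1"                                   # Domain name is always a SAN
  if [ -n "$2" ]; then san="$san,$(printf 'DNS:%s' "$2" | sed 's/;/,DNS:/g')"; fi
  cat >"$3" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $1
O = Internet Widgits Pty Ltd
ST = Some-State
C = AU
[ext]
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
subjectAltName = $san
basicConstraints = CA:FALSE
EOF
}

# $1=domain $2=alt names $3=key out $4=csr out; config kept as $4.cfg for the CA
generate_csr() {
  write_csr_config "$1" "$2" "$4.cfg"
  openssl req -new -newkey rsa:4096 -nodes -sha256 -config "$4.cfg" \
    -keyout "$3" -out "$4" 2>/dev/null
}

# Checks a signed certificate against the page's rules; $1=cert.pem $2=key.pem
check_signed_cert() {
  cn=$(openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | grep -qF "DNS:$cn" \
    || { echo "FAIL: SAN does not contain CN $cn"; return 1; }
  openssl x509 -in "$1" -noout -ext basicConstraints 2>/dev/null | grep -q 'CA:FALSE' \
    || { echo "FAIL: basicConstraints CA:FALSE not copied by the CA"; return 1; }
  openssl x509 -in "$1" -noout -ext keyUsage 2>/dev/null | grep -q 'Digital Signature' \
    || { echo "FAIL: keyUsage not copied by the CA"; return 1; }
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ] \
    || { echo "FAIL: private key does not match the certificate"; return 1; }
  # Browsers reject lifespans over 398 days; remaining validity is the stand-in here.
  if openssl x509 -in "$1" -noout -checkend $((398 * 86400)) >/dev/null; then
    echo "FAIL: certificate valid for more than 398 days"; return 1
  fi
  echo "OK: $cn"
}
```

A CA that copies the extensions can reuse the saved config with `openssl x509 -req -extfile req.csr.cfg -extensions ext`; running `check_signed_cert` on the result before import catches the missing-constraint and lifespan failures the notes describe.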

  • Restore to System Default
    • This option restores the Axonius default self-signed SSL certificate, which is presented when accessing the Axonius GUI. The certificate details are displayed in the SSL Certificate section.

Once you click Restore to System Default, the certificate settings in the web server are reloaded without any downtime.
