Certificate Settings
- Updated on 10 Oct 2022
- 4 Minutes to read
The Certificate Settings tab is where certificate-related settings are configured.
To open the Certificate Settings, click from the top right corner of all pages. The System Settings page opens. Then, click the Certificate Settings tab.
The Certificate Settings tab consists of the following sections:
SSL Certificate
This section displays details about the current SSL certificate that is presented when accessing the Axonius GUI. The default certificate is the Axonius self-signed SSL certificate. The following details are shown in this section:
- Issued to
- Alternative Names (if configured)
- Issued by
- SHA1 fingerprint
- Expires on
Certificate Signing Request (CSR)
This section displays the Certificate Signing Request (CSR) details:
- If there is no pending CSR, "None" is displayed.
- If there is a pending CSR, this section lets you perform the following actions:
  - Download CSR - Download the CSR that is currently pending.
  - Cancel Pending Request - Cancel the current CSR request.
To create a CSR, click the Generate CSR option in the Certificate Actions menu.
Certificate Actions are not applicable for Axonius-hosted (SaaS) customers.
The CSR remains in pending state until you sign it with a Certificate Authority (CA) and then upload the signed certificate using the Import Signed Certificate (CSR) option in the Certificate Actions menu. A certificate signing request should have a SAN (Alternative Names) value that matches the CN (Domain Name).
IP Addresses are not supported as a Subject Alternative Name when using the "Generate CSR" option within the Axonius UI. Customers must generate their own certificate if an IP address is needed as a SAN.
SSL Trust & CA Settings
- Use Custom CA certificate (required, default: switched off) - Select whether to upload Certificate Authority (CA) certificate files that are used when Verify SSL is enabled for an adapter connection. The CA certificates provided here are used together with the Mozilla CA Certificate List to verify that the certificate presented by the host defined in the adapter connection is valid.
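As an added illustration of this setting (a Go example written for this page, not Axonius code), the trust store is the system root bundle with the customer's CA PEM appended, and the adapter host's certificate has to chain to that store and carry the configured hostname. Go's x509.SystemCertPool reads the operating-system bundle rather than Mozilla's list directly; treating it as the equivalent is an assumption of the example. The internal CA, the leaf certificate it issues and the example.internal hostnames are constructed fixtures.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// TrustStore models the "Use Custom CA certificate" switch: the system root bundle
// (the OS copy of the Mozilla list on most Linux hosts) plus customer CA PEM files.
func TrustStore(customCAPEM ...[]byte) *x509.CertPool {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool() // no system bundle on this host: custom CAs only
	}
	for _, p := range customCAPEM {
		if !pool.AppendCertsFromPEM(p) {
			fmt.Println("warning: a custom CA file contained no usable certificate")
		}
	}
	return pool
}

// VerifyAdapterHost is what "Verify SSL" on an adapter connection amounts to: the
// presented leaf must chain to a trusted root and be valid for the configured hostname.
func VerifyAdapterHost(leafPEM []byte, hostname string, roots *x509.CertPool) error {
	block, _ := pem.Decode(leafPEM)
	if block == nil {
		return fmt.Errorf("no certificate found in PEM input")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname})
	return err
}

// PrivateCAAndLeaf builds constructed fixtures: an internal CA that is in no public
// bundle, and a server certificate it issued for hostname.
func PrivateCAAndLeaf(hostname string) (caPEM, leafPEM []byte) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Internal Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: hostname}, DNSNames: []string{hostname},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(397 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return toPEM(ca, ca, &caKey.PublicKey, caKey), toPEM(leaf, ca, &leafKey.PublicKey, caKey)
}

// toPEM signs tmpl with signer (parent is the issuer template) and PEM-encodes the result.
func toPEM(tmpl, parent *x509.Certificate, pub interface{}, signer *ecdsa.PrivateKey) []byte {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	caPEM, leafPEM := PrivateCAAndLeaf("adapter.example.internal")
	fmt.Println("custom CA loaded:", VerifyAdapterHost(leafPEM, "adapter.example.internal", TrustStore(caPEM)))
	fmt.Println("system roots only:", VerifyAdapterHost(leafPEM, "adapter.example.internal", TrustStore()))
}
```

With the customer CA appended the adapter host verifies; against the system roots alone the same certificate fails with an unknown-authority error, which is the failure an operator sees when Verify SSL is on and the switch is left off.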
Mutual TLS Settings
Mutual TLS is a common security practice that uses client TLS certificates to provide an additional layer of protection, allowing the client's identity to be cryptographically verified.
For more details, see Mutual TLS.
Certificate Actions
Certificate Actions are not applicable for Axonius-hosted (SaaS) customers.
The Certificate Actions menu is located at the top right of this section. Clicking Certificate Actions shows the following options:
- Generate CSR
  - This option generates a private key, which is stored internally in Axonius, and then opens the Create Certificate Signing Request modal, where you specify the Certificate Signing Request (CSR) details needed to create the CSR.
  - Once the CSR is created it is in pending state and is shown in the Certificate Signing Request (CSR) section, where it can be downloaded.
  - You can specify the following CSR details:
    - Domain name (required) - The domain name must match the domain name of the Axonius instance for the certificate to be validated. The domain name can contain wildcards.
    - Alternative Names (optional, default: empty) - Semicolon-separated values of either alternative IP addresses or alternative DNS names. The Domain name is always included as a subject alternative name.
    - Organization (optional, default: Internet Widgits Pty Ltd) - The organization or company name.
    - Organization Unit (optional, default: empty) - The department.
    - City/Location (optional, default: empty) - The city.
    - State/Province (optional, default: Some-State) - The state.
    - Country (optional, default: AU) - The country must be exactly two letters representing the country. For a list of Country Codes.
    - Email (optional, default: empty) - The email address.
  - Private key characteristics - the private key is generated using:
    - Key exchange algorithm - RSA
    - Key size - 4096
    - Hashing algorithm - SHA256
  - The generated CSR does not contain the expiration of the certificate; you must set the expiration while signing the CSR with your CA. Note that since July 2020, Chrome and Firefox do not accept certificates with a TLS certificate lifespan longer than 398 days.
  - The generated CSR contains constraints. The signing CA should copy these constraints into the signed certificate; not copying them may result in the browser not validating the certificate. The following constraints are used:
    - keyUsage (Digital Signature, Non Repudiation, Key Encipherment)
    - subjectAltName - contains the domain name (Chrome requires it in order to validate the certificate)
    - basicConstraints - CA:FALSE
- Import Certificate and Private Key
  - This option enables you to import a certificate (public key) and private key (with an optional passphrase) to replace the existing SSL certificate presented when accessing the Axonius GUI.
  - The imported certificate details are displayed in the SSL Certificate section.
  - The Import Certificate and Private Key modal requires you to specify the following fields:
    - Domain Name (required) - The hostname of the certificate. This must match a value defined in the certificate's Common Name or Subject Alternative Name.
    - Certificate file (required) - The public certificate (PEM format).
    - Private key file (required) - The private key (PEM format).
    - Private key passphrase (optional, default: empty) - The password for the private key file, if it is password-protected.
- Import Signed Certificate (CSR)
  - This option is enabled only when you have a pending Certificate Signing Request (CSR).
  - Import the signed CSR only after you have signed the CSR with your Certificate Authority (CA).
  - This option opens the Installed Signed Certificate modal, which lets you upload the signed CSR.
  - The new certificate replaces the existing one, and its details are displayed in the SSL Certificate section.
- Restore to System Default
  - This option restores the Axonius default self-signed SSL certificate, which is presented when accessing the Axonius GUI. The certificate details are displayed in the SSL Certificate section.
Once you click Save, the certificate settings are reloaded in the web server without any downtime.
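The Generate CSR, CA signing and Import Certificate and Private Key steps described above, as one added Go example that is not Axonius code: it builds a CSR with the form's default subject values and the three listed constraints, plays a CA that either copies or drops them, and runs the checks the import form implies (Domain Name against CN/SAN, the constraints, the 398-day lifespan, and whether the key file belongs to the certificate) before anything is uploaded. Assumed for the example: a 2048-bit key instead of the 4096 Axonius generates (to keep it fast), a throwaway self-issued CA, the example.internal hostnames, and the finding codes PreImportCheck returns.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// constraintExtensions encodes the page's two constraints as raw DER extensions:
// keyUsage (digitalSignature, nonRepudiation, keyEncipherment) and basicConstraints CA:FALSE.
func constraintExtensions() []pkix.Extension {
	ku, _ := asn1.Marshal(asn1.BitString{Bytes: []byte{0xE0}, BitLength: 3}) // bits 0, 1, 2 set
	bc, _ := asn1.Marshal(struct{ IsCA bool `asn1:"optional"` }{})            // cA omitted = FALSE
	return []pkix.Extension{
		{Id: asn1.ObjectIdentifier{2, 5, 29, 15}, Critical: true, Value: ku}, // keyUsage
		{Id: asn1.ObjectIdentifier{2, 5, 29, 19}, Critical: true, Value: bc}, // basicConstraints
	}
}

// MakeCSR mirrors Generate CSR: a fresh RSA key (2048 here; Axonius uses 4096), the form's
// default subject values, the domain as CN and first SAN, plus semicolon-separated extra names.
func MakeCSR(domain, altNames string) (*rsa.PrivateKey, []byte, error) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // fails only if the entropy source is broken
	sans := append([]string{domain}, strings.FieldsFunc(altNames, func(r rune) bool { return r == ';' || r == ' ' })...)
	tmpl := x509.CertificateRequest{
		Subject: pkix.Name{CommonName: domain, Organization: []string{"Internet Widgits Pty Ltd"},
			Province: []string{"Some-State"}, Country: []string{"AU"}},
		DNSNames:           sans,
		SignatureAlgorithm: x509.SHA256WithRSA,
		ExtraExtensions:    constraintExtensions(),
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// SignCSR plays the CA with a throwaway P-256 key and a self-issued certificate (a real CA passes
// its own certificate as parent); with copyConstraints the CSR's raw SAN, keyUsage and
// basicConstraints extensions are carried into the certificate, as the page asks the CA to do.
func SignCSR(csrPEM []byte, lifespanDays int, copyConstraints bool) ([]byte, error) {
	block, _ := pem.Decode(csrPEM)
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(now.UnixNano()), Subject: csr.Subject,
		NotBefore: now, NotAfter: now.Add(time.Duration(lifespanDays) * 24 * time.Hour)}
	if copyConstraints {
		tmpl.DNSNames, tmpl.ExtraExtensions = csr.DNSNames, csr.Extensions
	}
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// PreImportCheck runs the checks behind Import Certificate and Private Key and returns short
// finding codes; an empty slice means the certificate and key are acceptable for import.
func PreImportCheck(certPEM []byte, key *rsa.PrivateKey, domain string) ([]string, error) {
	block, _ := pem.Decode(certPEM)
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	var f []string
	check := func(failed bool, code string) {
		if failed {
			f = append(f, code)
		}
	}
	check(cert.VerifyHostname(domain) != nil, "hostname") // Domain Name must match the CN or a SAN
	check(len(cert.DNSNames) == 0 && len(cert.IPAddresses) == 0, "san") // Chrome needs a SAN
	want := x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment | x509.KeyUsageKeyEncipherment
	check(cert.KeyUsage&want != want, "keyUsage")
	check(!cert.BasicConstraintsValid || cert.IsCA, "basicConstraints")
	check(cert.NotAfter.Sub(cert.NotBefore) > 398*24*time.Hour, "lifespan") // Chrome/Firefox limit
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	check(!ok || !pub.Equal(&key.PublicKey), "keyMismatch") // key file does not belong to the cert
	return f, nil
}

func main() {
	key, csr, _ := MakeCSR("axonius.example.internal", "axonius-alt.example.internal")
	good, _ := SignCSR(csr, 397, true)
	bad, _ := SignCSR(csr, 730, false) // the CA dropped the constraints and chose two years
	fmt.Println(PreImportCheck(good, key, "axonius.example.internal"))
	fmt.Println(PreImportCheck(bad, key, "axonius.example.internal"))
}
```

The constrained 397-day certificate produces no findings for either the domain or the alternative name, while the one whose CA dropped the constraints and chose a two-year lifespan is flagged for the missing SAN, keyUsage and basicConstraints and for the lifespan; pairing a good certificate with the wrong key file is reported as keyMismatch only, which is the error an operator would otherwise discover after the upload.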