User Key Store tab
The User Key Store contains server certificates and self-signed certificates together with their private keys. Each certificate is bound to a public/private key pair that is unique to the platform or station that generated it. The User Key Store serves the server side of a connection: when a client (Workbench, a platform or a station) requests a connection, the server presents one of the certificates held in this store.
If the User Key Store is empty when the server starts, for example on first boot of a new platform or station, the platform or station generates a default self-signed certificate. Because no CA vouches for it, a client must explicitly approve this certificate as an allowed host, which is why the certificate popup so often appears when you open a platform or station. Before approving, compare the certificate shown in the popup with the one listed in the server's User Key Store; approving blindly is trust-on-first-use and would accept an impostor just as readily.
The default self-signed certificate has the same alias (default) in every User Key Store, but each one is unique to its instance and is intended mainly for recovery. You cannot delete the default certificate.
| Column | Description |
|---|---|
| Alias | A short name that distinguishes certificates from one another in the Key Store. This property is required. It may identify the type of certificate (root, intermediate, server), its location or its function. The alias does not have to match anything when the server certificate is compared with the CA certificate in the client's Trust Store. |
| Issued By | The entity that signed the certificate. |
| Subject | The Distinguished Name of the certificate owner, for example the name of the company that owns the certificate. |
| Not Before | The date before which the certificate is not valid. On a server certificate this date should not be earlier than the Not Before date of the CA certificate that signed it. |
| Not After | The expiration date of the certificate. On a server certificate this date should not be later than the Not After date of the CA certificate that signed it. Limiting validity to a year or less forces regular renewal, which keeps certificates aligned with current cryptographic standards and reduces the number of old, neglected certificates that could be stolen and reused for phishing and drive-by malware attacks. Shorter validity periods are better still. |
| Key Algorithm | The public-key algorithm used to generate the certificate's key pair. |
| Key Size | The size of the keys in bits. Four key sizes are allowed: 1024, 2048 (the default), 3072 and 4096 bits. Larger keys take longer to generate but offer greater security. 1024-bit keys are below current minimum recommendations and should not be used for new certificates. |
| Signature Algorithm | The algorithm (hash plus signing algorithm) used to sign the certificate. |
| Signature Size | The size of the signature. For an RSA signature this matches the key size of the signer. |
| Valid | Indicates whether the current date falls within the certificate's Not Before and Not After dates. |
| Self Signed | Indicates that the certificate was signed with its own private key. |
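The checks stated in the column descriptions (Not Before and Not After nested inside the CA's window, validity of a year or less, key size at or above the 2048-bit default, Issued By matching the CA's Subject) are easy to apply to an exported .pem without the Workbench UI. The script below is an added example, not Niagara code: it walks the DER structure with the standard library only, extracts the same fields the table shows, and reports findings for a server certificate against its CA. It assumes RSA keys and sha256WithRSAEncryption (anything else is reported as "other"), determines "self-signed" by name comparison only (it does not verify the signature), and the CA name "Niagara CA", the host "jace-01", the dates and the zero-filled signatures in `build_cert`/`demo` are constructed test data. For a real file, call `inspect(load_pem(open("server.pem").read()))`.

```python
"""Added example, not Niagara code: extract the fields the User Key Store table
shows and apply the checks its column descriptions state (stdlib only)."""
import base64
import datetime as dt

UTC = dt.timezone.utc
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
OID_CN = bytes.fromhex("550403")                      # 2.5.4.3 commonName

def load_pem(text):
    # DER bytes of the first certificate in an exported .pem file
    body = text.split("-----BEGIN CERTIFICATE-----", 1)[1].split("-----END", 1)[0]
    return base64.b64decode("".join(body.split()))

def tlv_at(buf, pos):
    # decode one DER tag-length-value at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long-form length
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + length], pos + length

def children(body):
    # elements of a constructed value as a list of (tag, value)
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = tlv_at(body, pos)
        out.append((tag, val))
    return out

def common_name(name_body):
    # first CN in a Name: SEQUENCE { SET { SEQUENCE { OID, string } } }
    for _, rdn in children(name_body):
        oid, val = children(children(rdn)[0][1])
        if oid[1] == OID_CN:
            return val[1].decode()
    return ""

def inspect(der):
    """The User Key Store columns, extracted from one DER certificate."""
    (_, tbs), (_, sig_alg), (_, sig) = children(tlv_at(der, 0)[1])
    fields = children(tbs)                        # explicit [0] version is optional
    issuer, validity, subject, spki = fields[3:7] if fields[0][0] == 0xA0 else fields[2:6]
    times = [dt.datetime.strptime(v.decode(), "%Y%m%d%H%M%SZ" if tag == 0x18 else "%y%m%d%H%M%SZ")
             .replace(tzinfo=UTC) for tag, v in children(validity[1])]
    pub = children(spki[1])[1][1][1:]             # BIT STRING minus unused-bits byte
    modulus = children(children(pub)[0][1])[0][1]
    return {
        "issued_by": common_name(issuer[1]),
        "subject": common_name(subject[1]),
        "not_before": times[0],
        "not_after": times[1],
        "key_size": int.from_bytes(modulus, "big").bit_length(),
        "signature_algorithm": "SHA256withRSA" if children(sig_alg)[0][1] == OID_SHA256_RSA else "other",
        "signature_size": (len(sig) - 1) * 8,
        "self_signed": issuer[1] == subject[1],   # name match only; no signature check here
    }

def audit(server, ca, max_days=365):
    """Findings for a server certificate against its CA, per the table's rules."""
    rules = [
        (server["not_before"] < ca["not_before"], "Not Before precedes the CA's Not Before"),
        (server["not_after"] > ca["not_after"], "Not After exceeds the CA's Not After"),
        ((server["not_after"] - server["not_before"]).days > max_days, f"validity longer than {max_days} days"),
        (server["key_size"] < 2048, f"{server['key_size']}-bit key is below the 2048-bit default"),
        (server["issued_by"] != ca["subject"], "Issued By does not match the CA's Subject"),
    ]
    return [msg for hit, msg in rules if hit]

# Constructed test data: a minimal DER encoder; signatures are zero-filled dummies.
def tlv(tag, body):
    n = len(body)
    nb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (nb if n < 0x80 else bytes([0x80 | len(nb)]) + nb) + body

def der_int(v):
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def der_name(cn):
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, OID_CN) + tlv(0x0C, cn.encode()))))

def build_cert(subject, issuer, not_before, not_after, key_bits):
    alg = tlv(0x30, tlv(0x06, OID_SHA256_RSA) + tlv(0x05, b""))
    utc = lambda t: tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    modulus = (1 << (key_bits - 1)) | 0x10001     # dummy modulus of exactly key_bits
    pub = tlv(0x30, der_int(modulus) + der_int(65537))
    rsa_oid = tlv(0x06, bytes.fromhex("2a864886f70d010101"))   # 1.2.840.113549.1.1.1
    spki = tlv(0x30, tlv(0x30, rsa_oid + tlv(0x05, b"")) + tlv(0x03, b"\x00" + pub))
    tbs = tlv(0x30, tlv(0xA0, der_int(2)) + der_int(1) + alg + der_name(issuer)
              + tlv(0x30, utc(not_before) + utc(not_after)) + der_name(subject) + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + bytes(key_bits // 8)))

def demo():
    """Constructed CA plus one weak and one acceptable server certificate."""
    d = lambda y, m, day: dt.datetime(y, m, day, tzinfo=UTC)
    ca = inspect(build_cert("Niagara CA", "Niagara CA", d(2024, 1, 1), d(2034, 1, 1), 4096))
    weak = inspect(build_cert("jace-01", "Niagara CA", d(2024, 6, 1), d(2035, 1, 1), 1024))
    good = inspect(build_cert("jace-01", "Niagara CA", d(2024, 6, 1), d(2025, 6, 1), 2048))
    return ca, audit(weak, ca), audit(good, ca)
```

The weak server certificate in `demo` trips three rules (Not After beyond the CA's, validity longer than a year, 1024-bit key); the second server certificate, issued for exactly one year with a 2048-bit key, produces no findings. The self-signed flag is decided by comparing the raw issuer and subject names, which is what the column shows but not proof that the key actually signed the certificate; verifying the signature needs a crypto library and is deliberately left out here.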
User Key Store buttons
- View displays details for the selected certificate.
- New generates a new key pair and self-signed certificate in the User Key Store.
- Cert Request opens the Certificate Request window, which creates a Certificate Signing Request (CSR) for the selected certificate's key pair so that a CA can sign it.
- Delete removes the selected certificate and its private key from the User Key Store.
- Import adds a certificate from a file to the User Key Store.
- Export saves a copy of the selected certificate to disk. For certificates, the file extension is .pem. If the export includes the private key, protect the file as you would a password: anyone who obtains it can impersonate the server.
- Reset deletes all certificates in the User Key Store and creates a new default certificate. It does not matter which certificate is selected when you click Reset.
CAUTION: Do not reset without considering the consequences. Reset creates a new key pair (private and public keys) for the entity, but it may break connections that rely on the certificates currently in use, and any CA-signed certificates in the store are deleted with it. Export all certificates before you reset.