Configuring Certificates
To add new certificates to the crypto configuration, place certificate files under etc/init; the admin node of the server reads them when the server starts. Accepted files are PEM- or DER-encoded X.509 certificates named with the appropriate file extension (.pem, .der, .cer or .crt). Because a certificate is always used for a particular purpose, the directory that contains the certificate file determines how it is imported. When a certificate is imported, its filename without the extension is used as its id.
The following directory structure is used:
| Directory | Certificate Purpose | Imported In |
|---|---|---|
| etc/init/crypto/ssl-server-truststore | A trusted server certificate used when setting up SSL/TLS connections. | /facilities/crypto/ssl/server-truststore |
| etc/init/crypto/signature-verification | A certificate that can be used to verify a digital signature. | /facilities/crypto/signature-verification-keys |
| etc/init/crypto/signer-truststores | An issuer certificate that can be used to verify a digital signature from an upstream authentication provider. | /facilities/crypto/signer-truststores |
Example:
The X.509 certificate stored as etc/init/crypto/ssl-server-truststore/www.example.com.der is imported in /facilities/crypto/ssl/server-truststore with the id www.example.com.
This mechanism only allows adding new certificates or replacing existing ones in the configuration. To delete a certificate from the configuration, see the Server Configuration overview.
The server must be started with the appropriate start-up arguments for it to reload configuration files. For more information, see the Server Configuration overview.
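The following Python script is an added example, not part of the product or its documentation: it previews what the directory mapping above would do with a set of files before the server is restarted, deriving the import location and id the same way the text describes, and flagging two things an operator wants to catch early: a file that is not a PEM/DER structure, and two files in one directory that share an id (since the mechanism can only add or replace, the later one silently replaces the earlier). The DER check is a heuristic envelope check rather than full X.509 parsing, and the sample tree is constructed in memory.

```python
import base64
from pathlib import PurePosixPath
IMPORT_TARGETS = {  # documented subdirectory of etc/init/crypto -> where it is imported
    "ssl-server-truststore": "/facilities/crypto/ssl/server-truststore",
    "signature-verification": "/facilities/crypto/signature-verification-keys",
    "signer-truststores": "/facilities/crypto/signer-truststores",
}
ACCEPTED_EXTENSIONS = {".pem", ".der", ".cer", ".crt"}
PEM_BEGIN, PEM_END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def to_der(data: bytes) -> bytes:
    # PEM is base64 between the BEGIN/END lines; anything else is taken as DER.
    text = data.decode("ascii", errors="ignore")
    if PEM_BEGIN not in text:
        return data
    body = text.split(PEM_BEGIN, 1)[1].split(PEM_END, 1)[0]
    return base64.b64decode("".join(body.split()))

def looks_like_der_certificate(der: bytes) -> bool:
    # Envelope check only, no X.509 parsing: one DER SEQUENCE with a long-form length
    # (real certificates exceed 127 bytes) whose encoded length spans exactly the file.
    if len(der) < 3 or der[0] != 0x30 or der[1] <= 0x80:
        return False
    n = der[1] & 0x7F                                  # number of length octets
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def plan_imports(files: dict) -> dict:
    # files: path relative to etc/init/crypto -> bytes (e.g. gathered with Path.rglob).
    plan, problems, seen = {}, [], {}
    for rel in sorted(files):
        path = PurePosixPath(rel)
        target = IMPORT_TARGETS.get(path.parent.name)
        if target is None or path.suffix.lower() not in ACCEPTED_EXTENSIONS:
            continue                                   # not a certificate file the server reads
        cert_id = path.stem                            # id = filename without its extension
        if (target, cert_id) in seen:                  # two files, one id: one replaces the other
            problems.append(f"{rel}: id {cert_id!r} collides with {seen[target, cert_id]}")
        seen[target, cert_id] = rel
        if looks_like_der_certificate(to_der(files[rel])):
            plan[rel] = (target, cert_id)
        else:
            problems.append(f"{rel}: not a PEM/DER certificate structure")
    return {"plan": plan, "problems": problems}

_DER = b"\x30\x81\x03\x02\x01\x01"  # constructed 6-byte stand-in, not a real certificate
SAMPLE_FILES = {  # constructed sample tree, paths relative to etc/init/crypto
    "ssl-server-truststore/www.example.com.der": _DER,
    "ssl-server-truststore/broken.cer": b"not a certificate",
    "signature-verification/upstream.pem": f"{PEM_BEGIN}\n{base64.b64encode(_DER).decode()}\n{PEM_END}\n".encode(),
    "signature-verification/upstream.crt": _DER,       # same id as upstream.pem
}
```

Running `plan_imports(SAMPLE_FILES)` maps www.example.com.der and both upstream files to their import locations, reports broken.cer as malformed, and reports that upstream.pem and upstream.crt resolve to the same id.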