TLS Certificate Pair
The TLS Certificate Pair credential type stores a public X.509 Certificate combined with its corresponding Private Key, used to provide a TLS identity for UDMG servers and to support certificate-based encryption and signing.
A TLS Certificate Pair consists of:
- Public X.509 Certificate: The certificate that identifies UDMG to remote clients. This may optionally include intermediate CA certificates and is presented during TLS handshakes or shared with partners so they can encrypt messages to UDMG and verify digital signatures.
- PEM-encoded Private Key: The private key that matches the public key in the X.509 certificate, stored in PEM format. UDMG uses this key to prove ownership of the certificate, decrypt inbound data, and sign outbound messages.
UDMG supports several key types and verifies that each key is correctly formatted when it is saved. TLS Certificate Pairs are stored securely: their values are masked in the UDMG Admin UI and can only be retrieved through the API.
Use Cases
| # | Use Case | Referenced By | Purpose |
|---|---|---|---|
| 1 | Local AS2 Server HTTPS/TLS Identity | Local AS2 Server Endpoint | Presents the Local AS2 Server's certificate and private key for HTTPS/TLS connections, establishing the server's identity and securing the transport channel (standard TLS, independent of AS2 message-level encryption). |
| 2 | Local AS2 Server Message Decryption and Signing | Local AS2 Server Endpoint | Used at the AS2 application layer to decrypt inbound AS2 messages and sign asynchronous MDNs. A copy of the public certificate should be shared with your AS2 partner so they can encrypt messages sent to you and validate your signatures. |
| 3 | Local FTPS Server TLS Identity | Local FTP Server Endpoint | Presents the Local FTPS Server's certificate and private key for FTPS connections, allowing clients to verify the server's identity and establish a secure TLS channel. |
Local AS2 Server HTTPS/TLS Identity
Each Local AS2 Server Endpoint that accepts HTTPS connections requires a TLS Certificate Pair, which provides the server's TLS identity. This credential is used during the HTTPS/TLS handshake so that AS2 partners can verify the Local AS2 Server's identity and establish a secure transport channel.
Implementation
- A TLS Certificate with the hostname used by your Local AS2 Server is generated outside of UDMG (e.g., by your organization).
- A new Credential (Credential Type: TLS Certificate Pair) is created on the Credentials page with the public certificate and private key from the previous step.
- A new or existing Local AS2 Server Endpoint references this Credential in its Credentials Name (HTTPS TLS Certificate Pair) field.
- UDMG presents the configured TLS Certificate Pair during the TLS handshake, allowing the client to authenticate the server and negotiate an encrypted channel.
Local AS2 Server Message Decryption and Signing
Each Local AS2 Server Endpoint that processes encrypted or signed AS2 messages requires a TLS Certificate Pair to perform AS2 application-level cryptography. This certificate and its corresponding private key are used to decrypt inbound AS2 messages and to sign asynchronous MDNs sent back to your trading partners. A copy of the public certificate from this pair must be shared with each AS2 partner so they can encrypt messages destined for your Local AS2 Server and verify the signatures on MDNs you return.
Implementation
- A TLS Certificate is generated outside of UDMG (e.g., by your organization). It serves as the Local AS2 Server's AS2 messaging identity; unlike the transport certificate, it is not tied to the server's hostname, because partners use the copy you share with them.
- A new Credential (Credential Type: TLS Certificate Pair) is created on the Credentials page with the public certificate and private key from the previous step.
- A new or existing Local AS2 Server Endpoint references this Credential in its Credentials Name (AS2 TLS Certificate Pair) field.
- When an AS2 partner sends an encrypted AS2 message to the Local AS2 Server, UDMG uses the private key from the configured TLS Certificate Pair to decrypt the inbound payload.
- When sending an asynchronous MDN, UDMG uses the same private key to sign the MDN, so that the partner can verify its authenticity using the shared public certificate.
This AS2-level encryption and signing is performed independently of the underlying HTTPS/TLS transport, and it is configured through a separate TLS Certificate Pair reference from the one that provides the server's transport identity.
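The key roles described above, as an added Go example that is not UDMG's code: the trading partner encrypts a payload to the public key taken from the Local AS2 Server's shared certificate, the server decrypts it with the private key from the TLS Certificate Pair, signs an MDN with the same private key, and the partner verifies that signature with the certificate's public key. AS2 carries this as S/MIME CMS EnvelopedData and SignedData structures, which the Go standard library does not implement, so this example uses RSA-OAEP key wrapping with AES-256-GCM and RSA-PSS from the standard library instead; it shows which key does what, and the two failure modes (wrong private key, altered MDN), not the AS2 wire format. The key pair is generated in the example (NewServerKey); in practice the partner extracts the public key from the X.509 certificate you share. The payload and MDN strings are constructed sample data.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is a simplified stand-in for the CMS EnvelopedData that AS2 carries: the
// payload under a fresh AES-256-GCM content key, and that key wrapped with RSA-OAEP
// to the public key in the Local AS2 Server's certificate.
type Envelope struct {
	WrappedKey, Nonce, Ciphertext []byte
}

// NewServerKey stands in for the private key inside the endpoint's TLS Certificate
// Pair; in practice the partner takes the public half from the shared X.509 certificate.
func NewServerKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// PartnerEncrypt is the trading partner's side: encrypt a message so that only the
// holder of the certificate's private key can read it.
func PartnerEncrypt(serverPub *rsa.PublicKey, payload []byte) (*Envelope, error) {
	contentKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, contentKey); err != nil {
		return nil, err
	}
	aead, err := gcmFor(contentKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, contentKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, payload, nil)}, nil
}

// ServerDecrypt is the Local AS2 Server's side: unwrap the content key with the
// private key from the TLS Certificate Pair, then open the payload.
func ServerDecrypt(serverPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap content key (wrong private key?): %w", err)
	}
	aead, err := gcmFor(contentKey)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// ServerSignMDN signs the MDN with the same private key (RSA-PSS over SHA-256).
func ServerSignMDN(serverPriv *rsa.PrivateKey, mdn []byte) ([]byte, error) {
	digest := sha256.Sum256(mdn)
	return rsa.SignPSS(rand.Reader, serverPriv, crypto.SHA256, digest[:], nil)
}

// PartnerVerifyMDN checks the MDN signature with the public key from the shared certificate.
func PartnerVerifyMDN(serverPub *rsa.PublicKey, mdn, sig []byte) error {
	digest := sha256.Sum256(mdn)
	if rsa.VerifyPSS(serverPub, crypto.SHA256, digest[:], sig, nil) != nil {
		return errors.New("MDN signature invalid: altered, or not signed by the Local AS2 Server's key")
	}
	return nil
}

func main() {
	serverKey := NewServerKey()
	payload := []byte("AS2 payload: purchase order PO-0001") // constructed sample message
	env, err := PartnerEncrypt(&serverKey.PublicKey, payload)
	if err != nil {
		panic(err)
	}
	plain, err := ServerDecrypt(serverKey, env)
	if err != nil {
		panic(err)
	}
	mdn := []byte("MDN: PO-0001 received, MIC matched") // constructed sample MDN
	sig, _ := ServerSignMDN(serverKey, mdn)
	fmt.Printf("decrypted: %s\nMDN verifies: %v\n", plain, PartnerVerifyMDN(&serverKey.PublicKey, mdn, sig) == nil)
}
```

Nothing in this exchange touches the HTTPS/TLS session: swapping the transport certificate does not change which key a partner must hold to decrypt your messages or verify your MDNs, which is why the two roles are configured through separate fields.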
Local FTPS Server TLS Identity
Each Local FTP Server Endpoint (with Encryption Mode set to Implicit or Explicit) that accepts FTPS connections requires a TLS Certificate Pair, which provides the server's TLS identity. This credential is presented during the TLS handshake so that FTPS clients can verify the Local FTPS Server's identity and establish an encrypted control and data channel.
Implementation
- A TLS Certificate with the hostname used by your Local FTPS Server is generated outside of UDMG (e.g., by your organization).
- A new Credential (Credential Type: TLS Certificate Pair) is created on the Credentials page with the public certificate and private key from the previous step.
- A new or existing Local FTP Server Endpoint references this Credential in its Credentials Name (TLS Certificate Pair) field.
- When an FTPS client connects, UDMG presents the configured TLS Certificate Pair during the TLS handshake, allowing the client to authenticate the server and negotiate an encrypted channel for FTP commands and data transfers.
Adding a TLS Certificate Pair
To add a TLS Certificate Pair, follow these steps:
- From the Sidebar, click Configuration > Credentials.
- Click Add Credential.
- Select TLS Certificate Pair as the Credential Type.
- Enter an identifying Name and Description, and Valid From and Valid To dates.
- Paste the PEM-encoded certificate (the server certificate first, followed by any intermediate CA certificates, in the conventional PEM chain order) into the Certificate field, and the matching PEM-encoded private key into the Private Key field.
- Click Add.
Each TLS Certificate Pair must be properly created before it can be referenced by other Configuration Items. UDMG validates that the certificate and private key are correctly formatted, but not that they are suitable for their intended use (for example, that the certificate covers the endpoint's hostname, or that its key usage extensions permit TLS server authentication or AS2 encryption and signing); check this before uploading.
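Because UDMG only validates the format of what is pasted, the checks below are worth running before creating the credential. This is an added Go example, not UDMG's own code: it builds a constructed root -> intermediate -> leaf chain for an assumed hostname (as2.example.test), then runs the checks that a client effectively performs during the TLS handshake described in the Local AS2 Server HTTPS/TLS Identity and Local FTPS Server TLS Identity sections: the private key matches the first certificate, the chain builds through the bundled intermediate to the root the client trusts, the certificate is currently valid, its Subject Alternative Name covers the hostname, and its Extended Key Usage permits serverAuth. The CA names and the 24-hour validity window are assumptions for the demonstration. To check a real pair, pass the contents of the Certificate and Private Key fields and your CA's root certificate to CheckPair instead of the generated PEM.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Pair: what would be pasted into UDMG (leaf then intermediate; PKCS#8 key) plus the root clients trust.
type Pair struct{ CertPEM, KeyPEM, RootPEM []byte }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func pemBlock(typ string, der []byte) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: typ, Bytes: der})
}

// issue signs tmpl with the parent's key and returns the parsed certificate plus its DER.
func issue(tmpl, parent *x509.Certificate, pub, signer any) (*x509.Certificate, []byte) {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der)), der
}

func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

// IssueChain is constructed test data: a root -> intermediate -> leaf chain for hostname,
// valid for 24 hours (assumed). The leaf key is RSA; ekus sets the leaf's Extended Key Usage.
func IssueChain(hostname string, ekus ...x509.ExtKeyUsage) *Pair {
	rootKey, interKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(rsa.GenerateKey(rand.Reader, 2048))
	rootTmpl := caTemplate("Example Root CA", 1)
	root, rootDER := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	inter, interDER := issue(caTemplate("Example Issuing CA", 2), root, &interKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: hostname}, DNSNames: []string{hostname},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: ekus,
	}
	_, leafDER := issue(leafTmpl, inter, &leafKey.PublicKey, interKey)
	return &Pair{
		CertPEM: append(pemBlock("CERTIFICATE", leafDER), pemBlock("CERTIFICATE", interDER)...),
		KeyPEM:  pemBlock("PRIVATE KEY", must(x509.MarshalPKCS8PrivateKey(leafKey))),
		RootPEM: pemBlock("CERTIFICATE", rootDER),
	}
}

// CheckPair runs the usage checks UDMG does not perform on save: the key must match
// the first certificate, and a client trusting rootPEM must be able to verify that
// certificate for hostname (chain via bundled intermediates, dates, SAN, serverAuth EKU).
func CheckPair(certPEM, keyPEM, rootPEM []byte, hostname string) error {
	kp, err := tls.X509KeyPair(certPEM, keyPEM) // fails if the key does not match the first certificate
	if err != nil {
		return fmt.Errorf("pair rejected: %w", err)
	}
	inters := x509.NewCertPool()
	for _, der := range kp.Certificate[1:] { // intermediates bundled after the leaf (PEM framing already checked)
		inters.AddCert(must(x509.ParseCertificate(der)))
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(rootPEM) {
		return fmt.Errorf("no usable root certificate")
	}
	leaf := must(x509.ParseCertificate(kp.Certificate[0])) // X509KeyPair already parsed this one
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, DNSName: hostname,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	if err != nil {
		return fmt.Errorf("a client would reject this certificate for %q: %w", hostname, err)
	}
	return nil
}

func main() {
	const host = "as2.example.test" // assumed hostname; use your endpoint's FQDN
	good := IssueChain(host, x509.ExtKeyUsageServerAuth)
	fmt.Println("good pair:", CheckPair(good.CertPEM, good.KeyPEM, good.RootPEM, host))
	fmt.Println("wrong hostname:", CheckPair(good.CertPEM, good.KeyPEM, good.RootPEM, "ftp.example.test"))
}
```

The root CA is what the FTPS or AS2 client trusts; it is not part of what you paste into UDMG, but it is needed to confirm that the chain you do paste (server certificate first, then intermediates) actually reaches it. A pair that passes tls.X509KeyPair but fails Verify is exactly the case UDMG would accept on save and clients would then reject at handshake time.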
Field Descriptions
The following table lists all fields that can be completed when adding (or editing) a TLS Certificate Pair:
| Name | Description | Specifications | Required |
|---|---|---|---|
| Type | Type of Credential. Select: TLS Certificate Pair. | Cannot be modified after creation. | Yes |
| Name | The name of the TLS Certificate Pair. | | Yes |
| Description | The description of the TLS Certificate Pair. | | No |
| Valid From | Date when the Credential becomes valid. | Cannot be later than Valid To date. | Yes |
| Valid To | Date when the Credential becomes invalid. Note: UDMG does not use or check these dates; they are only meant to help Users keep track of expiration dates. The certificate's actual validity period is its Not Before / Not After range, shown in the Credential Metadata. | Cannot be earlier than Valid From date. | Yes |
| Public X.509 Certificate | Public certificate that identifies UDMG to remote clients and partners. May include intermediate CA certificates and must match the corresponding PEM-encoded Private Key. | Values are masked and encrypted after saving. | Yes |
| PEM-encoded Private Key | Private key in PEM format that corresponds to the Public X.509 Certificate. Used by UDMG to prove ownership of the certificate, decrypt inbound data, and sign outbound messages. | Values are masked and encrypted after saving. | Yes |
Editing a TLS Certificate Pair
To edit a Credential, follow these steps:
- From the Sidebar, select Configuration > Credentials.
- Click the Credential Name you want to edit.
- Click the Edit button above the Credentials details to edit the specific fields.
- Edit details for the Credentials using the Field Descriptions table as a guide.
- Click Update.
Managing a TLS Certificate Pair
Viewing TLS Certificate Pair Details
To view the details of a TLS Certificate Pair, follow these steps:
- From the Sidebar, click Configuration > Credentials.
- Click the Name of the Credential you want to view.
- To see the key value, which is not visible after Credential creation, System and Domain Administrators can use the authenticated Reveal API.
Credential Metadata
Credential details include all parameters given in the Field Descriptions table, plus the following read-only metadata:
| Name | Description |
|---|---|
| UUID | Universally Unique Identifier of this TLS Certificate Pair. |
| Enabled | Enabled status of the Credential. Set to True when the Credential is enabled. |
| Version | Version number of the latest configuration of the Credential, including changes to the Enabled status. |
| Created | Date and time this TLS Certificate Pair was created. |
| Updated | Date and time this TLS Certificate Pair was last updated. |
| Certificate - Signature Algorithm | The cryptographic method (digital signature algorithm) used to sign the certificate (e.g., SHA256-RSA). |
| Certificate - Version | The certificate format version (typically v3), which determines the supported fields and extensions. |
| Certificate - Serial Number | A unique identifier assigned by the issuing Certificate Authority to distinguish this certificate from others it has issued. |
| Certificate - Subject | The entity (organization, domain, or individual) that owns this certificate and whose identity it represents. |
| Certificate - Issuer | The Certificate Authority (CA) that signed and issued this certificate, vouching for the subject's identity. |
| Certificate - Not Before | The start date of the certificate's validity period. |
| Certificate - Not After | The expiration date of the certificate's validity period. |
| Certificate - Is CA | Indicates whether this certificate is a Certificate Authority (CA) certificate, which can be used to sign and issue other certificates. |
| Certificate - Public Key Algorithm | The cryptographic method (public key algorithm) used to generate the key (RSA, DSA, or ECC). |
| Key - Algorithm | The cryptographic method used to generate the key (RSA, DSA, or ECC). |
| Key - Key Type | Specifies the format or cryptographic algorithm of the key. |
| Key - Fingerprint (MD5) | A legacy MD5 hash of the key, shown for comparison with tools that still display MD5 fingerprints. MD5 is not collision-resistant, so use the SHA256 fingerprint when confirming that the intended key was uploaded. |
| Key - Fingerprint (SHA256) | A SHA-256 hash that identifies the key; compare it with the fingerprint of the key you intended to upload. |
Enabling and Disabling TLS Certificate Pairs
TLS Certificate Pairs can be Enabled or Disabled to control their active status and their ability to participate in file transfers. The status defaults to Enabled and can be changed after creation.
- Enabled (default): The TLS Certificate Pair is active and available for use.
- Disabled: The TLS Certificate Pair is not active and unavailable for use.
To enable or disable a TLS Certificate Pair, follow these steps:
- From the Sidebar, click Configuration > Credentials.
- Click the Name of the TLS Certificate Pair you want to enable/disable.
- Click the Enable or Disable button above the TLS Certificate Pair details, depending on the current status.
Deleting a TLS Certificate Pair
To delete a TLS Certificate Pair, follow these steps:
- From the Sidebar, click Configuration > Credentials.
- Click the Name of the TLS Certificate Pair you want to delete.
- Click the Delete button above the TLS Certificate Pair details.
- You will be asked to confirm the deletion. Click Delete.
If a Credential is currently assigned to a Configuration Item (Endpoint, Pipeline, Account, or LDAP), then it cannot be deleted. You must first remove the Credential from the specific Configuration Item(s) it is assigned to, then go back to the Credentials page to delete the Credential.