X.509 Certificate
X.509 Certificates are digital documents used to verify digital signatures and establish trusted identity in secure communications with UDMG. A certificate follows the X.509 standard and binds an identity (a hostname, an organization, or an individual) to a public key. The certificate must be signed by a certificate authority (CA) and supplied in PEM format.
The X.509 Certificate credential type is used in two places: in the configuration of User and Account Single Sign-On (SSO) providers that use the SAML protocol (Use Case 1), and in the Remote AS2 Server Endpoint, where certificates verify signatures and encrypt outbound AS2 messages (Use Cases 2 and 3). For SSO, the credential must carry a signature from a trusted CA and is used to verify the digital signature on the SAML response returned by the Identity Provider.
X.509 Certificates used in AS2 play the same role as the Public Keys and Private Keys used for SFTP: the certificate carries the public half of a key pair, and the matching Private Key credential holds the private half.
Use Case
| # | Use Case | Referenced By | Purpose |
|---|---|---|---|
| 1 | SSO - SAML Response Verification | Domain - SSO provider with SAML protocol | Verifies the SAML response signature and authenticates the Identity Provider (Users and Accounts). |
| 2 | AS2 Remote Server Encryption and Signature - Local | Remote AS2 Server Endpoint | Your own public certificate, embedded in outbound signatures and shared with your AS2 partner so they can verify them. |
| 3 | AS2 Remote Server Encryption and Signature - Partner | Remote AS2 Server Endpoint | Provided by your partner; encrypts outbound AS2 messages and verifies your partner's signed MDN responses. |
SSO - SAML Response Verification
When UDMG processes a SAML login flow (Users and Accounts), the Identity Provider returns a SAML response that carries a digital signature. UDMG uses the X.509 Certificate credential, which stores the certificate (public key) obtained from the Identity Provider, to validate that signature and confirm that the response originated from the trusted Identity Provider and was not tampered with in transit. If the signature is valid, UDMG creates a local session for the User and grants access to the UDMG Admin UI.
Implementation
- The Identity Provider administrator generates the X.509 certificate used to sign SAML responses (must be in PEM format) outside of UDMG and shares it with your organization.
- A new Credential (with Type: X509 Certificate) is added on the Credentials page with the certificate content from Step 1.
- A new or existing SSO provider configuration (with Protocol: SAML) for Users or Accounts is updated to reference this Credential.
- When an SSO User or Account login occurs, UDMG uses the stored certificate to verify the signature on the SAML response before granting access.
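The steps above assume the PEM pasted into the credential really is the certificate the Identity Provider signs with. The following check, added here as an example and not part of UDMG or its documentation, compares the stored PEM against the certificate the IdP itself embeds in its metadata and in every signed SAML response (`<ds:X509Certificate>`, bare base64 of the DER bytes). It also rejects a pasted private key, which a free-text Certificate field would otherwise accept. The certificate bytes, the SAML response fragment and the private-key block are constructed placeholders; function names are the example's own.

```python
"""Added example (not UDMG code): confirm that the PEM about to be stored in an
X.509 Certificate credential is the certificate the Identity Provider actually
signs with, by comparing SHA-256 fingerprints against the certificate carried in
the IdP's SAML response/metadata. A mismatch is the first thing to rule out when
SAML logins fail with a signature error."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def pem_to_der(pem):
    """Tolerate CRLF, indentation and stray blank lines as pasted from a mail or
    ticket, but insist on a CERTIFICATE block (not PRIVATE KEY, CERTIFICATE
    REQUEST, ...). Only the first block is read: paste the signing certificate
    itself, not a chain."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if m is None:
        raise ValueError("no PEM armour found")
    if m.group(1) != "CERTIFICATE":
        raise ValueError(f"expected a CERTIFICATE block, got {m.group(1)}")
    return base64.b64decode(re.sub(r"\s+", "", m.group(2)), validate=True)


def sha256_fingerprint(der):
    """Colon-separated SHA-256 fingerprint, the form shown in UDMG's metadata."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def saml_certificates(xml_text):
    """DER bytes of every ds:X509Certificate in a SAML response or IdP metadata.
    Whitespace inside the element is insignificant and is stripped first."""
    root = ET.fromstring(xml_text)
    return [base64.b64decode(re.sub(r"\s+", "", el.text or ""))
            for el in root.iter(f"{{{DS_NS}}}X509Certificate")]


def credential_matches_idp(stored_pem, xml_text):
    """True when the stored PEM is byte-for-byte one of the certificates the
    IdP embeds; compared via fingerprint so the result is easy to log."""
    want = sha256_fingerprint(pem_to_der(stored_pem))
    return any(sha256_fingerprint(der) == want for der in saml_certificates(xml_text))


# --- constructed sample data (placeholder bytes, not real certificates) -----
SAMPLE_DER = bytes(range(48))          # stands in for the IdP's DER certificate
ROTATED_DER = bytes(range(1, 49))      # stands in for the certificate after a rotation


def sample_stored_pem(der=SAMPLE_DER):
    """The credential as an operator might paste it: indented, CRLF line ends."""
    body = base64.b64encode(der).decode()
    lines = [body[k:k + 64] for k in range(0, len(body), 64)]
    return ("  -----BEGIN CERTIFICATE-----\r\n  " + "\r\n  ".join(lines)
            + "\r\n  -----END CERTIFICATE-----\r\n")


def sample_saml_response(der):
    """A SAML response trimmed to the Signature/KeyInfo part that carries the
    certificate; SignedInfo and SignatureValue are omitted in this sample."""
    b64 = base64.b64encode(der).decode()
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="{DS_NS}" ID="_constructed" Version="2.0">
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>
      {b64[:40]}
      {b64[40:]}
    </ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
</samlp:Response>"""


SAMPLE_PRIVATE_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"  # not a real key

if __name__ == "__main__":
    pem = sample_stored_pem()
    print("current cert:", credential_matches_idp(pem, sample_saml_response(SAMPLE_DER)))   # True
    print("rotated cert:", credential_matches_idp(pem, sample_saml_response(ROTATED_DER)))  # False
    try:
        pem_to_der(SAMPLE_PRIVATE_KEY_PEM)
    except ValueError as exc:
        print("rejected:", exc)
```

A fingerprint match only proves the stored bytes are the IdP's published certificate; it is not signature verification, which UDMG performs on each login. Re-run the check after the IdP rotates its signing certificate, since the old value will stop matching.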
AS2 Remote Server Encryption and Signature - Local
Each Remote AS2 Server Endpoint requires a public X.509 Certificate whose public key matches the Private Key credential that the Endpoint also requires. UDMG embeds the certificate in the signature of outbound AS2 messages, and you should share it with your AS2 partner so they can verify your signatures.
Implementation
- An X.509 certificate and its matching private key are generated outside of UDMG (e.g., by your organization). Only the public certificate is entered here; the private key is stored separately as the Private Key required by the Endpoint.
- A new Credential (Credential Type: X509 Certificate) is created on the Credentials page with the public certificate from Step 1.
- A new or existing Remote AS2 Server Endpoint can now reference this Credential from the Credentials Name (Local X.509 Certificate) field.
- UDMG embeds this certificate in signed messages, allowing partners to validate signatures.
AS2 Remote Server Encryption and Signature - Partner
Each Remote AS2 Server Endpoint also requires a second X.509 Certificate credential that holds your partner's public certificate. UDMG uses it to encrypt outbound AS2 messages and to verify your partner's signed MDN responses (if they sign them). The certificate must correspond to the Private Key held by your partner.
Implementation
- Obtain the public X.509 certificate from your AS2 trading partner.
- A new Credential (Credential Type: X509 Certificate) is created on the Credentials page with the partner's public certificate.
- A new or existing Remote AS2 Server Endpoint can now reference this Credential from the Encryption Certificate Name field.
- UDMG uses this certificate to encrypt outbound AS2 messages sent to the partner and to verify the signatures on the partner's MDN responses.
Adding an X.509 Certificate
To add an X.509 Certificate, follow these steps:
- From the Sidebar, click Configuration > Credentials.
- Click Add Credential.
- Select X509 Certificate as the Credential Type.
- Enter an identifying Name and Description, and Valid From and Valid To dates.
- Enter or paste the PEM-encoded certificate in the Certificate field.
- Click Add.
Each X.509 Certificate must be properly created before it can be referenced by other Configuration Items.
Field Descriptions
The following table lists all fields that can be completed when adding (or editing) an X.509 Certificate:
| Name | Description | Specifications | Required |
|---|---|---|---|
| Type | Type of Credential. Select: X509 Certificate. | Cannot be modified after creation. | Yes |
| Name | The name of the X509 Certificate. | | Yes |
| Description | The description of the X509 Certificate. | | No |
| Valid From | Date when the Credential becomes valid. | Cannot be later than Valid To date. | Yes |
| Valid To | Date when the Credential becomes invalid. Note: UDMG does not use or check the dates provided; they are recorded only to help Users keep track of expiration dates, so certificate expiry must be monitored separately. | Cannot be earlier than Valid From date. | Yes |
| Certificate | The certificate content: the Identity Provider's certificate for SSO, or the local or partner certificate for AS2. | Must be in PEM format. | Yes |
Editing an X.509 Certificate
To edit an X.509 Certificate, follow these steps:
- From the Sidebar, select Configuration > Credentials.
- Click the Credential Name you want to edit.
- Click the Edit button above the Credentials details to edit the specific fields.
- Edit details for the Credentials, using the Field Descriptions above as a guide.
- Click Update.
Managing X.509 Certificates
Viewing X.509 Certificate Details
To view the details of an X.509 Certificate, follow these steps:
- From the Sidebar, click Configuration > Credentials.
- Click the Name of the X.509 Certificate you want to view. You will see a table with the Credential details.
X.509 Certificate Metadata
X.509 Certificate details include all parameters given in the Field Descriptions table above, plus the following read-only metadata:
| Name | Description |
|---|---|
| UUID | Universally Unique Identifier of this X509 Certificate. |
| Enabled | Credentials Enabled status. If enabled, field is set to True. |
| Version | Version number of the latest configuration of the Credential. Every change increases the number. |
| Created | Date and time this X509 Certificate was created. |
| Updated | Date and time this X509 Certificate was last updated. |
| Signature Algorithm | The cryptographic method (digital signature algorithm) used to sign the certificate (e.g., SHA256-RSA). |
| Algorithm | The cryptographic method (public key algorithm) used to generate the key (RSA, DSA, or ECC). |
| Bits | The key length that determines its strength against brute force attacks. |
| Version | The X.509 certificate format version (typically v3), which determines the supported fields and extensions. Distinct from the Credential Version above. |
| Serial Number | A unique identifier assigned by the issuing Certificate Authority to distinguish this certificate from others it has issued. |
| Subject | The entity (organization, domain, or individual) that owns this certificate and whose identity it represents. |
| Issuer | The Certificate Authority (CA) that signed and issued this certificate, vouching for the subject's identity. |
| Not Before | The start date of the certificate's validity period. |
| Not After | The expiration date of the certificate's validity period. |
| Is CA | Indicates whether this certificate is a Certificate Authority (CA) certificate, which can be used to sign and issue other certificates. |
| Fingerprint (MD5) | A legacy hash checksum identifying the certificate. MD5 is collision-prone and is shown for compatibility with older tooling only; do not use it to confirm identity. |
| Fingerprint (SHA1) | A hash checksum identifying the certificate. SHA-1 is deprecated for this purpose; prefer the SHA256 value. |
| Fingerprint (SHA256) | The hash to compare, out of band, with the value your partner or Identity Provider publishes before trusting the certificate. |
Enabling and Disabling X.509 Certificates
X.509 Certificates can be Enabled or Disabled to control whether the configuration items that reference them (SSO providers and Remote AS2 Server Endpoints) can use them. The status defaults to Enabled and can be changed after creation.
- Enabled (default): The X.509 Certificate is active and available for use.
- Disabled: The X.509 Certificate is not active and unavailable for use.
To enable or disable an X.509 Certificate, follow these steps:
- From the Sidebar, click Configuration > Credentials.
- Click the Name of the X.509 Certificate you want to enable/disable.
- Click the Enable or Disable button above the X.509 Certificate details, depending on the current status.
Deleting an X.509 Certificate
To delete an X.509 Certificate, follow these steps:
- From the Sidebar, click Configuration > Credentials.
- Click the Name of the Credential you want to delete.
- Click the Delete button above the Credential details.
- You will be asked to confirm the deletion. Click Delete.
If an X509 Certificate is currently assigned to an SSO provider, it cannot be deleted. You must first remove the X509 Certificate from the SSO provider, then return to the Credentials page to delete it.