CA Certificates
CA Certificates are digital credentials used to verify the identity of remote systems by validating the TLS Certificates they present. In USP, CA Certificates play a critical role in two contexts:
- Mutual TLS (mTLS) authentication between the USP Manager and USP Server.
- TLS-based LDAP server validation when LDAP is used as an inbound authentication source.
For more detailed information on CA Certificates beyond what is covered on this page, refer to Certificates.
Before You Begin
CA Certificates in mTLS Authentication
USP uses CA Certificates on both ends of the mTLS connection between the USP Manager and USP Server to ensure that each component can verify the identity of the other.
| Component | Role of CA Certificate | Where It's Added |
|---|---|---|
| USP Manager | Used to confirm that the USP Server's TLS Certificate was signed by a trusted authority. | Selected in the Proxy Server configuration in the USP Admin UI or via the USP REST API. |
| USP Server | Used to confirm that the USP Manager's TLS Certificate was signed by a trusted authority. | Referenced in the web.tls.ca field of the USP Server's .hcl configuration file. |
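The verification each end of this mTLS exchange performs, as an added shell example using the openssl CLI (not part of USP or its documentation): it builds a throwaway CA and two leaf certificates and shows a peer certificate being accepted against the trusted CA and rejected against an unrelated one. All file and CN names (trusted-ca, rogue-ca, usp-server, usp-manager) are constructed for the demo; the same `openssl verify` run is a useful pre-flight check on a PEM CA file before adding it to USP.

```shell
#!/bin/sh
# Added example, not USP code: reproduce the check each side of the
# mTLS connection performs ("was the peer's TLS Certificate signed by
# the CA I trust?") with a constructed CA and two constructed leaf certs.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# gen_ca NAME: self-signed CA certificate NAME.pem with key NAME.key
gen_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}
# gen_leaf NAME CA: leaf certificate NAME.pem signed by CA.pem
gen_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  openssl x509 -req -days 30 -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
    -CAcreateserial -out "$1.pem" >/dev/null 2>&1
}
# is_pem_cert FILE: 0 if FILE parses as a PEM-encoded X.509 certificate
is_pem_cert() {
  openssl x509 -in "$1" -inform PEM -noout >/dev/null 2>&1
}
# is_ca_cert FILE: 0 if FILE carries basicConstraints CA:TRUE, i.e. it is
# really a CA certificate and not a leaf pasted into the CA field by mistake
is_ca_cert() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}
# chains_to_ca CA LEAF: 0 if LEAF was signed by (chains to) CA
chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

gen_ca trusted-ca                # the CA whose certificate USP is given
gen_ca rogue-ca                  # an unrelated CA, to show the check failing
gen_leaf usp-server trusted-ca   # the USP Server's TLS Certificate
gen_leaf usp-manager trusted-ca  # the USP Manager's TLS Certificate

# USP Manager side: the USP Server's certificate against the selected CA
chains_to_ca trusted-ca.pem usp-server.pem && echo "manager -> server: OK"
# USP Server side (web.tls.ca): the USP Manager's certificate against the CA
chains_to_ca trusted-ca.pem usp-manager.pem && echo "server -> manager: OK"
# Wrong CA loaded on either side: verification fails and the peer is rejected
chains_to_ca rogue-ca.pem usp-server.pem || echo "rogue CA: rejected"
```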
CA Certificates in LDAP Server Validation
When a Rule uses LDAP as the Inbound Authentication Source and connects to the LDAP server over SSL/TLS, a CA Certificate is used to validate the LDAP server's identity.
| Component | Role of CA Certificate | Where It's Added |
|---|---|---|
| USP Server | Used to confirm that the LDAP server's TLS Certificate was signed by a trusted authority. | Configured in the LDAP Connection referenced by the Rule. |
CA Certificate Administration via USP Admin UI
Adding a CA Certificate
To add a CA Certificate, follow these steps:
- From the Sidebar, click Authentication > Certificates.
- Click CA Certificates.
- Click Add CA Certificate.
- Complete the details for the new CA Certificate using the Field Descriptions table as a guide.
- Click Save.
Field Descriptions
| Name | Description | Specifications | Required |
|---|---|---|---|
| Name | The name of the CA Certificate. | | Yes |
| Description | The description of the CA Certificate. | | No |
| Certificate | The CA Certificate content. | Must be in PEM format. | Yes |
Editing a CA Certificate
To edit a CA Certificate, follow these steps:
- From the Sidebar, click Authentication > Keys.
- Click CA Certificates.
- Click the Name of the CA Certificate you want to edit.
- Click the Edit button above the CA Certificate details.
- Edit the details of the CA Certificate using the Field Descriptions table as a guide.
- Click Save.
If you modify a CA Certificate that is currently in use by a USP Server instance, the changes will not take effect until you manually apply the updated configuration by pushing it to the server. To apply the changes:
- Navigate to Monitoring > Status.
- Click the Name of the associated USP Server instance.
- Go to the Configuration tab.
- Review the pending changes in the Updated Configuration column.
- If the changes are correct, click Push Configuration.
CA Certificate Metadata
CA Certificate details include all parameters given in the Field Descriptions table above, plus the following read-only metadata:
| Name | Description |
|---|---|
| ID | Universally Unique Identifier of this CA Certificate. |
| Enabled | A Boolean value indicating the status of the CA Certificate. The only possible value is true. |
| Certificate | The CA Certificate content. |
| Created At | Date and time this CA Certificate was created. |
| Updated At | Date and time this CA Certificate was last updated. |
Deleting a CA Certificate
To delete a CA Certificate, follow these steps:
- From the Sidebar, click Authentication > Keys.
- Click CA Certificates.
- Click the Name of the CA Certificate you want to delete.
- Click the Delete button above the CA Certificate details.
- You will be asked to confirm the deletion. Click Delete.
USP Manager prevents deletion of a CA Certificate if it is currently referenced by a Configuration Item.
Additionally, if the CA Certificate is used by a USP Server instance, the updated configuration must be manually applied. To apply the changes:
- Navigate to Monitoring > Status.
- Click the Name of the associated USP Server instance.
- Go to the Configuration tab.
- Review the pending changes in the Candidate Configuration - Preview section.
- If the changes are correct, click Push Configuration.
The changes do not take effect on the server until this step is completed.