Certificates
In USP, certificates are essential for securing TLS-based communication between USP components and external systems. Certificates enable identity verification and trust validation during mutual TLS (mTLS) authentication and other TLS-secured interactions.
USP uses two types of certificates:
- TLS Certificates are used by the USP Manager, USP Server, and external services (such as LDAP servers) to present their identity during a TLS handshake.
- CA Certificates are used to validate the TLS Certificates presented by remote systems, ensuring they were issued by a trusted authority.
For information on how to create these certificates, refer to the mTLS Certificates Generation Guide.
How USP Uses Certificates
Certificates are used in two different scenarios:
USP Manager and USP Server mTLS Authentication

To enable secure and authenticated communication, the USP Manager and USP Server components use mutual TLS (mTLS). This process requires each component to have:
- A TLS Certificate to assert the component's identity.
- A private key to prove ownership of the TLS Certificate.
- A CA Certificate to verify the identity of the remote peer.
This mutual validation ensures that only authorized components can establish a secure connection within USP.
USP Manager Side
From the USP Manager perspective, a CA Certificate and a TLS Certificate are selected when adding a Proxy Server:
- CA Certificate: Validates the TLS Certificate presented by the USP Server.
- TLS Certificate: Identifies the USP Manager when it connects to the USP Server.
Before they can be selected in a Proxy Server configuration, CA Certificates and TLS Certificates must be added to the USP Manager repository.
USP Server Side
On the USP Server side, a TLS Certificate, its corresponding private key, and a CA Certificate are configured directly in the USP Server Configuration File:
- web.tls.cert: Path to the TLS Certificate presented by the USP Server.
- web.tls.key: Path to the private key associated with the TLS Certificate.
- web.tls.ca: Path to the CA Certificate used to validate the TLS Certificate presented by the USP Manager.
If you need help generating these certificates, refer to our mTLS Certificates Generation Guide.
LDAP Server Identity Validation

When a Rule is configured with Inbound Authentication Method set to Password, Authentication at the Proxy enabled, and Inbound Authentication Source set to LDAP, the USP Server authenticates inbound credentials against an external LDAP directory. This process relies on two components: an LDAP Connection and an LDAP Query.
If the LDAP Connection is configured to use SSL/TLS, a CA Certificate is required to validate the TLS Certificate presented by the LDAP server. This ensures that the USP Server connects only to a trusted LDAP endpoint before transmitting credentials.
Summary
To use a CA Certificate to validate the TLS Certificate presented by the LDAP server, the Rule must be set with the following:
- Inbound Authentication Method: Password
- Authentication at the Proxy: Enabled
- Inbound Authentication Source: LDAP
- LDAP Connection, with:
  - Use SSL/TLS Connection: Enabled
  - CA Certificate: A CA Certificate that matches the issuer of the LDAP server's TLS Certificate
- LDAP Query: An LDAP Query to locate and validate user entries in the directory
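As an added example (not part of the USP documentation or product), the following POSIX shell preflight checks the two things that go wrong most often with the settings above: that the files you point web.tls.cert and web.tls.key at actually belong together, and that the CA Certificate you configure (web.tls.ca, or the LDAP Connection's CA Certificate) really is the issuer of the peer's TLS Certificate. It assumes the openssl CLI is installed; the file names server.pem, server.key and ca.pem are stand-ins, and the CA and leaf certificate it checks are throwaway ones it generates itself.

```shell
#!/usr/bin/env sh
# Preflight checks for a USP mTLS / LDAP-TLS setup (added example, not USP code).
# Stand-ins: web.tls.cert -> server.pem, web.tls.key -> server.key, CA -> ca.pem.
# Requires the openssl CLI.
set -eu

# Check 1: the private key must belong to the TLS Certificate.
# Both sides are reduced to their SubjectPublicKeyInfo and hashed, so the
# comparison works for RSA and EC key pairs alike.
key_matches_cert() {
  cert_fp=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_fp=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$cert_fp" = "$key_fp" ]
}

# Check 2: the CA Certificate must validate (be the issuer of) the peer's
# TLS Certificate, which is exactly what the TLS stack does at handshake time.
ca_validates_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Both checks at once: cert, its key, and the CA expected to have issued cert.
# In a real deployment run check 2 against the REMOTE side's certificate
# (e.g. the USP Server's cert against the CA selected on the USP Manager).
preflight() {
  key_matches_cert "$1" "$2" && ca_validates_cert "$3" "$1"
}

# --- Constructed demo material: a throwaway CA and a leaf it issued ---
work=$(mktemp -d)
cd "$work"
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo USP CA" \
  -keyout ca.key -out ca.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=usp-server.example" \
  -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 1 -out server.pem 2>/dev/null
# Two common misconfigurations: a key from a different pair, and an unrelated CA.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out other.key 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
  -keyout other-ca.key -out other-ca.pem 2>/dev/null

if preflight server.pem server.key ca.pem; then
  echo "OK: cert/key pair is consistent and the cert chains to the configured CA"
fi
```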