TLS Certificates
TLS Certificates are digital credentials used to present and prove the identity of a system during a TLS handshake. In USP, TLS Certificates are essential for establishing secure, authenticated communication between trusted components.
For more information on where and how TLS Certificates are used, refer to How USP Uses Certificates.
Using Hardware Security Modules (HSMs)
TLS Certificates in USP can be stored in two ways:
- Locally, where the credential content is uploaded and securely stored by USP Manager.
- Externally, in a Hardware Security Module (HSM), where the key never leaves the physical device.
An HSM is a dedicated cryptographic device that stores and protects keys within a tamper-resistant environment.
When a TLS Certificate is stored in an HSM, its content remains inside the hardware, and all cryptographic operations, such as signing during TLS handshakes, are performed within the device. The USP Server never has direct access to the raw key data.
USP communicates with HSMs through the PKCS#11 interface using the configuration defined in the HSM Connection. That connection specifies the library path, token identifiers, authentication PIN, and other details required for USP Server to access the HSM.
TLS Certificate Administration via USP Admin UI
Adding a TLS Certificate
To add a TLS Certificate, follow these steps:
- From the Sidebar, click Authentication > Certificates.
- Click TLS Certificates.
- Click Add TLS Certificate.
- Complete the details for the new TLS Certificate using the Field Descriptions table as a guide.
Warning: Once saved, the TLS Certificate's Private Key cannot be viewed again.
- Click Save.
Field Descriptions
| Name | Description | Specifications | Required |
|---|---|---|---|
| Name | The name of the TLS Certificate. | | Yes |
| Description | The description of the TLS Certificate. | | No |
| Store Certificate and Private Key in HSM | When enabled, the certificate and keys are managed through a preconfigured HSM Connection. | | Yes |
| HSM Certificate ID | The unique identifier of the certificate or key inside the HSM (CKA_ID). | Hexadecimal, with or without a 0x prefix; for example, 4A4B4 or 0x4A4B4C. | Yes, if Store Certificate and Private Key in HSM is enabled. |
| HSM Certificate Label | The human-readable name assigned to the certificate or key inside the HSM (CKA_LABEL). The label is used to identify the object (e.g., TLS-Key-Prod). | | Yes, if Store Certificate and Private Key in HSM is enabled. |
| Certificate | The TLS Certificate content. | Must be in PEM format. | Yes, if Store Certificate and Private Key in HSM is disabled. |
| Private Key | The Private Key for the TLS Certificate. | | Yes, if Store Certificate and Private Key in HSM is disabled. |
Editing a TLS Certificate
When editing a TLS Certificate, the TLS Certificate and Private Key fields appear empty, but the original values remain stored unless deliberately overwritten. This is intentional, as the USP Manager does not allow updating only one of these fields. To make changes, you must edit both the certificate and its corresponding private key.
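The rules in the Field Descriptions table and the edit-screen rule above (certificate and private key are replaced together or not at all) are easy to get wrong when TLS Certificates are created through automation rather than the Admin UI. The following Python checker is an added example, not USP Manager's own validation code: it models the form as a hypothetical `TlsCertificateForm`, normalizes the CKA_ID hex format shown in the table, checks that the Certificate and Private Key fields are single well-formed PEM blocks, and enforces the HSM and local-storage requirements. The sample PEM strings are constructed placeholders, not real credentials, and the zero-nibble padding of odd-length CKA_IDs is an assumption.

```python
import base64
import binascii
import re
from dataclasses import dataclass

# Hypothetical pre-flight validator for the Add/Edit TLS Certificate form.
# It encodes the rules from the Field Descriptions table; it is an added
# example and not USP Manager's own validation code.

_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def normalize_cka_id(value: str) -> bytes:
    """Convert a CKA_ID written as hex ('4A4B4' or '0x4A4B4C') to the byte
    string a PKCS#11 object search compares against. An odd number of hex
    digits is left-padded with one zero nibble (assumption: the HSM expects
    whole bytes)."""
    text = value.strip()
    if text[:2].lower() == "0x":
        text = text[2:]
    if not re.fullmatch(r"[0-9A-Fa-f]+", text):
        raise ValueError(f"HSM Certificate ID is not hexadecimal: {value!r}")
    if len(text) % 2:
        text = "0" + text
    return bytes.fromhex(text)


def pem_block_type(pem: str) -> str:
    """Return the label of a single well-formed PEM block ('CERTIFICATE',
    'PRIVATE KEY', ...). Raises ValueError when the BEGIN/END lines do not
    match or the body is not valid base64."""
    match = _PEM_BLOCK.fullmatch(pem.strip())
    if not match:
        raise ValueError("expected exactly one PEM block with matching BEGIN/END lines")
    body = "".join(match.group(2).split())
    try:
        if not body or not base64.b64decode(body, validate=True):
            raise ValueError
    except (binascii.Error, ValueError):
        raise ValueError(f"body of {match.group(1)} block is not valid base64") from None
    return match.group(1)


@dataclass
class TlsCertificateForm:
    name: str
    store_in_hsm: bool = False       # "Store Certificate and Private Key in HSM"
    hsm_certificate_id: str = ""     # CKA_ID, hexadecimal
    hsm_certificate_label: str = ""  # CKA_LABEL
    certificate: str = ""            # PEM
    private_key: str = ""            # PEM


def validate_form(form: TlsCertificateForm, editing: bool = False) -> list[str]:
    """Return a list of problems (empty when the form can be saved).

    editing=True applies the edit-screen rule: Certificate and Private Key may
    both be left blank to keep the stored pair, but never just one of them."""
    errors: list[str] = []
    if not form.name.strip():
        errors.append("Name is required")

    if form.store_in_hsm:
        if not form.hsm_certificate_id.strip():
            errors.append("HSM Certificate ID is required when storing in an HSM")
        else:
            try:
                normalize_cka_id(form.hsm_certificate_id)
            except ValueError as exc:
                errors.append(str(exc))
        if not form.hsm_certificate_label.strip():
            errors.append("HSM Certificate Label is required when storing in an HSM")
        return errors

    have_cert = bool(form.certificate.strip())
    have_key = bool(form.private_key.strip())
    if not have_cert and not have_key:
        if not editing:
            errors.append("Certificate and Private Key are required when not storing in an HSM")
        return errors  # on edit, blank fields keep the stored pair untouched
    if have_cert != have_key:
        errors.append("Certificate and Private Key must be replaced together")
    if have_cert:
        try:
            if pem_block_type(form.certificate) != "CERTIFICATE":
                errors.append("Certificate must be a PEM CERTIFICATE block")
        except ValueError as exc:
            errors.append(f"Certificate: {exc}")
    if have_key:
        try:
            if not pem_block_type(form.private_key).endswith("PRIVATE KEY"):
                errors.append("Private Key must be a PEM PRIVATE KEY block")
        except ValueError as exc:
            errors.append(f"Private Key: {exc}")
    return errors


def _fake_pem(label: str, payload: bytes) -> str:
    # Constructed sample: a syntactically valid PEM wrapper around arbitrary
    # bytes, not a real certificate or key.
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


SAMPLE_CERT_PEM = _fake_pem("CERTIFICATE", b"constructed sample certificate bytes")
SAMPLE_KEY_PEM = _fake_pem("PRIVATE KEY", b"constructed sample key bytes")


if __name__ == "__main__":
    local_form = TlsCertificateForm("web-prod", certificate=SAMPLE_CERT_PEM, private_key=SAMPLE_KEY_PEM)
    hsm_form = TlsCertificateForm("web-prod-hsm", store_in_hsm=True,
                                  hsm_certificate_id="0x4A4B4C", hsm_certificate_label="TLS-Key-Prod")
    for form in (local_form, hsm_form):
        print(form.name, validate_form(form) or "ok")
    print("CKA_ID 4A4B4 ->", normalize_cka_id("4A4B4").hex())
```

The PEM check is deliberately structural only (matching BEGIN/END labels and a base64 body); it catches the common copy-paste failures before submission but does not verify that the private key actually matches the certificate, which needs a full X.509 parser.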
To edit a TLS Certificate, follow these steps:
- From the Sidebar, click Authentication > Keys.
- Click TLS Certificates.
- Click the row of the TLS Certificate you want to edit.
- Click the Edit button above the TLS Certificate details.
- Edit the details of the TLS Certificate using the Field Descriptions table as a guide.
- Click Save.
If you modify a TLS Certificate that is currently in use by a USP Server instance, the changes will not take effect until you manually apply the updated configuration by pushing it to the server. To apply the changes:
- Navigate to Monitoring > Status.
- Click the Name of the associated USP Server instance.
- Go to the Configuration tab.
- Review the pending changes in the Updated Configuration column.
- If the changes are correct, click Push Configuration.
TLS Certificate Metadata
TLS Certificate details include all parameters given in the Field Descriptions table above, plus the following read-only metadata:
| Name | Description |
|---|---|
| ID | Universally Unique Identifier of this TLS Certificate. |
| Enabled | A Boolean value indicating the status of the TLS Certificate. The only possible value is true. |
| Certificate | The TLS Certificate content. |
| Created At | Date and time this TLS Certificate was created. |
| Updated At | Date and time this TLS Certificate was last updated. |
Deleting a TLS Certificate
To delete a TLS Certificate, follow these steps:
- From the Sidebar, click Authentication > Keys.
- Click TLS Certificates.
- Click the row of the TLS Certificate you want to delete.
- Click the Delete button above the TLS Certificate details.
- You will be asked to confirm the deletion. Click Delete.
USP Manager prevents deletion of a TLS Certificate if it is currently referenced by a Configuration Item.
Additionally, if the TLS Certificate is used by a USP Server instance, the updated configuration must be manually applied. To apply the changes:
- Navigate to Monitoring > Status.
- Click the Name of the associated USP Server instance.
- Go to the Configuration tab.
- Review the pending changes in the Candidate Configuration - Preview section.
- If the changes are correct, click Push Configuration.
The changes do not take effect on the server until this step is completed.