Menu path: UMS Administration > Global Configuration > Certificate Management
In this section, you can manage certificates for the communication between the UMS and the devices. The preconfigured certificate, which has the Keystore alias "tckey", is used by default if no changes are made.
You can set a different certificate as default; if you do so, all newly registered devices will use this certificate, and already registered devices will replace their previously used certificate with the new default certificate.
At an interval of 5 minutes, the UMS checks whether the certificate on the device and the default certificate are still identical.
If a device does not support the default certificate, the UMS goes through the list from the top and checks each certificate in turn for whether the device supports it. The first one that matches the requirements is used. If no certificate matches, the device is not registered.
If you select a certificate in the area Certificate management, all devices which use this certificate are shown in the area Devices which use the selected certificate (<number>).
If you are running the UMS in a High Availability (HA) network, be aware that any change to the certificates (importing a new key pair, generating a new key pair, deleting a certificate or changing the default certificate) automatically generates a new network token, and you will then have to:
- Define a location in which the new network token is stored.
- Uninstall all load balancers of the HA network.
- Reinstall the load balancers using the new network token.
- Restart all IGEL RMGUIServer/igelRMserver services in the HA network.
Restoring from a Backup
When restoring from a backup, check if certificates included in the backup differ from the certificates that are currently in use. If this is the case, all devices that have been registered before restoring will have to be registered again.
Certificates are not overwritten in the course of an update.
Import a certificate from a file. The file format must be PFX (PKCS#12), and the private key must be included in the file. The file path is provided under Keystore file and the password of the PFX file is entered under Keystore password. The certificate's signature algorithm is checked during the import. If the signature algorithm is not supported by the UMS, the certificate is not imported.
Supported Signature Algorithms
The following signature algorithms are supported: SHA512withRSA, SHA384withRSA, SHA256withRSA, SHA1withRSA, SHA256withDSA, and SHA1withDSA. SHA1withRSA and SHA1withDSA are accepted, but SHA-1 is deprecated as a signature hash; use SHA-256 or stronger for new certificates.
Certificates whose signature uses the MD5 algorithm (e.g. MD5withRSA) are not supported and are rejected on import.
No Support for Certificate Chains
Do not import certificate chains, i.e. a PFX file in which the end-entity certificate is bundled with intermediate or root CA certificates. If you configure such a certificate, the communication between the UMS and the device will fail.
The import of expired certificates is not possible.
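The import rules above (private key included, no certificate chain, supported signature algorithm, not expired) can be checked from the command line before the PFX file is handed to the UMS. The following script is an added example; it is not part of the UMS or the IGEL documentation and relies only on the openssl command-line tool. The function names make_ums_pfx and ums_preflight are names chosen here. make_ums_pfx creates a self-signed SHA256withRSA certificate with its private key and packs both into a PFX file without CA certificates; ums_preflight applies the four import rules to any PFX file and reports each result.

```shell
#!/bin/sh
# Added example (not IGEL code): prepare and pre-check a PFX for the UMS import.
# Requires only the openssl command-line tool; the UMS still performs its own
# check during the import, this script only catches problems earlier.

# make_ums_pfx NAME PASSWORD DAYS
# Creates a self-signed RSA/SHA-256 certificate with its private key and packs
# both into NAME.pfx with no CA certificates, i.e. in the form the UMS accepts.
make_ums_pfx() {
    name=$1; pw=$2; days=$3
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/CN=$name" -keyout "$name.key" -out "$name.pem" >/dev/null 2>&1 &&
    openssl pkcs12 -export -inkey "$name.key" -in "$name.pem" \
        -out "$name.pfx" -passout "pass:$pw"
}

# Signature algorithm names as printed by `openssl x509 -text`, mapped to the
# algorithms the UMS documentation lists as supported (MD5 is deliberately absent).
ums_supported_sigalg() {
    case "$1" in
        sha512WithRSAEncryption|sha384WithRSAEncryption|sha256WithRSAEncryption|sha1WithRSAEncryption|dsa_with_SHA256|dsaWithSHA1) return 0 ;;
        *) return 1 ;;
    esac
}

# ums_preflight FILE PASSWORD
# Applies the four import rules: private key included, no certificate chain,
# supported signature algorithm, not expired. Prints one line per check and
# returns 0 only if all of them pass.
ums_preflight() {
    pfx=$1; pw=$2; rc=0

    # Fail early if the file is not a PKCS#12 file or the password is wrong
    # (the MAC over the file is verified with the password).
    if ! openssl pkcs12 -in "$pfx" -passin "pass:$pw" -nokeys -noout >/dev/null 2>&1; then
        echo "FAIL: cannot open $pfx (wrong password or not a PKCS#12 file)"
        return 1
    fi

    # 1. The private key must be included in the file.
    if openssl pkcs12 -in "$pfx" -passin "pass:$pw" -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY'; then
        echo "ok:   private key included"
    else
        echo "FAIL: no private key in $pfx"; rc=1
    fi

    # 2. Exactly one certificate: bundled CA certificates form a chain, which is not supported.
    n=$(openssl pkcs12 -in "$pfx" -passin "pass:$pw" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE' || true)
    if [ "$n" -eq 1 ]; then
        echo "ok:   single certificate, no chain"
    else
        echo "FAIL: $n certificates in $pfx (certificate chains are not supported)"; rc=1
    fi

    # The remaining checks look at the end-entity certificate only (-clcerts
    # selects the certificate that belongs to the private key).
    cert=$(openssl pkcs12 -in "$pfx" -passin "pass:$pw" -nokeys -clcerts 2>/dev/null)

    # 3. The signature algorithm must be one the UMS supports.
    alg=$(printf '%s\n' "$cert" | openssl x509 -noout -text 2>/dev/null | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    if ums_supported_sigalg "$alg"; then
        echo "ok:   signature algorithm $alg"
        case "$alg" in
            sha1WithRSAEncryption|dsaWithSHA1)
                echo "WARN: $alg is accepted by the UMS, but SHA-1 is deprecated; prefer SHA-256 or stronger" ;;
        esac
    else
        echo "FAIL: unsupported signature algorithm '$alg'"; rc=1
    fi

    # 4. Expired certificates cannot be imported (-checkend 0 fails if notAfter is in the past).
    if printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null 2>&1; then
        echo "ok:   certificate not expired"
    else
        echo "FAIL: certificate has expired"; rc=1
    fi
    return $rc
}
```

Usage: source the script, then `make_ums_pfx ums-server 'secret' 365` creates ums-server.pfx and `ums_preflight ums-server.pfx 'secret'` reports whether it can be imported. Running ums_preflight against a PFX exported with a CA certificate bundled in it reports two certificates and fails the chain check, which is the case that otherwise only shows up as failed UMS-to-device communication after the import.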
Generate a new certificate.
Delete the selected certificate.
Do not delete a certificate that is being used by a device; otherwise, the UMS will not be able to communicate with this device anymore.
Move the selected certificate up in the list to increase its priority.
If you move the selected certificate to the top of the list, it will become the default certificate. In this case, you must restart the IGEL RMGUIServer/igelRMserver service.
The change of the default certificate is propagated to the devices in a background task of the UMS. This task replaces the certificate on all devices that are compatible with this certificate and runs every 5 minutes.
Move the selected certificate down in the list to decrease its priority.
Activate the selected certificate. When a certificate is activated, it can be used for communication between UMS and devices.
Deactivate the selected certificate. A deactivated certificate will not be used when a new device is registered. If a certificate is deactivated while it is in use, communication between the UMS and the device is still possible. If only one certificate is active, this certificate cannot be deactivated.
Export the selected certificate.
Export the key pair of the selected certificate.
Show the content of the selected certificate.