Menu path: UMS Administration > Global Configuration > Certificate Management

In this section, you can manage certificates for the communication between the UMS and the thin clients. The preconfigured certificate, which has the Keystore alias "tckey", is used by default if no changes are made.

With UMS version 5.09 or higher, the default UMS certificate uses SHA512withRSA as signature algorithm with a key length of 4096 bits.

You can set a different certificate as default; if you do so, all newly registered thin clients will use this certificate, and already registered thin clients will replace their previously used certificate with the new default certificate.

At an interval of 5 minutes, the UMS checks whether the certificate on the thin client and the default certificate are still identical.

If a thin client does not support the default certificate, the UMS checks for each certificate whether it is supported, starting from the top of the list. The first one that matches the requirements will be used. If no certificate matches, the thin client is not registered.

As of UMS version 5.09.100, the signature algorithm for certificates is SHA512withRSA. The following IGEL operating systems do not support this signature algorithm, so an alternative certificate that they do support must be provided:

  • IGEL Linux v4.01.650 or lower
  • Windows 7 Embedded 3.08.100 or lower

If you have upgraded to UMS 5.09.100 from an older version, such a certificate is already provided, as certificates are not overwritten in the course of an update.

If you select a certificate in the area Certificate management, all thin clients which use this certificate are shown in the area Thin clients which use the selected certificate (<number>).

High Availability

If you are running the UMS in a High Availability (HA) network, be aware that any change to certificates (importing a new key pair, generating a new key pair, deleting a certificate or changing the default certificate) automatically generates a new network token, after which you have to:

  1. Define a location in which the new network token should be stored.
  2. Deinstall all load balancers of the HA network.
  3. Reinstall the load balancers using the new network token.
  4. Restart all IGEL RMGUIServer services in the HA network.

Restoring from a Backup

When restoring from a backup, check whether the certificates contained in the backup differ from the certificates currently in use. If they do, every thin client that was registered before the restore must be registered again.

Possible Actions

Import a certificate from a file. Enter the file path under Keystore file and the import password under Keystore password. The UMS checks the certificate's signature algorithm; if the algorithm is not supported by the UMS, the certificate is not imported.

Certificates with any of the following signature algorithms can be imported:

  • SHA1_WITH_RSA
  • SHA1_WITH_DSA
  • SHA256_WITH_RSA
  • SHA256_WITH_DSA
  • SHA384_WITH_RSA
  • SHA512_WITH_RSA

UMS certificates which use the MD5 algorithm cannot be imported. If a device with a certificate using MD5 is selected for registration, the UMS automatically replaces its certificate with a newer one. SHA-1 remains importable for compatibility with older devices, but it is no longer considered collision-resistant; generate new certificates with SHA256 or stronger.

No Support for Certificate Chains

Do not import certificate chains. If you configure such a certificate, the communication between the UMS and the device will fail.
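Before importing, it is worth checking that a certificate file actually meets the two rules above: a single certificate rather than a chain, and a signature algorithm from the accepted list rather than MD5. The following script is an added example, not IGEL code. It parses the DER structure of a PEM-encoded certificate with the Python standard library only and reports the signature algorithm and RSA key size. The certificates it checks at the bottom are constructed skeletons with a dummy signature, built only to exercise the parser; they are not real UMS certificates. To run it on a real certificate, export the certificate from the keystore first (for example with keytool -exportcert -rfc); that step is an assumption about your environment, not a step from this page.

```python
"""Pre-import check for a UMS device certificate (added example, not IGEL code).
Rejects PEM files holding a chain, parses the DER with the standard library only,
and reports the signature algorithm and RSA key size, refusing MD5 as UMS does."""
import base64
import re

# Signature algorithms the UMS import dialog accepts, keyed by their real OIDs.
ACCEPTED = {
    "1.2.840.113549.1.1.5": "SHA1_WITH_RSA",
    "1.2.840.10040.4.3": "SHA1_WITH_DSA",
    "1.2.840.113549.1.1.11": "SHA256_WITH_RSA",
    "2.16.840.1.101.3.4.3.2": "SHA256_WITH_DSA",
    "1.2.840.113549.1.1.12": "SHA384_WITH_RSA",
    "1.2.840.113549.1.1.13": "SHA512_WITH_RSA",
}
MD5_WITH_RSA = "1.2.840.113549.1.1.4"
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split the content of a constructed type (SEQUENCE etc.) into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def _oid(value):
    """Decode an OBJECT IDENTIFIER content into dotted notation."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def inspect_der(der):
    """Return (signature algorithm OID, RSA modulus size in bits or None for non-RSA)."""
    _, cert, _ = _tlv(der, 0)
    tbs, sig_alg = _children(cert)[:2]         # Certificate ::= SEQUENCE {tbs, sigAlg, sig}
    sig_oid = _oid(_children(sig_alg[1])[0][1])
    fields = _children(tbs[1])
    if fields[0][0] == 0xA0:                   # explicit [0] version is optional
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    spki_alg, spki_key = _children(fields[5][1])[:2]
    if _oid(_children(spki_alg[1])[0][1]) != RSA_ENCRYPTION:
        return sig_oid, None
    rsa_seq = _children(spki_key[1][1:])[0][1]  # BIT STRING: skip the unused-bits octet
    modulus = _children(rsa_seq)[0][1]          # RSAPublicKey ::= SEQUENCE {n, e}
    return sig_oid, int.from_bytes(modulus, "big").bit_length()

def check_for_ums_import(pem_text):
    """Apply this page's import rules to a PEM file and return a verdict string."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                        pem_text, re.S)
    if len(blocks) != 1:
        return "reject: %d certificates in file, UMS does not support chains" % len(blocks)
    sig_oid, bits = inspect_der(base64.b64decode("".join(blocks[0].split())))
    if sig_oid == MD5_WITH_RSA:
        return "reject: MD5 signature cannot be imported"
    if sig_oid not in ACCEPTED:
        return "reject: unsupported signature algorithm " + sig_oid
    return "ok: " + ACCEPTED[sig_oid] + (", RSA %d-bit key" % bits if bits else "")

# --- constructed test data: certificate skeletons with a dummy signature ---
RSA_FAMILY = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01"  # 1.2.840.113549.1.1.<last arc>

def _der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def _int(n):
    return _der(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def make_skeleton_pem(sig_last_arc, modulus_bits):
    """Structurally valid, unsigned certificate for exercising the checker (not a real cert)."""
    alg = _der(0x30, _der(0x06, RSA_FAMILY + bytes([sig_last_arc])) + b"\x05\x00")
    rsa_key = _der(0x30, _int((1 << (modulus_bits - 1)) | 1) + _int(65537))
    spki = _der(0x30, _der(0x30, _der(0x06, RSA_FAMILY + b"\x01") + b"\x05\x00")
                + _der(0x03, b"\x00" + rsa_key))
    tbs = _der(0x30, _der(0xA0, _int(2)) + _int(1) + alg + _der(0x30, b"") * 3 + spki)
    der = _der(0x30, tbs + alg + _der(0x03, b"\x00" * 17))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

if __name__ == "__main__":
    good = make_skeleton_pem(0x0D, 4096)                   # sha512WithRSAEncryption
    print(check_for_ums_import(good))                       # ok: SHA512_WITH_RSA, RSA 4096-bit key
    print(check_for_ums_import(make_skeleton_pem(0x04, 2048)))         # md5WithRSAEncryption
    print(check_for_ums_import(good + make_skeleton_pem(0x0B, 2048)))  # two certs = chain
```

The parser deliberately reads only the outer Certificate structure and the subjectPublicKeyInfo; it does not validate the signature, so it tells you whether UMS will accept the file, not whether the certificate is trustworthy. The chain check counts PEM blocks, which is exactly the case the warning above describes: a file exported with its issuer chain attached.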

Generate a new certificate.

Delete the selected certificate.

Do not delete a certificate that is being used by a thin client; otherwise, the UMS will not be able to communicate with this thin client any more.

Move the selected certificate up in the list to increase its priority.

If you move the selected certificate to the top of the list, it will become the default certificate. In this case, you must restart the IGEL RMGUIServer.

The change of the default certificate is propagated to the devices in a background task of the UMS. This task replaces the certificate on all devices that are compatible with this certificate and runs every 5 minutes.

Move the selected certificate down in the list to decrease its priority.

Activate the selected certificate. When a certificate is activated, it can be used for communication between UMS and thin clients.

Deactivate the selected certificate. A deactivated certificate will not be used when a new thin client is registered. If a certificate is deactivated while it is in use, communication between UMS and thin client is still possible. If only one certificate is active, this certificate cannot be deactivated.

Export the selected certificate.

Export the key pair of the selected certificate.

Show the content of the selected certificate.