
Introduction

The built-in certificate authority offers the functionality

  • to create a root private key and certificate and to self-sign the root certificate,
    • The root private key and certificate are stored with the JS7 - Database.
  • to create private keys and certificates per Controller instance and Agent and to sign the resulting certificates.
    • The private keys and certificates are not stored with the database. Instead, they are requested by Controller instances and Agents, created on-the-fly and forwarded to the requester.
  • to create security tokens that allow Controller instances and Agents to authenticate their request for a private key and certificate.

Certificate Management includes the following steps:

  • to manage the root private key and certificate with JOC Cockpit,
  • to create security tokens for Controller instances and Agents with JOC Cockpit,
  • to request private keys and certificates to be created on-the-fly by Controller instances and Agents.

Manage Root Private Key and Certificate

The root private key and self-signed certificate have to be created in an initial step:

For user accounts that are assigned the administrator role, the User->Profile menu of JOC Cockpit offers the sub-tab CA Management.

Explanation:

  • Operations offered from this sub-tab include
    • to generate the private key and certificate and to self-sign the certificate,
    • to import and to update the private key and self-signed certificate in case they are generated by an external certificate authority.
  • Consider that updates to the root private key and certificate require new private keys and certificates to be created for Controller instances and Agents.
    • The existing private keys and certificates remain in place with Controllers and Agents; they continue to work, but a user can no longer verify them against the updated root certificate.
    • It is therefore recommended to create and roll out new private keys and certificates within a foreseeable time.
  • JOC Cockpit supports ECDSA key algorithms only, as RSA key algorithms are not considered secure for the longer term.
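To make the trust relationship described in the Introduction and in the note on root updates concrete, the following added example models the built-in CA's three roles in plain Go: an ECDSA root key with a self-signed root certificate, a per-host ECDSA key and certificate signed by that root and handed back to the requester without being stored, and a verification check that a certificate chains to the current root. It is illustration code written for this page, not the JOC Cockpit implementation; the type and function names (CA, NewRootCA, IssueServerCert, Verify) and the host name agent-1.example.test are constructed. The last lines of main show why a root update calls for a roll-out: the Agent certificate still parses and works, but it no longer verifies against the replaced root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a minimal stand-in for the built-in certificate authority: an ECDSA
// root key plus its self-signed certificate. Illustration only, not JS7 code.
type CA struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// NewRootCA generates an ECDSA P-256 root key and self-signs the root
// certificate (JOC Cockpit supports ECDSA keys only, per the page).
func NewRootCA(name string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	// Parent is the template itself: the root signs its own certificate.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Key: key, Cert: cert}, nil
}

// IssueServerCert creates a fresh ECDSA key for a Controller or Agent host and
// signs a server certificate for it with the root. The private key is returned
// to the requester and never retained by the CA, as in the on-the-fly model.
func (ca *CA) IssueServerCert(host string, serial int64) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return key, cert, nil
}

// Verify reports whether cert chains to root and matches host. A certificate
// issued under a previous root fails here, which is why certificates have to
// be rolled out again after the root is replaced.
func Verify(root, cert *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

func main() {
	root, err := NewRootCA("JS7 Root CA (example)")
	if err != nil {
		panic(err)
	}
	// Constructed Agent host name for the demonstration.
	_, agentCert, err := root.IssueServerCert("agent-1.example.test", 2)
	if err != nil {
		panic(err)
	}
	fmt.Println("verifies against current root:", Verify(root.Cert, agentCert, "agent-1.example.test"))
	rotated, _ := NewRootCA("JS7 Root CA (rotated)")
	fmt.Println("verifies against rotated root:", Verify(rotated.Cert, agentCert, "agent-1.example.test"))
}
```

Verify also rejects a certificate presented for a host other than the one it was issued for, so the same check covers both the root-rotation case and a misdirected certificate.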

Manage Private Keys and Certificates for Controllers and Agents

The User->Manage Controllers/Agents menu of JOC Cockpit offers to create tokens for Controller instances and Agents individually:

  • You can use the Controller's action menu to create one-time security tokens for Controller instances.
  • You can select one or more Agents to create one-time security tokens per Agent, then use the Create one-time Token button.
  • After selecting the Controller or Agents, a popup window is displayed that asks for the lifetime of the token.


Explanation:

  • The token is valid until its lifetime expires.
    • It is recommended to use short lifetimes, such as 30 minutes, that are sufficient to perform the steps for roll-out of certificates to the respective Controller and Agents.
    • The lifetime is specified for a time zone, as the time zone of the user's browser and the time zone of the server operating a Controller instance or Agent might differ.
  • Tokens become invalid after one-time use. Cleanup of expired tokens is performed automatically by JOC Cockpit.
  • Once the security tokens are generated they become accessible from the user interface.
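The token semantics in the list above (valid only until the lifetime expires, consumed on first use, expired tokens cleaned up, lifetime interpreted against one reference clock rather than whichever time zone the browser happens to be in) can be pinned down in a small model. The following added example is illustration code for this page, not JOC Cockpit's implementation; the names TokenStore, Issue, Redeem and Cleanup, the binding of a token to the Controller or Agent it was issued for, and the injectable clock are assumptions made here so the behaviour can be exercised deterministically. Expiry is stored as an absolute UTC instant, so a browser in one zone and a server in another agree on when the token stops working.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"sync"
	"time"
)

var (
	ErrUnknownToken = errors.New("token unknown, already used or issued for another subject")
	ErrExpiredToken = errors.New("token expired")
)

// tokenRecord binds a one-time token to the Controller or Agent it was issued
// for and to an absolute expiry instant kept in UTC (assumed design, see lead-in).
type tokenRecord struct {
	subject string
	expires time.Time
}

// TokenStore issues and redeems one-time security tokens. Illustrative model of
// the behaviour described on this page, not JOC Cockpit's own code.
type TokenStore struct {
	mu     sync.Mutex
	now    func() time.Time // injectable clock so expiry can be tested
	tokens map[string]tokenRecord
}

// NewTokenStore returns an empty store using the given clock (time.Now in production).
func NewTokenStore(now func() time.Time) *TokenStore {
	return &TokenStore{now: now, tokens: make(map[string]tokenRecord)}
}

// Issue creates a random 256-bit token for subject that is valid for lifetime.
func (s *TokenStore) Issue(subject string, lifetime time.Duration) (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(buf)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.tokens[tok] = tokenRecord{subject: subject, expires: s.now().UTC().Add(lifetime)}
	return tok, nil
}

// Redeem validates tok for subject and removes it, so a second use fails with
// ErrUnknownToken. An expired token is removed as well and reported as expired.
func (s *TokenStore) Redeem(tok, subject string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.tokens[tok]
	if !ok || rec.subject != subject {
		return ErrUnknownToken
	}
	delete(s.tokens, tok) // one-time use: consumed whether or not it is still valid
	if !s.now().UTC().Before(rec.expires) {
		return ErrExpiredToken
	}
	return nil
}

// Cleanup removes tokens whose lifetime has passed and returns how many were dropped.
func (s *TokenStore) Cleanup() int {
	s.mu.Lock()
	defer s.mu.Unlock()
	now := s.now().UTC()
	n := 0
	for tok, rec := range s.tokens {
		if !now.Before(rec.expires) {
			delete(s.tokens, tok)
			n++
		}
	}
	return n
}
```

Because the comparison is between two UTC instants, the 30 minute recommendation above means 30 minutes of wall-clock time regardless of where the browser that created the token or the server redeeming it are located.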


Explanation:

  • Each Agent for which a security token has been created displays the expiration date and offers a key symbol:
    • when clicking the key symbol the security token is displayed,
    • the display of the security token offers a button to copy the security token value to the clipboard.
  • Having copied the security token to the clipboard, switch to the server of the Controller instance or Agent and perform the steps for JS7 - Certificate Authority - Rollout Certificates for HTTPS Connections, which require the security token to be specified for authentication with JOC Cockpit.
