Managing Certificates on a Container

Connectors require a Certificate Authority (CA) issued or self-signed SSL certificate to communicate securely with a destination. The Certificate Management wizard, available from the Containers tab, helps you add and remove certificates on a container. Using the wizard, you can:

From the Containers tab and the Connectors tab, you can view details about the certificates applied to a container. See Viewing Certificates on a Container.

For information about resolving invalid certificates, see Resolving Invalid Certificate Errors.

Adding CA Certificates to a Container

You can add a single CA certificate to a container that is in FIPS mode or non-FIPS mode.

Note: Whenever you enable or disable FIPS mode on a container, check that the required certificates are present in the trust store and add them if necessary.

Click the icon next to the container name to see the type of certificate applied to it. Select Display Certificates from the Action drop-down to see the list of available certificates on the container.

Before you perform the following procedure, make sure the certificate you want to add is loaded in the CA Certs repository.

To add a single CA certificate to a container:

  1. Click Node Management.

  2. In the navigation tree, click System.

  3. Click the Containers tab.

  4. On the Containers tab, select one or more containers to which you wish to add certificates.

  5. Click Certificates. The Certificate Management wizard starts.

  6. Review the dialog box, and then click Next.

  7. Under Choose an Action, select Add Certificate, and then click Next.

  8. Follow the instructions in the wizard to add the certificate.

    If a container is down or a connector is running an older build, the wizard reports errors in the progress bar and on the Summary page.

Removing CA Certificates from a Container

You can remove CA certificates from a container when they are no longer needed. When you remove a CA certificate, it is removed from the container’s trust store, but it is not deleted from the repository.

Caution: Use caution when deleting certificates. When you delete a certificate on a container but the connector destination is still using that certificate, the connector can no longer communicate with the destination.

To remove CA certificates from a container:

  1. Click Node Management.

  2. In the navigation tree, click System.

  3. Click the Containers tab.

  4. On the Containers tab, select one or more containers from which you wish to remove certificates.

  5. Click Certificates. The Certificate Management wizard starts.

  6. Review the dialog box, and then click Next.

  7. Under Choose an Action, select Remove certificate, and then click Next.

  8. Select one or more certificates from the certificate list, and then click Next. The certificates are removed from the list of certificates and are no longer used. When you remove a certificate from a container in FIPS mode, the container restarts automatically.

  9. The Certificate Management wizard displays the certificates that are removed successfully in a comma-separated list. Certificates that cannot be removed are shown in a comma-separated list together with a reason why the certificate removal failed.

Adding a CA Certs File to a Container

You can add a CA Certs file to any container that is in non-FIPS mode.

Caution: When you apply a CA Certs file, the entire trust store on the container is overwritten. All previously-added certificates are overwritten.

Before you follow the procedure below, make sure that the CA Certs file you want to add is loaded in the CA Certs repository.

To add a CA Certs file to a non-FIPS mode container:

  1. Click Node Management.

  2. In the navigation tree, click System.

  3. Click the Containers tab.

  4. On the Containers tab, select one or more non-FIPS mode containers to which you wish to add a CA Certs file.

  5. Click Certificates. The Certificate Management wizard starts.

  6. Review the dialog box, and then click Next.

  7. Under Choose an Action, select CA Cert (Legacy).

  8. Follow the instructions in the wizard.

    After the CA Certs file has been added to a container, the container restarts automatically.
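
A pre-flight check for the overwrite described in the Caution above, as an added example that is not part of the product or its documentation. It assumes the container's current trust store and the new CA Certs file are both available as PEM bundles (an assumption; the page does not state the file format) and reports which certificates the overwrite would drop. The sample bundles are constructed placeholder bytes, not real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)

def fingerprints(pem_bundle):
    """Return the set of SHA-256 fingerprints of every certificate in a PEM bundle."""
    found = set()
    for match in PEM_RE.finditer(pem_bundle):
        # Strip line breaks inside the base64 body, then hash the raw DER bytes.
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
        found.add(hashlib.sha256(der).hexdigest())
    return found

def overwrite_impact(current_pem, replacement_pem):
    """Compare the trust store before and after a full overwrite."""
    current = fingerprints(current_pem)
    replacement = fingerprints(replacement_pem)
    return {
        "lost": sorted(current - replacement),   # trusted today, gone after overwrite
        "kept": sorted(current & replacement),   # present in both
        "new": sorted(replacement - current),    # introduced by the CA Certs file
    }

def to_pem(der):
    """Wrap bytes in PEM armor (helper for the constructed samples below)."""
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

# Constructed sample data: placeholder bytes standing in for DER certificates.
CA_A, CA_B, CA_C = (b"constructed-ca-" + n * 40 for n in (b"A", b"B", b"C"))
CURRENT_STORE = to_pem(CA_A) + to_pem(CA_B)        # hypothetical export of the trust store
NEW_CA_CERTS_FILE = to_pem(CA_B) + to_pem(CA_C)    # hypothetical CA Certs file

if __name__ == "__main__":
    impact = overwrite_impact(CURRENT_STORE, NEW_CA_CERTS_FILE)
    for label in ("lost", "kept", "new"):
        for fp in impact[label]:
            print(f"{label:4} {fp}")
    if impact["lost"]:
        print("Certificates in 'lost' must be in the new file if a destination still needs them.")
```

Any fingerprint reported as lost belongs to a certificate that connectors on the container will stop trusting once the file is applied.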

Enabling or Disabling a Demo Certificate on a Container

You can use the demo certificate on a container for testing purposes. By default, the demo certificate on a container is disabled. You can enable the demo certificate temporarily for testing purposes on a container that is in non-FIPS mode.

Note: Enable a demo certificate on a container in non-FIPS mode for testing purposes only. Using a demo certificate in a production environment is a serious security issue because the demo certificate is not unique.

To enable or disable a demo certificate on a non-FIPS mode container:

  1. Click Node Management.

  2. In the navigation tree, click System.

  3. Click the Containers tab.

  4. On the Containers tab, select one or more non-FIPS mode containers for which you wish to enable or disable the demo certificate.

  5. Click Certificates. The Certificate Management wizard starts.

  6. Review the dialog box, and then click Next.

  7. Under Choose an Action, select Demo CA (Legacy), and then click Next.

  8. Follow the instructions in the Certificate Management wizard.

    After you add the demo certificate on a container, the container restarts automatically.

Adding Multiple Destination Certificates to a Container

You can add multiple destination certificates to a container, whether in FIPS mode or not.

Note: Whenever you enable or disable FIPS mode on a container, check that the required certificates are present in the trust store and add them if necessary.

Click the icon to display a list of the certificates available on the container.

Note: If importing destination certificates for Transformation Hub fails because of changes in the certificate, remove the destination from the connector and then add it again, as explained in Removing Destinations and Adding a Primary Destination to a Connector.

To apply multiple destination certificates to a container:

  1. Click Node Management.

  2. In the navigation tree, click System.

  3. Click the Containers tab.

  4. On the Containers tab, select the containers for which you wish to add multiple destination certificates.

  5. Click Certificates. The Certificate Management wizard starts.

  6. Review the dialog box, and then click Next.

  7. Under Choose an Action, select Import destination certificates to add a certificate.

  8. Follow the instructions in the wizard to complete the process.

Viewing Certificates on a Container

You can display a list of the CA certificates applied to a container and view the details for a particular certificate in the list. To view certificates on a container,

The Certificate List wizard displays the certificates applied to a container. To see details of a certificate, select the certificate, and then click Next at the bottom of the page.

Resolving Invalid Certificate Errors

If no valid CA certificates exist for the connectors in the container, resolve the invalid certificate error as follows:

To resolve the invalid certificate error:

  1. Select the container in the navigation tree.

  2. Click the Containers tab. The error message is displayed.

  3. In the Action drop-down of the container showing the issue, select Download Certificates.

  4. Follow the instructions in the wizard to download and import the valid certificates.