The Certificates Menu¶
The certificates menu can be used to manage the lifecycles of all system certificates across the entire 4i Edge X.
The sub-menu on the left-hand side of the screen contains these items, each of which groups several configuration options:
Certificates – create, import and manage certificates, or sign a certificate signing request (CSR)
Certificate Authorities – create, import and manage certificate authorities (including trusted root CAs)
Certificate Revocation Lists – import certificate revocation lists (CRLs)
Enrollment Requests – create and manage enrollment requests for ACME providers
Changed in version 6.8.0: new top-level menu and added enrollment requests
Certificates¶
Here it is possible to manage all the certificates stored on the 4i Edge X. The table contains tabs for each of the certificate statuses: Active, Valid, Revoked, Not yet valid, Expired and Invalid. The default tab is Active and shows all existing certificates along with the following details, one per column:
ID. The name (certificate ID) assigned to the certificate.
Subject. The collection of information that identifies the certificate itself.
Type. The certificate type used to generate the certificate (server, client, or custom).
Expiration. The final date of validity of the certificate.
Expires In. The human readable time left before expiration.
Status. The current status of the certificate.
Issuer. The certificate issuer (CA) that verified and signed the certificate.
Actions. What actions can be done on the certificate.
View. Click to view details of the certificate.
Above the list, there are three options available to create, import or add a certificate to the 4i Edge X:
Sign CSR Click this button to sign a Certificate Signing Request (CSR), which is used to request a certificate from a CA (Certificate Authority).
Import Click this button to import a certificate to the 4i Edge X.
Create certificate Click this button to create a new certificate. Upon clicking, the page will be replaced by a form that allows you to provide all the data necessary to generate a new certificate.
Certificate options
Create certificate
This option allows a user to create a new certificate directly on the 4i Edge X, by providing the following information. The capital letters in parentheses show the field of the certificate that will be filled by the value supplied and form the Subject of the certificate.
Note
A Root Certificate Authority is needed to create certificates, so create the Root CA before creating certificates.
- Certificate ID
The system unique identifier string for this particular certificate. This is only used internally by the 4i Edge X certificate management engine.
- Certificate name
The common name (CN) of the certificate’s owner. This is typically the hostname or domain name used with this certificate but can be any unique identifier of the entity.
- Not Valid Before
The date before which the certificate is not valid (default is today’s date).
- Duration (days)
The number of days before the certificate expires (default is 365 days or 1 year).
- Certificate Authority
Select an existing CA (Certificate Authority) to use for generating this certificate.
Certificate Type
- Type preset
Select the certificate type to use for this certificate:
Server. This certificate will be used by a server or a machine to validate authenticity.
Client. This certificate will be used by a client (or user) to authenticate to a server.
Custom. Here you can create a custom certificate with specific attributes for Key Usage and Extended Key Usage.
Certificate Attributes
- Organization name
The organisation (O) to which the owner belongs.
- Organizational unit name
The Organisational Unit (OU) to which the owner belongs, i.e., the company, enterprise, or institution department identified with the certificate.
- City
The city (L) in which the organisation is located.
- State or province
The state or province (ST) in which the organisation is located.
- Country
The Country (C) in which the organisation is located, chosen from those in the selection menu. By typing one or more letters, matching countries are searched for and displayed.
The e-mail address of the certificate’s owner.
- Subject Alternative Name
The alternative names for the subject, which allow a single certificate to be associated with multiple domains or resources. The available options are:
DNS. The DNS entry of the site.
IP. The IP address of the site.
email. An email address.
The actual value for each option must be written in the textbox.
Hint
To add more alternative names, click on the + button.
Preferences
- Omit issuer name and serial number in authority key
Check this box to omit the issuer name and serial number as this can be discouraged or required by certain providers.
Encryption Options
- Key Type
Choose the certificate encryption algorithm to use in generating the certificate.
- Algorithm and Digest
Choose the secure digest algorithm to use in generating the certificate from those available.
- Key size
Choose from the drop-down menu the size of the key (in bits) used to generate the certificate.
Import (upload) a certificate
In this alternative, upload an existing certificate from the local workstation to the 4i Edge X.
The platform supports importing three different types of certificates:
Base64 Encoded Certificate (PEM) - This is an ASCII format using Base64 encoding. It is commonly used for SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificates and can optionally include the server certificate, intermediate certificates and private key.
Encrypted Private Key and Certificate (PKCS12) - This is an archive file format that can contain the server certificate, intermediate certificates and private key in a single, password-protected file.
DER (Binary Encoded) - This is a binary format that provides a compact file. This format can only contain the certificate and does not support storage of private keys.
When selecting one of the above formats, the form you see next varies based on your selection.
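The three containers above differ in what they can carry, and that is what an administrator needs to know before uploading a file: a PEM bundle may or may not include a private key, a PKCS12 archive always can, and DER never does. The following is an added example, not part of the 4i Edge X documentation or product code, written with only the Python standard library. It tells PEM, DER and PKCS12 apart by inspection, inventories a PEM bundle by its armor labels, and walks the DER structure of a certificate to recover the Subject fields (C, O, CN and so on) described under Certificate Attributes above. The DER samples at the bottom are constructed toy structures with the real outer layout (RFC 5280 Certificate, RFC 7292 PFX), not real certificates, and the names in them (Example Org, edge.example.com) are placeholders.

```python
import base64
import re

# One PEM block: label, base64 body. The label tells certificate from key.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Subject attribute OIDs keyed by their raw DER encoding (2.5.4.x -> 55 04 xx),
# so no OID decoder is needed to label C, ST, L, O, OU and CN.
SUBJECT_OIDS = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x07": "L",
                b"\x55\x04\x08": "ST", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}

def der_read(buf: bytes, pos: int = 0) -> tuple:
    """Return (tag, value_start, value_end) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der_children(value: bytes) -> list:
    """Split a constructed value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, start, end = der_read(value, pos)
        out.append((tag, value[start:end]))
        pos = end
    return out

def detect_container(data: bytes) -> str:
    """Classify an upload as PEM, a DER certificate, a PKCS12 archive or unknown."""
    if b"-----BEGIN " in data:
        return "PEM"
    if not data or data[0] != 0x30:                 # both binary forms start with SEQUENCE
        return "unknown"
    _, start, end = der_read(data)
    children = der_children(data[start:end])
    if not children:
        return "unknown"
    first_tag, first_value = children[0]
    if first_tag == 0x02 and first_value == b"\x03":   # PFX { version INTEGER(3), ... }
        return "PKCS12"
    if first_tag == 0x30:                              # Certificate { tbsCertificate SEQUENCE, ... }
        return "DER"
    return "unknown"

def pem_inventory(text: str) -> dict:
    """Count certificate blocks and flag private keys in a PEM bundle."""
    labels = [m.group(1) for m in PEM_BLOCK.finditer(text)]
    return {"certificates": labels.count("CERTIFICATE"),
            "private_key": any("PRIVATE KEY" in label for label in labels),
            "encrypted_key": "ENCRYPTED PRIVATE KEY" in labels}

def der_subject(cert: bytes) -> dict:
    """Walk Certificate -> tbsCertificate -> subject and return {short name: value}."""
    _, start, end = der_read(cert)
    tbs = der_children(cert[start:end])[0][1]
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        fields = fields[1:]
    subject = fields[4][1]                          # serial, sigAlg, issuer, validity, subject
    out = {}
    for _, rdn in der_children(subject):            # each RDN is a SET
        for _, atv in der_children(rdn):            # of AttributeTypeAndValue SEQUENCEs
            (_, oid), (_, value) = der_children(atv)
            out[SUBJECT_OIDS.get(oid, oid.hex())] = value.decode()
    return out

# --- constructed sample inputs: toy structures with the real outer layout ---
def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag, len(body)]) + body           # short-form length is enough here

def attr(oid: bytes, text: str) -> bytes:           # SET { SEQUENCE { OID, UTF8String } }
    return tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(0x0C, text.encode())))

SUBJECT = tlv(0x30, attr(b"\x55\x04\x06", "IT") + attr(b"\x55\x04\x0a", "Example Org")
              + attr(b"\x55\x04\x03", "edge.example.com"))
TBS = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
          + tlv(0x30, b"") + tlv(0x30, b"") + SUBJECT)   # version, serial, sigAlg, issuer, validity, subject
SAMPLE_DER_CERT = tlv(0x30, TBS + tlv(0x30, b"") + tlv(0x03, b"\x00"))
SAMPLE_PKCS12 = tlv(0x30, tlv(0x02, b"\x03") + tlv(0x30, b""))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER_CERT).decode()
              + "-----END CERTIFICATE-----\n-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
              "AAAA\n-----END ENCRYPTED PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, blob in (("DER", SAMPLE_DER_CERT), ("PKCS12", SAMPLE_PKCS12), ("PEM", SAMPLE_PEM.encode())):
        print(name, "->", detect_container(blob))
    print(pem_inventory(SAMPLE_PEM))
    print(der_subject(SAMPLE_DER_CERT))
```

The container check relies only on the first element inside the outer SEQUENCE, which is enough to separate a certificate from a PKCS12 archive without decrypting anything; the PEM inventory is what you would look at to confirm a bundle does or does not carry the private key before it leaves the workstation.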
Base64 Encoded Certificate (PEM)
- Certificate ID
The system unique identifier string for this particular certificate. This is only used internally by the certificate management engine.
- PEM File (.PEM)
By clicking on the Choose file button, a file chooser will open, in which to supply the path to the certificate to be uploaded.
Encrypted Private Key and Certificate (PKCS12)
- Certificate ID
The system unique identifier string for this particular certificate. This is only used internally by the certificate management engine.
- PKCS File (.P12)
By clicking on the Choose file button, a file chooser will open, in which to supply the path to the certificate to be uploaded.
- PKCS password
The password for the certificate, if needed. This field can be left blank if the file has no password protection. Click the eye icon on the right-hand side to show the password’s characters.
DER (Binary Encoded)
- Certificate ID
The system unique identifier string for this particular certificate. This is only used internally by the certificate management engine.
- DER File (.CRT)
By clicking on the Choose file button, a file chooser will open, in which to supply the path to the certificate to be uploaded.
Sign CSR (Certificate Signing Request)
This method requires a user to upload a CSR from the local workstation to the system. A CSR is an encrypted text file containing all necessary information to generate a new certificate, recognised by the server.
- Certificate ID
The system unique identifier string for this particular certificate. This is only used internally by the certificate management engine.
- Certificate Authority
Select an existing CA (Certificate Authority) to use for generating this certificate.
- Algorithm and Digest
Choose the secure digest algorithm to use in generating the certificate from those available.
- Duration (days)
The number of days before the certificate expires (default is 365 days or 1 year).
- CSR File (.CSR)
By clicking on the Choose file button, a file chooser will open, in which to supply the path to the CSR to be uploaded.
- Omit issuer name and serial number in authority key
Check this box to omit the issuer name and serial number as this can be discouraged or required by certain providers.
For each certificate in the list there is an options menu, represented by the 3-dot icon. The available options vary depending on whether the certificate came from an ACME provider or was imported, as opposed to certificates created by the system CA.
Options for ACME Provider / Imported Certificates
- Delete
Select this option to delete the certificate.
- Download
Select this option to download the certificate. This will bring up the certificate export window, which gives you the file format options for exporting the certificate.
Export a certificate
Here you can export a certificate from the 4i Edge X to your local workstation.
The platform supports exporting three different types of certificates:
PEM (Base64 Encoded) - This is an ASCII format using Base64 encoding. This is the most commonly used certificate file format and can include both the certificate and the private key.
PKCS12 (Cert & Key) - This is an archive file format that can contain the server certificate, intermediate certificates and private key in a single, password-protected file.
DER (Binary Encoded) - This is a binary format that provides a compact file. This format can only contain the certificate and does not support storage of private keys.
When selecting one of the above formats, the form you see next varies based on your selection.
PEM (Base64 Encoded)
- Download certificate
Click this button to download the PEM certificate file to your local workstation.
PKCS12 (Cert & Key)
- PKCS12 Export Type
Here you are presented with three different PBE (Password Based Encryption) export types to choose from, depending on your needs:
- PBESv1
An older encryption standard that is often supported by Windows systems.
- PBESv2
A modern, more secure encryption standard which is recommended when possible.
- PBESv1-legacy
A legacy standard which should only be used when required.
- Password
Enter and confirm a password for the certificate, if desired. This will encrypt the exported file in order to protect the private key from disclosure.
- Download certificate
Click this button to download the PKCS12 file to your local workstation.
DER (Binary Encoded)
- Download certificate
Click this button to download the DER certificate file to your local workstation.
Options for Certificates from System CA
- Revoke
Select this option to revoke the certificate. Usually this option is used when the private key has been, or is suspected of having been, compromised, or when the domain for which the certificate was issued is no longer operational.
When revoking a certificate you will be prompted to select a reason for the revocation, following the RFC 5280 standard. You can find more information about each of these reasons in the standard’s documentation.
- Renew
Select this option to renew the certificate. A new window will appear with the following options:
- Revoke the existing certificate and replace it with a new one
Select this option to replace the existing certificate you are renewing. If this option is not checked, you will be creating a new certificate alongside the existing one and should enter a new Certificate ID.
- Duration (Days)
The number of days before the certificate expires (default is 365 days or 1 year).
- Algorithm and Digest
Choose the secure digest algorithm to use in generating the certificate from those available (default is SHA 256).
- Download
Select this option to download the certificate. This will bring up the certificate export window, which gives you the file format options for exporting the certificate.
The export window and its PEM (Base64 Encoded), PKCS12 (Cert & Key) and DER (Binary Encoded) options are the same as those described under Options for ACME Provider / Imported Certificates above.
Certificate Authorities¶
This page allows you to manage the CAs needed to set up the whole certificate infrastructure correctly. Root and host certificates are usually generated automatically during the installation process. Additionally, you can view all of the trusted root certificate authorities by going to the Trusted root tab, where you can view and search the system trusted root store.
The list, once populated, shows essentially the same information as the Certificates page; the only differences are the Has Key column, which signifies whether the CA has a private key, and the Options menu.
Above the list, there are two options available to create or import a certificate to the system:
Import Click this button to import a certificate to the 4i Edge X, for example to integrate the system under an existing enterprise CA.
Create CA Click this button to create a new certificate. Upon clicking, the page will be replaced by a form that allows you to provide all the data necessary to generate a new certificate.
Certificate options
Create certificate
This option allows a user to create a new certificate directly on the 4i Edge X, by providing the following information. The capital letters in parentheses show the field of the certificate that will be filled by the value supplied and form the Subject of the certificate.
Note
A Root Certificate Authority is needed to create certificates, so create the Root CA before creating certificates.
- Certificate ID
The system unique identifier string for this particular certificate. This is only used internally by the certificate management engine.
- Certificate name
The common name (CN) of the certificate’s owner. This is typically the hostname or domain name used with this certificate but can be any unique identifier of the entity.
- Duration (days)
The number of days before the certificate expires (default is 365 days or 1 year).
Certificate Attributes
- Organization name
The organisation (O) to which the owner belongs.
- Organizational unit
The Organisational Unit (OU) to which the owner belongs, i.e., the company, enterprise, or institution department identified with the certificate.
- City
The city (L) in which the organisation is located.
- State or province
The state or province (ST) in which the organisation is located.
- Country
The Country (C) in which the organisation is located, chosen from those in the selection menu. By typing one or more letters, matching countries are searched for and displayed.
The e-mail address of the certificate’s owner.
- Subject Alternative Name
The alternative names for the subject, which allow a single certificate to be associated with multiple domains or resources. The available options are:
DNS. The DNS entry of the site.
IP. The IP address of the site.
Email. An email address.
The actual value for each option must be written in the textbox.
Hint
To add more alternative names, click on the + button.
Encryption Options
- Key Type
Choose the certificate encryption algorithm to use in generating the certificate.
- Algorithm and Digest
Choose the secure digest algorithm to use in generating the certificate from those available.
- Key size
Choose from the drop-down menu the size of the key (in bits) used to generate the certificate.
Import (upload) a certificate
The import form, with its Base64 Encoded Certificate (PEM), Encrypted Private Key and Certificate (PKCS12) and DER (Binary Encoded) options, is the same as the one described under Import (upload) a certificate in the Certificates section above.
For each CA certificate in the list there is an options menu, represented by the 3-dot icon. The available options are the same for every CA certificate.
Options for CA Certificates
- Delete
Select this option to delete the certificate.
- Download
Select this option to download the certificate. This will bring up the certificate export window, which gives you the file format options for exporting the certificate.
Export a CA certificate
Here you can export a CA certificate from the 4i Edge X to your local workstation.
The platform supports exporting the following certificate formats:
PEM (Base64 Encoded) - This is an ASCII format using Base64 encoding. This is the most commonly used certificate file format and can include both the certificate and the private key.
DER (Binary Encoded) - This is a binary format that provides a compact file. This format can only contain the certificate and does not support storage of private keys.
When selecting one of the above formats, the form you see next varies based on your selection.
PEM (Base64 Encoded)
- Download certificate
Click this button to download the PEM certificate file to your local workstation.
DER (Binary Encoded)
- Download certificate
Click this button to download the DER certificate file to your local workstation.
Certificate Revocation Lists¶
In this page you can manage all the Certificate Revocation Lists (CRLs) that have been uploaded.
The table shows all the Certificate Revocation Lists; for each item in the table, the name of the certificate, the issuer, the issued date, and the available actions are shown.
It is possible to upload a Certificate Revocation List by clicking on the Import list button. You can then enter a string for the CRL ID, click Choose file to browse for the list on the local workstation, and then select the Import list button to finalise the process.
Enrollment Requests¶
In this page, you can create enrollment requests for the supported providers of the ACME (Automated Certificate Management Environment) protocol. By leveraging ACME, organizations can streamline and automate the otherwise time-consuming processes of obtaining and renewing certificates.
ACME is primarily used to obtain domain validated (DV) certificates. This is because DV certificates do not require advanced verification. Only the existence of the domain is validated, which requires no human intervention. This is typically done through either an HTTP-based or DNS-based challenge mechanism.
HTTP challenge
For an HTTP-based challenge, the 4i Edge X will automatically place a challenge file on the local system web server for the requested domain, which is then validated by the ACME service in order to issue the certificate. The following requirements must be met in order to use this challenge mechanism:
Requirements
The user must have ownership of the requested domain
The 4i Edge X must have a public IP assigned and a hostname in DNS (FQDN) that resolves to the public IP address.
The 4i Edge X should be publicly accessible via HTTP (TCP port 80) and there should be no port forwarding for HTTP (TCP port 80) on the public IP address during the enrollment period.
Note
HTTP (TCP port 80) availability need only be enabled temporarily during the enrollment and challenge period. This means any port forwarding or other interfering services can be disabled during this time window and re-enabled afterwards.
DNS challenge
For a DNS-based challenge, the 4i Edge X will automatically create a specific DNS record on the requested domain using a supported DNS provider API. Once the record has propagated, it can then be validated by the ACME service in order to issue the certificate.
Requirements
The user must have ownership of the requested domain which should be hosted on a supported DNS provider
The user must have an account with API access on a supported DNS provider
The supported DNS providers are Hetzner, Scaleway, Azure, AWS and Cloudflare.
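The two challenge types above differ only in where the proof of control is published and what exactly is published there, which is why the HTTP variant needs port 80 reachable on the FQDN and the DNS variant needs API access to the zone. The following is an added example, not part of the 4i Edge X documentation or product code, that computes both sides of the exchange from the standard definitions (RFC 8555 key authorization, RFC 7638 JWK thumbprint) using only the Python standard library: the challenge file body the local web server must return at `/.well-known/acme-challenge/<token>` for HTTP-01, the TXT record name and value the DNS provider must publish for DNS-01, and the check the ACME service performs on each. The account key, token and domain (`edge.example.com`) are constructed placeholders, not real ACME material.

```python
import base64
import hashlib
import json

# Constructed placeholder account key: an EC P-256 public JWK whose x/y are
# arbitrary bytes, not a real key. Only the shape matters for the thumbprint.
ACCOUNT_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": base64.urlsafe_b64encode(bytes(range(32))).rstrip(b"=").decode(),
    "y": base64.urlsafe_b64encode(bytes(range(32, 64))).rstrip(b"=").decode(),
    "kid": "https://acme.example/acct/1",   # extra member, ignored by the thumbprint
}
TOKEN = "DGyRejmCefe7v4NfDGDKfA"           # constructed challenge token (base64url)

def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required public members,
    sorted lexicographically and serialised without whitespace, so member
    order and extras such as "kid" in the input do not change the result."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def http01_resource(domain: str, token: str, jwk: dict) -> tuple:
    """HTTP-01: the URL the CA fetches on port 80 of the FQDN and the exact
    body the local web server must return for it."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return url, key_authorization(token, jwk)

def dns01_value(token: str, jwk: dict) -> str:
    """DNS-01 publishes base64url(SHA-256(key authorization)), never the
    key authorization itself."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode()).digest())

def dns01_record(domain: str, token: str, jwk: dict) -> tuple:
    """DNS-01: the TXT record name and value the DNS provider API must publish."""
    return f"_acme-challenge.{domain}", dns01_value(token, jwk)

def ca_validates_http01(served_body: str, token: str, jwk: dict) -> bool:
    """The CA's check on the fetched file; RFC 8555 says trailing whitespace
    is to be ignored, so a body with a final newline still passes."""
    return served_body.rstrip() == key_authorization(token, jwk)

def ca_validates_dns01(txt_values: list, token: str, jwk: dict) -> bool:
    """The CA's check on the TXT RRset; any one matching record suffices."""
    return dns01_value(token, jwk) in txt_values

if __name__ == "__main__":
    url, body = http01_resource("edge.example.com", TOKEN, ACCOUNT_JWK)
    name, value = dns01_record("edge.example.com", TOKEN, ACCOUNT_JWK)
    print("HTTP-01: serve", repr(body), "at", url)
    print("DNS-01: TXT", name, "=", value)
```

The point worth noticing is that both values are bound to the account key through the thumbprint: a challenge file or TXT record copied from another ACME account does not validate, and the DNS value is a hash of the key authorization rather than the key authorization itself, so nothing published in DNS can be replayed into an HTTP-01 response.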
To create a new ACME certificate, click the New order button to bring up the enrollment form with the following fields:
- Certificate ID
The system unique identifier string for this particular certificate. This is only used internally by the certificate management engine.
- Server
Choose the ACME provider you wish to use to generate and manage the certificate. The currently supported providers are Let’s Encrypt and ZeroSSL.
Enter the email address used with your ACME provider.
- Challenge
Choose the challenge mechanism you wish to use to validate the domain. There are two options to choose from:
- HTTP
Use an HTTP-based challenge to validate the domain (see above for details)
- DNS
Use a DNS-based challenge to validate the domain. When using this, you will be prompted to select your supported DNS provider (see below).
- Domains
Enter your domain(s) here to use for your certificate enrollment request.
- DNS Provider
Based on your selected provider, you will then need to complete one or more fields in order to facilitate the connection from the 4i Edge X to the DNS provider. You can typically find this provider information in your account or API settings.