Certificates
- Updated on 06 Jun 2025
Certificates are used to control which gateway clusters can connect to Gateway Manager and the Itential Platform. To enable this connection, you must upload a certificate that represents the host machine endpoint of your gateway server(s).
Generating Gateway Manager certificates
Gateway Manager supports self-signed certificates, CA-issued certificates, and CA-issued wildcard certificates.
To generate self-signed certificates that establish secure communication between your gateway cluster and Gateway Manager, you can run the following example OpenSSL command on the Linux server where you installed your gateway server:
openssl req -x509 -newkey rsa:4096 \
-keyout /etc/gateway/certificates/gw-manager-key.pem \
-out /etc/gateway/certificates/gw-manager.pem \
-days 1825 -nodes \
-subj "/CN=$(hostname)" \
-addext "basicConstraints=CA:FALSE" \
-addext "keyUsage=digitalSignature,keyEncipherment" \
-addext "extendedKeyUsage=serverAuth"
This command generates a private key file and certificate file at the following locations:
/etc/gateway/certificates/gw-manager-key.pem
/etc/gateway/certificates/gw-manager.pem
You can also provide your own certificates. For example, you might choose to obtain certificates from a trusted certificate authority for production environments.
To provide your own Gateway Manager certificates, specify the certificate file and private key file with the following configuration variables:
- GATEWAY_CONNECT_CERTIFICATE_FILE
  - The default location for this value is /etc/gateway/certificates/gw-manager.pem
- GATEWAY_CONNECT_PRIVATE_KEY_FILE
  - The default location for this value is /etc/gateway/certificates/gw-manager-key.pem
For information on generating certificates for secure node-to-node communication within your gateway cluster, see Gateway cluster TLS.
Uploading certificates
The Itential Platform must be able to recognize and trust your certificate before your gateway can establish a secure connection. Upload your certificate to Gateway Manager to establish this trust relationship between your Gateway and the Platform.
- Open Itential Platform in your browser
- Navigate to the Gateway Manager app
- Navigate to the Certificates tab
- Click Upload Certificate
- Upload your certificate
- Click Add Certificate
Troubleshooting
Gateway Manager validates your certificate when you upload it:
- Valid: If your certificate is valid, the certificate details are displayed and you can accept the certificate by selecting Add Certificate.
- Invalid: If your certificate is invalid, the certificate details cannot be displayed and the uploaded certificate is marked as Invalid. A certificate might be marked as invalid if it is expired or self-signed. You can still choose to accept and trust an invalid certificate.
- Malformed: If your certificate is rejected, the certificate is likely malformed. For example, Gateway Manager might flag your certificate as malformed if the Subject Alternative Name (SAN) in the certificate does not match the host it represents.
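A local pre-upload check for the conditions listed above, as an added example that is not Itential's code and does not reproduce Gateway Manager's own validation. The function name `cert_findings`, the script name `precheck.sh`, and the finding labels are made up for this example; it assumes OpenSSL 1.1.1 or later on a Linux host.

```shell
#!/bin/sh
# Added example (not Itential code): local checks to run before uploading a
# certificate. Requires OpenSSL 1.1.1 or later on a Linux host.

# cert_findings CERT KEY HOST
# Prints one finding per line; prints nothing when every check passes.
cert_findings() {
    cf_cert=$1; cf_key=$2; cf_host=$3

    # Not a parseable PEM certificate: nothing else can be checked.
    if ! openssl x509 -in "$cf_cert" -noout 2>/dev/null; then
        echo "UNPARSEABLE"; return 0
    fi

    # notAfter is already in the past.
    openssl x509 -in "$cf_cert" -noout -checkend 0 >/dev/null 2>&1 || echo "EXPIRED"

    # Subject equals issuer, as with the page's `req -x509` command.
    cf_subj=$(openssl x509 -in "$cf_cert" -noout -subject | sed 's/^subject= *//')
    cf_iss=$(openssl x509 -in "$cf_cert" -noout -issuer | sed 's/^issuer= *//')
    [ "$cf_subj" = "$cf_iss" ] && echo "SELF_SIGNED"

    # No Subject Alternative Name extension present at all.
    openssl x509 -in "$cf_cert" -noout -text |
        grep -q "Subject Alternative Name" || echo "NO_SAN"

    # HOST is not covered (OpenSSL uses SAN DNS names, or the CN if there are none).
    openssl x509 -in "$cf_cert" -noout -checkhost "$cf_host" |
        grep -q "does match" || echo "HOST_MISMATCH"

    # The private key must pair with the certificate's public key.
    cf_cpub=$(openssl x509 -in "$cf_cert" -noout -pubkey | openssl sha256)
    cf_kpub=$(openssl pkey -in "$cf_key" -pubout 2>/dev/null | openssl sha256)
    [ "$cf_cpub" = "$cf_kpub" ] || echo "KEY_MISMATCH"

    # -nodes leaves the key unencrypted, so group/other read access exposes it.
    [ -n "$(find "$cf_key" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ] &&
        echo "KEY_READABLE_BY_OTHERS"
    return 0
}

# Usage: sh precheck.sh CERT KEY HOST
if [ $# -ge 3 ]; then
    cert_findings "$1" "$2" "$3"
fi
```

With a stock openssl.cnf, a certificate generated by the example command on this page carries no SAN extension, so it reports NO_SAN along with SELF_SIGNED.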
Managing certificates
The Certificates tab in Gateway Manager lists all of your certificates and displays the basic properties of the certificate:
- Certificate Alias
- Host
- Issuance
  - Valid values: Self-Signed | CA-Issued | CA-Issued-Wildcard
- The date that the certificate will expire
- The certificate status
  - Valid values: Valid | Invalid
  - A certificate might be marked as invalid if it is expired or self-signed. You can still choose to accept and trust an invalid certificate.
View certificates
To view the details for a certificate uploaded to Gateway Manager:
- Open Itential Platform in your browser.
- Select Gateway Manager from the Administration collection in the left-side navigation menu.
- Navigate to the Certificates tab in Gateway Manager.
- Select the certificate that you want to view from the list of certificates.
The details dropdown for each certificate displays the certificate Host and Issuer. You can also view, download, or delete the certificate from the details dropdown.