Skip to main content

SSL certificate handling

This topic provides information about the administration of certificates that can be used with the SSL security protocol.

You can use SSL with a self-signed certificate or with a certificate that is signed by a third-party certificate authority. Using a self-signed certificate is the simplest method for using SSL; but, it does create a small security risk. The risk arises because the SSL client has no way of validating the identity of the SSL server for the first connection that is attempted between the client and server. For example, it is possible that a third party might impersonate the XClarity Controller web server and intercept data that is flowing between the actual XClarity Controller web server and the user’s web browser. If, at the time of the initial connection between the browser and the XClarity Controller, the self-signed certificate is imported into the certificate store of the browser, all future communications will be secure for that browser (assuming that the initial connection was not compromised by an attack).

For more complete security, you can use a certificate that is signed by a certificate authority (CA). To obtain a signed certificate, you will need to select Generate Certificate Signing Request (CSR). Select Download Certificate Signing Request (CSR) and send the Certificate-Signing Request (CSR) to a CA to obtain a signed certificate. When the signed certificate is received, select Import Signed Certificate to import it into the XClarity Controller.

The function of the CA is to verify the identity of the XClarity Controller. A certificate contains digital signatures for the CA and the XClarity Controller. If a well-known CA issues the certificate or if the certificate of the CA has already been imported into the web browser, the browser can validate the certificate and positively identify the XClarity Controller web server.

The XClarity Controller requires a certificate for use with HTTPS Server, CIM over HTTPS, and the secure LDAP client. In addition the secure LDAP client also requires one or more trusted certificates to be imported. The trusted certificate is used by the secure LDAP client to positively identify the LDAP server. The trusted certificate is the certificate of the CA that signed the certificate of the LDAP server. If the LDAP server uses self-signed certificates, the trusted certificate can be the certificate of the LDAP server itself. Additional trusted certificates must be imported if more than one LDAP server is used in your configuration.