Updated on 2022-04-02 GMT+08:00

Configuring TLS

Context

  • TLS is designed to ensure data confidentiality and integrity between two communication application programs.
  • In the multi-tenant deployment scenario, you need to contact the system administrator to configure the TLS certificate.

Procedure

  1. Choose System > About > Certificate Authority Service from the main menu.
  2. Choose Global Configuration > TLS Configuration from the navigation tree on the left.
  3. Click Certificate Configuration. On the page that is displayed, set the required parameters.

    For detailed parameter descriptions, see Table 1.

    Table 1 TLS certificate parameters

    Trust certificate chain

      Parameter: Trust certificate chain

      Description: Used by the server to check whether the client certificate is trusted during communication.

      Value:
        • The trust certificate chain file to be uploaded must be in .pem, .cer, or .crt format.
        • The certificate to be uploaded must be a complete certificate chain. A maximum of 16 files can be uploaded, and each file uploaded at a time cannot exceed 100 KB.
        • The certificate file name is a string of 1 to 256 characters containing Chinese characters, digits, letters, underscores (_), hyphens (-), spaces, dots (.), and round brackets. It cannot start with a dot (.) or a space.

    Identity certificate

      Parameter: Application protocol

      Description: The CMP or privacy CA protocol can be used for the identity certificate. Each application protocol corresponds to only one identity certificate.

      Value: N/A

      Parameter: Identity certificate

      Description: Identity certificate of the server, which the client verifies to determine whether the server is trusted during communication.

      Value:
        • The identity certificate file to be uploaded must be in .p12 format. Only one file can be uploaded, and the file size cannot exceed 20 KB.
        • The certificate file name is a string of 1 to 256 characters containing Chinese characters, digits, letters, underscores (_), hyphens (-), spaces, dots (.), and round brackets. It cannot start with a dot (.) or a space.

      Parameter: Certificate password

      Description: Password set for the certificate during certificate application. The password is contained in the .p12 file, and you must enter it when uploading the certificate file.

      Value: N/A

      Parameter: Upload certificate chain

      Description: Upload the corresponding certificate chain. You can select multiple files. For example, if a level-3 CA certificate is imported, upload the corresponding level-1 and level-2 CA certificates.

      Value:
        • The identity certificate chain file to be uploaded must be a .cer, .crt, or .pem file smaller than 100 KB. A maximum of 10 files can be uploaded.
        • The certificate file name is a string of 1 to 256 characters containing Chinese characters, digits, letters, underscores (_), hyphens (-), spaces, dots (.), and round brackets. It cannot start with a dot (.) or a space.

    If a TLS identity certificate already exists, a dialog box is displayed when you select Identity Certificate or change the application protocol.

    • If you click OK, the current identity certificate is replaced. If an identity certificate issued by another CA is uploaded, the trust certificate on the device must be updated accordingly. Otherwise, the TLS connection between the device and the Certificate Authority Service cannot be established.

    • If you click Cancel, the identity certificate is not replaced.

  4. Upload the trust certificate chain or identity certificate and click Submit.

    When one-way TLS is selected, you only need to upload the identity certificate. When two-way TLS is selected, you need to upload both the trust certificate chain and identity certificate.

Follow-up Procedure

Restarting the Certificate Authority Service

After the TLS certificate is uploaded or deleted, restart HiSecLiteCA on the PowerEcho for the TLS configuration to take effect. For detailed operations, see "Stopping Product Services" and "Starting Product Services" in the Administrator Guide.

Related Tasks

  • Viewing a TLS certificate

    On the Global Configuration > TLS Configuration page, click the SN of the TLS certificate to view the certificate details.

  • Deleting a TLS certificate

    On the Global Configuration > TLS Configuration page, click Delete on the right of the TLS certificate to delete the TLS certificate.

  • Importing a CRL

    On the Global Configuration > TLS Configuration page, click Import CRL on the right of the TLS certificate to upload the CRL of the trusted certificate chain for checking whether the peer server certificate is revoked.

    The CRL file to be uploaded must be in .crl or .pem format and the file size cannot exceed 2 MB.

  • Uploading a TLS certificate chain

    On the Global Configuration > TLS Configuration page, click Upload Certificate Chain on the right of the TLS certificate to upload the certificate chain file. You can perform this operation only for TLS identity certificates that are not configured with a certificate chain.
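Before uploading the files from the "Configuring TLS" procedure and the "Importing a CRL" task, it is worth checking locally that the .p12 opens with the password you will enter, that the CA files you upload as the chain really form a complete path to the root, and that each file meets the stated format and size limits, so that a failed upload or a failed TLS handshake is caught beforehand. The following shell functions are an added example and not part of the product or its documentation; they assume the openssl command-line tool is on PATH, and the function names are my own.

```shell
# Added example (not product code): preflight checks for the TLS files uploaded
# through the UI. Assumes the openssl CLI is on PATH; function names are mine.
MAX_CHAIN_FILE=$((100 * 1024))   # per trust/identity chain file (documented limit)
MAX_P12=$((20 * 1024))           # identity certificate .p12 (documented limit)
MAX_CRL=$((2 * 1024 * 1024))     # CRL file (documented limit)

# size_ok FILE MAX -> true when FILE is at most MAX bytes
size_ok() { [ "$(wc -c < "$1" | tr -d ' ')" -le "$2" ]; }

# ext_ok FILE EXT... -> true when FILE ends in one of the given extensions
ext_ok() {
  f=$1; shift
  for e in "$@"; do case $f in *."$e") return 0 ;; esac; done
  return 1
}

# p12_ok FILE PASSWORD -> the identity .p12 opens with the password that will be
# typed into "Certificate password"; a wrong password fails the MAC check here
# instead of at upload time.
p12_ok() {
  ext_ok "$1" p12 && size_ok "$1" "$MAX_P12" &&
  openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# chain_ok P12 PASSWORD ROOT_PEM [INTERMEDIATE_PEM...] -> the CA files that will
# be uploaded as the certificate chain (e.g. level-1 and level-2 CAs for a
# certificate issued by a level-3 CA) form a complete path from the identity
# certificate up to ROOT_PEM, and each file meets the chain-upload rules.
chain_ok() {
  p12=$1; pw=$2; root=$3; shift 3
  for ca in "$root" "$@"; do
    ext_ok "$ca" pem cer crt && size_ok "$ca" "$MAX_CHAIN_FILE" || return 1
  done
  leaf=$(mktemp); inter=$(mktemp); rc=1
  # Bundle the intermediates (if any) and pass them as untrusted certificates.
  if [ $# -gt 0 ]; then cat "$@" > "$inter"; set -- -untrusted "$inter"; fi
  if openssl pkcs12 -in "$p12" -passin "pass:$pw" -nokeys -clcerts -out "$leaf" >/dev/null 2>&1 &&
     openssl verify -CAfile "$root" "$@" "$leaf" >/dev/null 2>&1; then
    rc=0
  fi
  rm -f "$leaf" "$inter"
  return $rc
}

# crl_ok FILE -> the CRL parses as PEM or DER and is within the size limit.
crl_ok() {
  ext_ok "$1" crl pem && size_ok "$1" "$MAX_CRL" &&
  { openssl crl -in "$1" -noout >/dev/null 2>&1 ||
    openssl crl -in "$1" -inform DER -noout >/dev/null 2>&1; }
}
```

A failing chain_ok with only the root given, but success once the issuing intermediate is added, is exactly the "incomplete chain" case the upload dialog cannot diagnose for you.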