X.509 Certificates Management Infrastructure
Sentinet provides an X.509 certificate management infrastructure with two distinct and independent features:
Sentinet can be used as a trusted Certificate Authority that issues other certificates used by Sentinet Nodes, business services and business service consumers.
Sentinet can monitor all certificates used by Sentinet that are about to expire and alert administrators before they do.
Certificate Authority
During initial installation and configuration of the Sentinet Repository Web Application, it is configured with a self-signed X.509 certificate that can issue other X.509 certificates (see the Sentinet Installation Guide on how to generate and configure the Sentinet Signing certificate). Use of this feature is entirely optional and complementary to the use of well-known, industry-standard Certificate Authorities (CAs). It enables administrators to operate Sentinet in an explicitly trusted X.509 certificate realm, where some or all of the certificates used by business services and consumers are required to be signed by the organization's own signing certificate, so that trust is anchored in that certificate rather than in a public CA. Every certificate issued this way is only as trustworthy as the signing certificate's private key, which should therefore be protected like any other CA key. In addition to the cost savings of not issuing certificates through commercial CAs, developers benefit from immediate issuance of unlimited test certificates for their development and test environments, where issued certificates are guaranteed to be valid and trusted by Sentinet and its managed services.
There are two distinct processes that can use Sentinet as a Certificate Authority:
The Sentinet Node registration process that always requires an X.509 certificate to be assigned to a Sentinet Node. (See the Sentinet Installation Guide for more details on how to generate and configure Sentinet Nodes with the certificate issued by a Sentinet Repository Application.)
Issuance of an X.509 certificate using the Sentinet Administrative Console for any generic purpose such as using a certificate with business services, virtual services or with consumer applications.
Select the Repository root element, click the CONFIGURATION tab and then the CERTIFICATES sub-tab.
Repository Signing X.509 Certificate
View details of the Repository Signing (CA) certificate. Click the Save button to export the certificate's public part to an external base-64 .CER file; the file contains no private key and can be distributed freely. Applications that need the Repository Signing certificate in their trust chain (for example, to validate certificates issued by Sentinet) install this public certificate as a trusted root.
Generate X.509 Certificates
Click the Generate New Certificate button to generate a certificate issued by the Sentinet Repository Application. Provide the Certificate Signing Request information and a password for the generated certificate's PFX file (PKCS #12), a standard container format that holds the certificate together with its private key and is protected by the password. The generated certificate is valid from the time of generation for the number of days entered in the Valid Days field.
Note
The Sentinet Repository Web Application may cap the requested Valid Days value according to the global limit set by the expirationMonths attribute of the certificateAuthority element in the Repository Application's web.config file (the keySize attribute of the same element sets the key length of generated certificates, 2048 bits in this example):
<nevatech.vsb.repository>
<security requireHttps="true" httpsRedirectHost=" contoso.com" httpsRedirectPort="-1">
<certificateAuthority keySize="2048" expirationMonths="24">
…
The Repository Web Application generates the certificate and delivers it to the Sentinet Administrative Console, where a Sentinet administrator can save it to an external password-protected PFX file. Because the PFX contains the certificate's private key, treat the file and its password as secrets, not as public material like the exported .CER.
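The following POSIX shell script is an added example, not Sentinet's own tooling or code. It stands in for the Sentinet Repository Signing certificate with a locally generated CA (the subject names, service names, passwords and the 30-days-per-month approximation of expirationMonths are all assumptions) so that the checks a consumer or administrator would run on an exported .CER and an issued PFX can be exercised offline with openssl: that a PFX received from Sentinet chains to the exported Repository Signing certificate and to nothing else, whether it falls inside an expiry-alert window, and whether its validity outlives a configured expirationMonths limit.

```shell
#!/bin/sh
# Added example, not Sentinet tooling: a local stand-in for the Sentinet Repository
# Signing certificate, so that checks on an exported .CER and an issued PFX can be
# run offline with openssl. Subject names, service names and passwords are assumed.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the Repository Signing (CA) certificate (subject name is assumed).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=Sentinet Repository Signing (example)" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
# An unrelated CA, used only to show that verification is bound to one issuer.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=Some Other CA (example)" \
  -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null

# What the console's Save button exports: the public part only, base-64 (PEM) encoded.
openssl x509 -in "$WORK/ca.pem" -out "$WORK/SentinetSigning.cer"
openssl x509 -in "$WORK/other.pem" -out "$WORK/OtherCA.cer"

# issue_pfx NAME DAYS PASSWORD: issue a certificate signed by the stand-in CA, valid
# for DAYS from now, and print the path of a password-protected PFX (PKCS #12) that
# holds the certificate, its private key and the issuing CA certificate.
issue_pfx() {
  name=$1; days=$2; pw=$3
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days "$days" -sha256 -out "$WORK/$name.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/$name.key" -in "$WORK/$name.pem" \
    -certfile "$WORK/ca.pem" -passout "pass:$pw" -out "$WORK/$name.pfx" 2>/dev/null
  printf '%s\n' "$WORK/$name.pfx"
}

# pfx_cert PFX PASSWORD: print the end-entity certificate from a PFX (no key material).
# Fails, printing nothing, when the password is wrong.
pfx_cert() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null
}

# chain_ok PFX PASSWORD CER: succeed only if the certificate chains to the exported
# signing certificate; the system trust store is deliberately excluded so that
# trust is anchored in the .CER alone (the "explicitly trusted realm").
chain_ok() {
  cert=$(pfx_cert "$1" "$2") && [ -n "$cert" ] || return 2
  printf '%s\n' "$cert" | openssl verify -no-CAfile -no-CApath -CAfile "$3" >/dev/null 2>&1
}

# expiring_within PFX PASSWORD DAYS: succeed if the certificate expires within DAYS,
# the condition an expiry alert would fire on. openssl's -checkend returns 0 when
# the certificate will still be valid after the given number of seconds.
expiring_within() {
  cert=$(pfx_cert "$1" "$2") && [ -n "$cert" ] || return 2
  if printf '%s\n' "$cert" | openssl x509 -noout -checkend $(( $3 * 86400 )) >/dev/null 2>&1
  then return 1; else return 0; fi
}

# exceeds_policy PFX PASSWORD MONTHS: succeed if the certificate is still valid beyond
# MONTHS from now, i.e. it outlives an expirationMonths limit. Months are approximated
# as 30 days here; the real cap is applied by the Repository when it issues.
exceeds_policy() {
  cert=$(pfx_cert "$1" "$2") && [ -n "$cert" ] || return 2
  printf '%s\n' "$cert" | openssl x509 -noout -checkend $(( $3 * 30 * 86400 )) >/dev/null 2>&1
}

# Demo: a 30-day business service certificate, as a developer might request for testing.
PFX=$(issue_pfx orders-service 30 'Demo-Pfx-Pass')
chain_ok "$PFX" 'Demo-Pfx-Pass' "$WORK/SentinetSigning.cer" && echo "chain: trusted via Sentinet Signing"
chain_ok "$PFX" 'Demo-Pfx-Pass' "$WORK/OtherCA.cer" || echo "chain: rejected against an unrelated CA"
expiring_within "$PFX" 'Demo-Pfx-Pass' 45 && echo "alert: expires within 45 days"
exceeds_policy "$PFX" 'Demo-Pfx-Pass' 24 || echo "policy: within a 24-month limit"
```

The -no-CAfile -no-CApath switches are the important part of chain_ok: without them openssl also consults the system trust store, and a certificate from any public CA would pass a check that is supposed to accept only certificates signed by the organization's Repository Signing certificate.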