
Certificates/Key Material

The Certificates/Key Material tab lets you configure TLS/SSL certificates for SSL Termination by DSG.

This tab displays key material and other files in three different subtabs.

The Certificates/Key Material tab and subtabs are illustrated in the following figure.

Certificates/Key Material tab

The following table describes the callouts in the figure:

Callout | Column/Textbox | Description
1 | Certificates | View self-generated or trusted certificates.
2 | Keys | View keys paired with certificates and unpaired keys.
3 | Other Files | View other files, such as GPG data.
4 | Upload | Upload a certificate, key, or other file.

The following subtabs are available:

  • Certificates

  • Keys

  • Other Files

1 - Certificates Subtab

The Certificates subtab lists the certificates available in DSG: those created when DSG was installed and those uploaded afterwards.

For each certificate, the subtab also shows its paired key, its validity period, and the date it was last modified.

A certificate that has a paired key is marked with the paired icon, which indicates that the certificate is ready to use. A certificate or key without a pairing is marked with the unpaired icon, and an expired certificate or key is marked with the expired icon. Files in the Other Files subtab always carry the same fixed icon, regardless of pairing or expiry.

The Cloud Gateway Certificate Expiration Check scheduled task is created by default and raises an alert for every certificate that expires within the next 30 days.

Before you regenerate any expired default certificate, review the best practices for certificates and keys.

The Certificates subtab is shown in the following figure.

Certificates Subtab

The following table describes the available options:

Callout | Option | Description
1 | Information | View certificate details.
2 | Download | Download a certificate.
3 | Delete | Delete a certificate.

2 - Delete Certificates and Keys

Use this option to delete an existing certificate, key, or other file.

Click the Delete option in the Certificates/Key Material tab.

The Delete Certificate screen is shown in the following figure:

Delete Certificate

The following table describes the available options:

Callout | Column/Textbox/Button | Description
1 | Cancel | Cancel the deletion and keep the file.
2 | Delete | Delete the certificate, key, or other file.

3 - Keys Subtab

The Keys subtab displays keys that are paired with a certificate and keys that are no longer paired with any certificate.

Keys cannot be downloaded. You can view a key's details with the Information option or delete it with the Delete option.

Files with the extensions .crt, .csr, .key, .gpg, .pub, and .pem can be uploaded. If a private key has no extension, clicking Deploy to All Nodes sets its permissions to 755 (rwxr-xr-x), which makes the key readable by every account on the node. To keep the key restricted, give the file the .key extension before you upload it.

A private key uploaded to DSG can be either encrypted or unencrypted. DSG is designed to keep every key in its ecosystem in encrypted form: when you upload an unencrypted private key, you are offered the option to encrypt it, and if you accept, DSG prompts for a password and encrypts the key with it before storing it.

Encrypt any unencrypted private key before you upload it to DSG, and for optimum security use RSA keys of at least 3072 bits.

4 - Other Files Subtab

The Other Files subtab displays files that do not belong in the Certificates or Keys subtabs: files uploaded to support GPG encryption and decryption, files generated when DSG was installed, default files, and so on.

Other Files Subtab

The following table describes the available options:

Callout | Option | Description
1 | Information | View file details.
2 | Download | Download a file.
3 | Delete | Delete a file.

5 - Upload Certificate/Keys

Certificates and their paired keys can be uploaded to DSG.

Click Upload in the Certificates/Key Material tab to open the Upload Certificate/Key screen.

On this screen you upload either a certificate or a key, one file at a time. When you upload a certificate, no password field appears.

When you upload a key: click Choose File and select the key file, click Upload Certificate, enter the password, and then click Upload Certificate again.

Upload certificates and keys on the ESA rather than on an individual DSG node. If you upload a certificate directly to a DSG node and then deploy the configuration from the ESA, the configuration pushed by the ESA overwrites the changes made on the node.

Note: The passphrase of any key uploaded through the DSG Web UI must be at least 8 characters long.

If the key you upload is an encrypted private key, you must enter its password.

If the key you upload is an unencrypted private key, you are offered the option to encrypt it. If you select the option, you must provide a password, which DSG uses to encrypt the private key before storing it internally.

The following figure illustrates the Upload Certificate/Key screen.

The following table describes the available options:

Callout | Column/Textbox/Button | Description | Notes
1 | Choose File | Select the certificate or key file to upload. | Only one file can be uploaded at a time. Upload the certificate file first, then its paired .key file. Unpaired keys or certificates are not displayed on the Certificates screen.
2* | Do you want to encrypt the private key | Select the check box to encrypt an unencrypted private key. If you clear the check box, the private key is uploaded without encryption. | Encrypt any unencrypted private key when you upload it to DSG.
3* | Password | Enter the password of an encrypted private key. For an unencrypted private key, enter the password that DSG will use to encrypt it. | DSG supports only ASCII passwords for keys. If your private key is encrypted with a password that contains other characters, change it to an ASCII password before uploading.
4* | Confirm Password | Re-enter the password. |
5 | Upload Certificate | Upload the certificate or .key file. | If you upload a private key without an extension, append the .key extension to the file first.

* Appears only when a key is uploaded.
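The following script is an added example; it is not part of the DSG documentation or product. It prepares a certificate and key to the rules given on this page (an RSA key of at least 3072 bits, stored only in encrypted form, saved with the .key extension and owner-only permissions, and an ASCII passphrase of at least 8 characters) and checks locally what DSG checks after the upload: that the certificate and key pair, and whether the certificate expires within the 30-day window watched by the Cloud Gateway Certificate Expiration Check task. It assumes OpenSSL 1.1.1 or later is installed; the working directory, file names, subject name and passphrase are constructed for the example, and the self-signed certificate stands in for one issued by your CA.

```shell
#!/bin/sh
# Added example, not part of the DSG documentation or the product: prepare TLS key
# material that meets the recommendations on this page before uploading it through the
# Certificates/Key Material tab. Assumes OpenSSL 1.1.1 or later. The directory, file
# names, subject name and passphrase below are constructed for the example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
PASSPHRASE="${PASSPHRASE:-dsg-example-pass-2024}"   # constructed; ASCII, 8+ characters

# Reject what the upload screen rejects: a passphrase shorter than 8 characters or one
# containing a non-ASCII character. LC_ALL=C makes the class byte-based, so any UTF-8
# continuation byte falls outside the printable-ASCII range and fails the test.
check_passphrase() {
    if [ "${#1}" -lt 8 ]; then return 1; fi
    if printf '%s' "$1" | LC_ALL=C grep -q '[^ -~]'; then return 1; fi
    return 0
}

# Generate a 3072-bit RSA key encrypted with AES-256, written with the .key extension so
# it is never stored in clear and DSG keeps it from becoming world-readable on deploy.
gen_key() {   # gen_key OUT
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
        -aes-256-cbc -pass "pass:$PASSPHRASE" -out "$1" 2>/dev/null
    chmod 600 "$1"
}

# An encrypted PKCS#8 key (what genpkey writes) carries the ENCRYPTED PRIVATE KEY header;
# a legacy "BEGIN RSA PRIVATE KEY" file is encrypted only if it has a Proc-Type line.
key_is_encrypted() {
    grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$1"
}

# Key length in bits, read from the key itself rather than trusted from the file name.
key_bits() {
    openssl pkey -in "$1" -passin "pass:$PASSPHRASE" -noout -text \
        | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p' | head -n 1
}

# Self-signed certificate so the example runs offline; in practice submit a CSR
# (openssl req -new, without -x509) to your CA and upload the certificate it returns.
gen_cert() {   # gen_cert KEY OUT DAYS
    openssl req -new -x509 -key "$1" -passin "pass:$PASSPHRASE" -days "$3" \
        -subj "/CN=dsg.example.test" -out "$2" 2>/dev/null
}

# DSG pairs a certificate with a key by public key; a certificate uploaded without its
# key (or with a different key) stays unpaired and is not ready to use. Same test, locally.
pair_matches() {   # pair_matches CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -passin "pass:$PASSPHRASE" -pubout | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# The test the Cloud Gateway Certificate Expiration Check task applies: returns 0 if the
# certificate is still valid DAYS from now, 1 if it expires within that window.
valid_for_days() {   # valid_for_days CERT DAYS
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# A private key must be owner-only. Mode 755, which DSG applies to an extension-less key
# on Deploy to All Nodes, is readable by every local account and fails this check.
mode_is_owner_only() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Produce a key/certificate pair in WORKDIR and run every check; prints a one-line verdict.
run_demo() {
    KEY="$WORKDIR/dsg-tls.key"; CERT="$WORKDIR/dsg-tls.crt"
    check_passphrase "$PASSPHRASE" || { echo "passphrase rejected"; return 1; }
    gen_key "$KEY"
    gen_cert "$KEY" "$CERT" 365
    key_is_encrypted "$KEY"          || { echo "key stored unencrypted"; return 1; }
    [ "$(key_bits "$KEY")" -ge 3072 ] || { echo "key shorter than 3072 bits"; return 1; }
    mode_is_owner_only "$KEY"        || { echo "key readable by other accounts"; return 1; }
    pair_matches "$CERT" "$KEY"      || { echo "certificate and key do not pair"; return 1; }
    valid_for_days "$CERT" 30        || { echo "certificate expires within 30 days"; return 1; }
    echo "ready to upload: $CERT first, then $KEY"
}

run_demo
```

Run it on the ESA or on an administrator's workstation, then upload the .crt file first and the .key file second, entering the same passphrase in the Password and Confirm Password fields. Because the key is already encrypted, the "Do you want to encrypt the private key" check box is not needed and the key cannot be stored in clear by mistake.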