Your instance requires certificates to establish secure connections and validate signatures.

Certificates are used for features such as:

To use a certificate, generate or purchase one for the server or client being secured and upload it to the instance.

LDAP certificates

An SSL certificate is required for the instance to establish an LDAP over SSL (LDAPS protocol) connection with an LDAP server. The connection is a TLS session, by default on port 636, and the certificate is what lets the instance verify that it is talking to the intended LDAP server.

The instance accepts two types of LDAP certificates:

Certificate                Type                  Required for
LDAP server certificate    Any supported type    All LDAP configurations
LDAP client certificate    Java keystore type    Mutual authentication

If multiple server certificates are uploaded, the instance tries each of them in turn until the LDAP server accepts the connection. If you use multiple LDAP servers, upload the SSL certificate for each LDAP server.

If your LDAP server requires mutual authentication, the instance (the client) must present its own certificate in addition to validating the server's. In that case you must also upload the client certificate, together with its private key, as a Java keystore type certificate. This is the certificate the LDAP server has been configured to trust for the instance, not the server's own certificate.

Certificate criteria

A valid certificate must meet these criteria:
  • The certificate can have a key size up to 2048 bits.
  • The certificate must have one of these file extensions:
    Extension   Description
    DER         Distinguished Encoding Rules: the binary ASN.1 encoding of the certificate. Files with the .CER and .CRT extensions also carry this encoding.
    CER         A DER-encoded certificate with the .CER extension.
    CRT         A DER-encoded certificate with the .CRT extension.
    PEM         Privacy Enhanced Mail: the base-64 encoding of the DER certificate enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines.
    Note that the extension is only a convention: many .cer and .crt files found in practice are PEM-encoded. Check the file's contents (a PEM file starts with the BEGIN CERTIFICATE line; a DER file is binary) rather than relying on the extension, and convert if needed.
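The following script is an added example, not code from this page or from the vendor. It uses only `openssl` (assumed installed) to do the preparation work the two sections above describe: tell DER from PEM, convert between them, check that a file meets the extension and key-size criteria, and bundle a client certificate and key into a PKCS#12 keystore for the mutual-authentication case. All certificates it uses are generated locally as constructed sample data; the host name ldap.example.com, the file names, and the assumption that the instance's Java keystore upload accepts a PKCS#12 file are illustrative.

```shell
#!/bin/sh
# Added example (not the vendor's own code). Requires the openssl CLI.
set -eu

WORK=$(mktemp -d)

# Constructed sample: a self-signed 2048-bit RSA certificate standing in for the
# certificate an LDAP server would present. Replace with the real server's cert.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ldap.key" \
    -out "$WORK/ldap.pem" -subj "/CN=ldap.example.com" -days 365 >/dev/null 2>&1
# The same certificate in DER encoding (.der, .cer and .crt files carry this).
openssl x509 -in "$WORK/ldap.pem" -outform DER -out "$WORK/ldap.der"

# Print "PEM", "DER" or "unknown" for a certificate file, judging by content
# rather than by extension.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo PEM
    elif openssl x509 -in "$1" -inform DER -noout >/dev/null 2>&1; then
        echo DER
    else
        echo unknown
    fi
}

# Convert a DER certificate to PEM (base-64 DER between BEGIN/END lines).
der_to_pem() { openssl x509 -in "$1" -inform DER -out "$2"; }

# SHA-256 fingerprint of a certificate in either encoding; compare this with
# what the instance shows after upload to confirm the right file went in.
fingerprint() {
    openssl x509 -in "$1" -inform "$(cert_format "$1")" -noout -fingerprint -sha256 \
        | cut -d= -f2
}

# Public key size in bits, read from the parsed certificate.
key_bits() {
    openssl x509 -in "$1" -inform "$(cert_format "$1")" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Apply the page's upload criteria: accepted extension and key size <= 2048 bits.
# Returns 0 when the file is acceptable, 1 otherwise.
check_upload_criteria() {
    case "$1" in
        *.der|*.cer|*.crt|*.pem|*.DER|*.CER|*.CRT|*.PEM) ;;
        *) echo "unsupported extension: $1" >&2; return 1 ;;
    esac
    bits=$(key_bits "$1")
    [ -n "$bits" ] && [ "$bits" -le 2048 ] \
        || { echo "key size not acceptable: '$bits'" >&2; return 1; }
    echo "$1: $(cert_format "$1"), $bits-bit key"
}

# Bundle the client certificate and its private key into a PKCS#12 keystore for
# mutual authentication. Assumption: the Java keystore upload accepts PKCS#12.
# args: private-key cert output-file password
make_client_keystore() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -name ldap-client \
        -passout "pass:$4"
}

# Pull the leaf certificate an LDAP server presents on port 636. Needs network
# access, so it is defined but not run here; `openssl x509` keeps only the first
# certificate of the -showcerts output, which is the server's own.
fetch_server_cert() {
    openssl s_client -connect "$1:636" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | openssl x509 -out "$2"
}

check_upload_criteria "$WORK/ldap.pem"
check_upload_criteria "$WORK/ldap.der"
make_client_keystore "$WORK/ldap.key" "$WORK/ldap.pem" "$WORK/client.p12" changeit
```

Run it against a real server by calling `fetch_server_cert ldap.example.com server.pem` first and then `check_upload_criteria server.pem`; if the server is behind a load balancer or presents an intermediate, fetch the full chain with `-showcerts` and check which certificate the instance actually needs to trust.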

Certificate trust

By default, the general security property com.glide.communications.trustmanager_trust_all is true, which makes the instance trust any certificate presented to it, including self-signed certificates, without checking that it chains to a trusted Certificate Authority (CA). That default gets a self-signed LDAP server working with no extra setup, but it also means a certificate presented by an attacker in the path to the LDAP server is accepted just as readily. If you do not want to trust all certificates, set the property to false; the instance then accepts only certificates that validate against the certificates you have uploaded, so make sure the LDAP server's certificate (or the CA certificate that issued it) is uploaded before you change the property, or the LDAPS connection will stop working.
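What the property toggles is chain validation, and that check can be rehearsed locally before the property is changed. The script below is an added example, not the vendor's code: it builds a constructed private CA, issues an LDAP server certificate from it, and also creates a self-signed certificate for the same host name. `trust_all_accepts` models the default (anything that parses is accepted) and `chain_accepts` models the strict setting (the certificate must verify against the uploaded CA), using `openssl verify`. The CA name, host name and file names are illustrative.

```shell
#!/bin/sh
# Added example (not the vendor's own code). Requires the openssl CLI.
set -eu

WORK=$(mktemp -d)

# Constructed sample PKI: a private CA, an LDAP server certificate issued by that
# CA, and a self-signed certificate claiming the same host name (what a
# man-in-the-middle or a misconfigured server would present).
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.pem" -subj "/CN=Example Internal CA" -days 3650 >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/ldap.key" \
    -out "$WORK/ldap.csr" -subj "/CN=ldap.example.com" >/dev/null 2>&1
openssl x509 -req -in "$WORK/ldap.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/ldap-signed.pem" -days 365 >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/rogue.key" \
    -out "$WORK/rogue.pem" -subj "/CN=ldap.example.com" -days 365 >/dev/null 2>&1

# Model of trustmanager_trust_all=true: any certificate that parses is accepted,
# whoever issued it. Returns 0 when accepted.
trust_all_accepts() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# Model of trustmanager_trust_all=false: the certificate must chain to a CA
# certificate the instance holds. args: uploaded-ca-file server-cert-file
chain_accepts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Summarise how each certificate fares under both settings.
report() {
    for cert in ldap-signed rogue; do
        if trust_all_accepts "$WORK/$cert.pem"; then all=accepted; else all=rejected; fi
        if chain_accepts "$WORK/ca.pem" "$WORK/$cert.pem"; then strict=accepted; else strict=rejected; fi
        echo "$cert.pem: trust_all=true -> $all, trust_all=false -> $strict"
    done
}

report
```

With the property set to false, only ldap-signed.pem is accepted, and only because ca.pem is the CA being checked against; that is the file to upload to the instance for this server. The self-signed rogue.pem is accepted under the default setting and rejected under the strict one.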