
Certificates

The Certificates tab allows you to import or create valid SSL certificates for a Vendor or Customer account for use in the various interfaces, including SAFEQ Cloud Web UI, APIs, IPP print, and embedded terminal communications.

Trusted valid SSL certificates are required for HTTPS/IPPS printing from SAFEQ Cloud Client.

Trusted CA certificates

If the vendor or customer account is its own Certificate Authority (CA) and issues certificates for domain controllers, mail servers, etc., those CA certificates can be imported to SAFEQ Cloud for LDAPS and similar.

Export the certificates from the remote server to PEM or DER format, and click Import to import the trusted certificate.

Private certificate chains

To enable valid, trusted SSL connections from SAFEQ Cloud Client to the SAFEQ Cloud server, whether for the SAFEQ Cloud Web UI in a web browser, API connections, IPP printing, or embedded terminals, import a valid SSL certificate chain in PFX or PKCS12 format.

These formats include both the public and private keys required for a server to create the encrypted connection. Certificates without the private key are ignored during import.

When importing Private certificate chains, both the key pair and the keystore file have to be password protected with the same password.

The following criteria must be matched to be able to import the private certificate chain:

  • If the SAN (Subject Alternative Names) are specified, they will be verified against the domains defined in the account.
  • If SAN are empty, CN (Common Name) will be verified against the domains defined in the account.
  • If both SAN and CN are empty, the certificate import will fail.
  • Verification is done as follows:
    • All the DNS names specified in SAN or CN must match at least one of the domains defined in the account.
    • The DNS name may contain a wildcard "*" to allow subdomains (e.g., "SAN=*.test.com" will be valid for the account domain "test.com").
    • It is not possible to import certificates for subdomains (e.g., "SAN=my.test.com" will fail for the account domain "test.com"). However, if you plan to use this subdomain, you can define it in the account information.
    • IP addresses in the SAN are filtered out of the validation; only DNS names are validated. If the SAN contains only IP addresses, it will be considered empty.
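
The criteria above can be modelled as a pre-flight check to run before attempting an import. This Python code is an added example, not SAFEQ Cloud code: the function names, the (type, value) representation of SAN entries and the case-insensitive comparison are assumptions, and the sample certificates are constructed.

```python
"""Pre-flight model of the documented import criteria (added example)."""


def names_to_verify(san, cn):
    """Return the DNS names that the documented rules would verify.

    san: list of (type, value) pairs such as ("DNS", "test.com") or
         ("IP Address", "10.0.0.5"), the shape Python's ssl module uses.
    cn:  Common Name string, or None/"" when absent.
    """
    dns = [value for kind, value in san if kind == "DNS"]  # IP entries are filtered out
    if dns:
        return dns
    return [cn] if cn else []  # SAN empty or IP-only: fall back to CN


def matches_domain(name, domain):
    """Exact match, or a "*." wildcard placed directly on the account domain."""
    name, domain = name.lower(), domain.lower()  # assumption: case-insensitive
    return name == domain or name == "*." + domain


def check_import(san, cn, account_domains):
    """Return (ok, reason) for a certificate checked against the account domains."""
    names = names_to_verify(san, cn)
    if not names:
        return False, "SAN and CN are both empty"
    for name in names:  # every DNS name must match at least one account domain
        if not any(matches_domain(name, d) for d in account_domains):
            return False, f"{name} does not match any account domain"
    return True, "all DNS names match an account domain"


# Constructed sample inputs; "test.com" is the account domain used on this page.
ACCOUNT = ["test.com"]
SAMPLES = {
    "wildcard": ([("DNS", "*.test.com")], "ignored.example"),
    "subdomain": ([("DNS", "my.test.com")], None),
    "ip_only_san": ([("IP Address", "10.0.0.5")], "test.com"),
    "no_names": ([("IP Address", "10.0.0.5")], ""),
    "mixed": ([("DNS", "test.com"), ("DNS", "other.example")], None),
}

if __name__ == "__main__":
    for label, (san, cn) in SAMPLES.items():
        print(label, check_import(san, cn, ACCOUNT))
```

Adding "my.test.com" to the account domain list makes the "subdomain" sample pass, which mirrors the advice above to define the subdomain in the account information.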

Generating certificate chains

Instead of importing a trusted certificate chain, you can generate it using the default SAFEQ Cloud CA certificate as an issuer. Certificates can be generated for two purposes: TLS server security and token signing. When generating a TLS certificate, select from the drop-down list the domain name for which this chain will be generated. Embedded clients will then be able to connect to this domain name without warning.

For TLS security, creating a self-signed certificate chain is not recommended and should only be used for test purposes. For proper transport layer protection, a trusted certificate chain created by a trusted certificate authority must be imported.

Generating a certificate chain for token signing

Some external clients require an authorization token when calling SAFEQ Cloud public API functions. The token is only issued when there is a signing certificate chosen in the account's PKI settings. By default, each newly created account has a special signing certificate chain created which is also set as a default signing certificate in the PKI settings. It is possible to re-generate it manually or choose another certificate (e.g., import a trusted chain) for signing purposes.
