Certificates
The Certificates tab allows you to import or create valid SSL certificates for a Vendor or Customer account, for use in the various interfaces, including SAFEQ Cloud Web UI, APIs, IPP print, and embedded terminal communications.
Trusted CA certificates
If the vendor or customer account acts as its own Certificate Authority (CA) and issues certificates for domain controllers, mail servers, etc., those CA certificates can be imported into SAFEQ Cloud for use with LDAPS and similar connections.
Export the certificates from the remote server to PEM or DER format, and click Import to import the trusted certificate.
Private certificate chains
To enable valid, trusted SSL connections from SAFEQ Cloud Client to the SAFEQ Cloud server, whether through the SAFEQ Cloud Web UI in a web browser, API connections, IPP printing, or embedded terminals, import a valid SSL certificate chain in PFX or PKCS12 format.
These formats include both the public and the private keys that a server requires to create the encrypted connection. Certificates without the private key are ignored during import.
When importing private certificate chains, both the key pair and the keystore file have to be protected with the same password.
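A pre-import check for the two requirements above (a private key must be present, and one password must open both the keystore and the key), written with the openssl command-line tool. This is an added example, not part of the SAFEQ Cloud product or its documentation; the function names, file names, host name and password are hypothetical, and the sample bundles are constructed from a throwaway self-signed certificate.

```shell
#!/bin/sh
# Added example (not vendor code): pre-import checks for a PFX/PKCS12 chain.
# Function names, file names and the password are hypothetical.

# Succeeds only if FILE opens with PASSWORD and contains a private key.
# The password is passed through the environment, not on the command line.
pfx_has_private_key() {   # usage: pfx_has_private_key FILE PASSWORD
    PFX_PASS="$2" openssl pkcs12 -in "$1" -passin env:PFX_PASS \
        -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY'
}

# Prints how many certificates (leaf plus any intermediates) FILE holds.
pfx_cert_count() {        # usage: pfx_cert_count FILE PASSWORD
    PFX_PASS="$2" openssl pkcs12 -in "$1" -passin env:PFX_PASS \
        -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Constructed sample input: a throwaway self-signed key pair, bundled twice.
make_demo_bundles() {     # usage: make_demo_bundles DIR PASSWORD
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=print.example.test' \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null || return 1
    # One password protects both the key and the keystore (openssl's default).
    PFX_PASS="$2" openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -passout env:PFX_PASS -out "$1/full.pfx" || return 1
    # Certificate-only bundle: no private key inside.
    PFX_PASS="$2" openssl pkcs12 -export -nokeys -in "$1/cert.pem" \
        -passout env:PFX_PASS -out "$1/certonly.pfx"
}

demo_dir=$(mktemp -d)
make_demo_bundles "$demo_dir" 'Constructed-Pass-1'
for f in full.pfx certonly.pfx; do
    if pfx_has_private_key "$demo_dir/$f" 'Constructed-Pass-1'; then
        echo "$f: private key present, password accepted"
    else
        echo "$f: no usable private key (wrong password or certificate-only)"
    fi
done
```

A bundle that fails the first check is either certificate-only or protected with a different password than the one supplied.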
Generating certificate chains
Instead of importing a trusted certificate chain, you can generate one using the default SAFEQ Cloud CA certificate as the issuer. Certificates can be generated for two purposes: TLS server security and token signing. When generating a TLS certificate, select from the drop-down list the domain name for which the chain will be generated. Embedded clients will then be able to connect to this domain name without a warning.
Generating a certificate chain for token signing
Some external clients require an authorization token when calling SAFEQ Cloud public API functions. The token is only issued when a signing certificate is chosen in the account's PKI settings. By default, each newly created account has a special signing certificate chain created for it, which is also set as the default signing certificate in the PKI settings. It is possible to regenerate it manually or to choose another certificate (e.g., an imported trusted chain) for signing purposes.