Server Certificates Exchange

The Server Certificates Exchange page allows you to:

  • upload your CA-signed TLS server certificate, as well as the root and intermediate certificates of the Certificate Authroity (CA) that signed the TLS server certificate

  • retrieve the Hub’s CA-signed TLS server certificate, as well as the root and intermediate certificates of the CA that signed the Hub’s TLS server certificate

server certificates exchange
Figure 1. Server Certificates Exchange

If you want to set up your own CA and need help creating the required server certificates, perform the procedures described in Appendix A: Create TLS certificates:

  1. Create a keystore.

  2. Create a root key pair.

  3. Create an intermediate key pair.

  4. Create a server key pair.

  5. Create the server certificate chain of trust.

  6. Export server certificates from key pairs.

DFSP server certificates

The DFSP Server Certificates tab allows you to share your CA-signed TLS server certificate chain with the Hub Operator.

dfsp server certificates
Figure 2. DFSP Server Certificates

Upload certificates

To upload your CA-signed TLS server certificate chain, complete the following steps:

If your server certificate has been signed by a trusted Certificate Authority, then uploading the root and intermediate certificates of your CA is optional.
If your server certificate has been self-signed by your own Certificate Authority, uploading the root certificate of your CA is mandatory, while the intermediate certificate is optional.

  1. In the Server Certificate field, click Choose File, and select your CA-signed TLS server certificate saved on your computer.

  2. To upload the root certificate of your CA, in the Root Certificate field, click Choose File, and select the root certificate of your CA saved on your computer.

  3. To upload the intermediate certificate of your CA, in the Intermediate Chain field, click Choose File, and select the intermediate certificate of your CA saved on your computer.

  4. Click Submit. On submitting the certificates, they are validated. To see validation rules or issues found during validation, click View Details. The following details are validated:

    • The root certificate is a root certificate indeed. It can be self-signed or signed by a global root.

    • The intermediate chain is made up of valid CAs and the top of the chain is signed by the root.

    • The certificate and its chain must form a valid trust chain.

    • The certificate must have the "TLS WWW server authentication" key usage extension.

    • The certificate must be valid at the present time according to the certificate validity period.

    • The certificate key length must be 4096 bits.

On uploading a certificate, Connection Wizard renames the file so that the file name includes information about the name of the DFSP and the type of the certificate (root, intermediate, server). This means that you will see the original file name of your certificate change to a value assigned by Connection Wizard.
The intermediate chain must be presented as a single file. If your intermediate chain is made up of multiple files, combine them into one file in the following order: host certificate first, then the certificate that signs it, then the certificate that signs the previous certificate, and so on. Go from the most specific certificate to the least specific certificate, with each certificate verifying the previous one.

Click View to view details of the certificate. Click Download to download a certificate for manually handing over to the Hub (if required).

Remove or replace a certificate

If you wish to remove or replace a certificate after it has been uploaded, complete the following steps:

  1. Click Remove File next to the relevant field. This removes the certificate.

  2. To add a new certificate in place of the one you removed in Step 1, upload the new certificate by clicking Choose File next to the relevant field and selecting the certificate file on your computer.

Hub server certificates

The Hub Server Certificates tab allows you to download the Hub Operator’s TLS server certificate chain.

The DFSP must obtain the root and intermediate certificates of the Hub’s CA that signed the Hub’s TLS server certificate. These need to be installed in the DFSP’s outbound firewall.

hub server certificates
Figure 3. Hub Server Certificates

To retrieve the Hub’s TLS server certificate chain, click Download for each certificate that you want to download.

Information about the validity of each certificate is also displayed. Click View Details for details on validation rules or issues found during validation. The following details are validated:

  • The root certificate is a root certificate indeed. It can be self-signed or signed by a global root.

  • The intermediate chain is made up of valid CAs and the top of the chain is signed by the root.

  • The certificate and its chain must form a valid trust chain.

  • The certificate must have the "TLS WWW server authentication" key usage extension.

  • The certificate must be valid at the present time according to the certificate validity period.

  • The certificate key length must be 4096 bits.