Skip to main content
Version: 8.1

Gateway Network Certificates and SSL

When a remote machine establishes an incoming connection, its server name is transmitted and appears in the Server Name field under Gateway Network -> Incoming Connections. However, no identity authentication is performed when the connection is created. The local system accepts the remote system id without question. To perform identity authentication on a connection, you must use Secure Socket Layer (SSL) and certificates. By default, SSL is enabled.

note

When using the Gateway Network and Redundancy, SSL Certificates are automatically pushed from the redundant Master to the Backup.

Client Certificates

New in 8.1.14
Client certificates are the certificates of peer Gateways that the current Gateway trusts when it is making outgoing connections. Client certificates live under:
$GATEWAY_HOME/data/gateway-network/client/security/pki/

When the Gateway makes an outgoing connection to a peer Gateway whose certificate is not yet trusted, the peer certificate (or its certificate chain if one is configured) is copied into:

$GATEWAY_HOME/data/gateway-network/client/security/pki/rejected/

This model allows users to configure the Gateway Network client to trust the peer Gateways on outgoing connections by moving the certificate on the file system from $GATEWAY_HOME/data/gateway-network/client/security/pki/rejected/ to $GATEWAY_HOME/data/gateway-network/client/security/pki/trusted/certs/. This file system change will be picked up immediately by the Gateway and the connection will be trusted when it attempts to reconnect again.

Server Certificates

New in 8.1.14
Server certificates are the certificates of peer Gateways that the current Gateway trusts when it is handling incoming connections. Server certificates live under:
$GATEWAY_HOME/data/gateway-network/server/security/pki/

The Gateway Network config UI's Incoming Connections tab was made compatible with this new model so that incoming connection certificates may continue to be approved, denied, or deleted there.

note

If you are using your own CA to sign Gateway Area Network certificates, add the CA public key to:

$GATEWAY_HOME/data/gateway-network/server/security/pki/trusted/certs/

Denying a Certificate

To deny a certificate, navigate to Config -> Networking -> Gateway Network -> Incoming Connections. The certificate More dropdown displays deny and delete options. If deny is selected, the connection that has been using that certificate will no longer be allowed to connect. Select delete for certificates that are no longer in use. Keep in mind that if you delete a certificate, and a remote machine is still using that certificate, it will reappear on the Certificates page. In this case, you must navigate to the remote Gateway and delete its outgoing connection. Then you can permanently delete the certificate from the Certificates page.

Regenerating Gateway Network Certificates

Ignition generates a self-signed certificate for the Gateway Network on start up if no existing certificate is found. These self-signed certificates have a lifespan of 10 years. Unlike trusted certificates, self-signed certificates cannot simply be reuploaded and replaced. Regenerating the certificates creates a new certificate with an expiration date set for ten years from the date the certificate is regenerated. If you need to regenerate a self-signed certificate, remove the $INSTALL_LOCATION/webserver/metro-keystore file and restart the Gateway. The certificate will need to be trusted again by all other gateways that trusted the expired certificate.