Certificate Management
Certificates Overview
Certificates are required to sign and encrypt tokens in ProAuth. ProAuth can only handle X.509 certificates that contain both the public and the private key; a password is optional.
The following certificate types are distinguished:
- Default
- OIDC token signing
- OIDC token encryption
- ADFS OAuth token signing
- AuditTrail signing
A Default certificate is created without dependencies and is always used if no specific certificates are found. An AuditTrail signing certificate is also created without dependencies to a subscription or a tenant. All other certificate types must always be assigned to either a subscription or a tenant.
When several certificates are available, the most specific one, at tenant level, is always tried first. If no such certificate is found, the search moves one level up to the subscription level, and if no certificate is found there either, the default certificates are used. If several certificates are found at the same level, the certificate with the longest validity period is always used.
Certificate level search order for token signing or token encryption:
- Apply To Tenant
- Apply To Subscription
- Default
Certificate level search order for AuditTrail signing:
- AuditTrail signing
- Default
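The two search orders above, together with the longest-validity tie-break, as an added worked example; this is illustrative code, not ProAuth's own implementation, and the Certificate fields, function names and sample certificates are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed data model for the example; field names are assumptions, not ProAuth's.
@dataclass(frozen=True)
class Certificate:
    name: str
    cert_type: str                      # "Default", "OIDC token signing", "AuditTrail signing", ...
    not_before: date
    not_after: date
    tenant: Optional[str] = None        # set when the certificate is "Apply To Tenant"
    subscription: Optional[str] = None  # set when the certificate is "Apply To Subscription"

def longest_valid(candidates):
    """Tie-break: among several matches at one level, the longest validity period wins."""
    return max(candidates, key=lambda c: c.not_after - c.not_before, default=None)

def resolve_certificate(certs, cert_type, tenant, subscription):
    """Token signing/encryption lookup: Apply To Tenant -> Apply To Subscription -> Default."""
    levels = [
        lambda c: c.cert_type == cert_type and tenant is not None and c.tenant == tenant,
        lambda c: c.cert_type == cert_type and c.tenant is None
                  and subscription is not None and c.subscription == subscription,
        lambda c: c.cert_type == "Default",
    ]
    for matches in levels:
        found = longest_valid([c for c in certs if matches(c)])
        if found is not None:
            return found
    return None

def resolve_audit_certificate(certs):
    """AuditTrail lookup: AuditTrail signing -> Default (neither is bound to a tenant/subscription)."""
    for type_name in ("AuditTrail signing", "Default"):
        found = longest_valid([c for c in certs if c.cert_type == type_name])
        if found is not None:
            return found
    return None

# Constructed sample inventory: one Default, two subscription-level signing certs with
# different validity periods, one tenant-level signing cert, one AuditTrail cert.
SAMPLE = [
    Certificate("default-2024", "Default", date(2024, 1, 1), date(2026, 1, 1)),
    Certificate("sub-sign-short", "OIDC token signing", date(2024, 1, 1), date(2025, 1, 1), subscription="sub-a"),
    Certificate("sub-sign-long", "OIDC token signing", date(2024, 1, 1), date(2027, 1, 1), subscription="sub-a"),
    Certificate("tenant-sign", "OIDC token signing", date(2024, 1, 1), date(2025, 6, 1),
                tenant="tenant-1", subscription="sub-a"),
    Certificate("audit-2024", "AuditTrail signing", date(2024, 1, 1), date(2025, 1, 1)),
]
```

Note that the tenant-level certificate wins for tenant-1 even though the subscription-level one is valid for longer: specificity is decided first, validity only breaks ties within one level.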
Default Certificate
When ProAuth is started for the first time, a default certificate must be provided; it is then stored in the database as the Default certificate. Once a default certificate is available, it is no longer necessary to provide a certificate when starting ProAuth.
Further certificates can then be managed either through the API or the UI.