Certificate Authorities

This section provides basic information that will help you configure certificate authorities and manage certificate revocation checking for client authentication.

Solace PubSub+ message brokers allow clients to authenticate over TLS by presenting a valid client certificate issued by a Certificate Authority (CA). The participating message broker must be configured with a list of trusted CAs so that the client's certificate, obtained during the TLS handshake, can be verified against them.

Configuring Certificate Authorities

For Solace PubSub+ appliances running version 8.2.0 or later and Solace PubSub+ software message brokers running version 8.7.0 or later, CA certificates must also be configured to validate the server certificates presented on outgoing SSL connections.

A CA certificate file can contain only a single certificate. If a chain contains multiple certificates, they must be split into separate files and configured as separate CAs. If a client presents multiple certificates (a partial or full chain) to the message broker, the revocation check passes only if every certificate in that chain is configured as a CA.

Each root CA and every intermediate CA certificate must be configured for authentication; this is a mandatory step before certificate revocation checking can be used.

  1. To create a CA, enter the following commands:

    solace(configure)# authentication
    solace(configure/authentication)# create certificate-authority <ca-name>

    To configure an existing CA, enter the following command:

    solace(configure/authentication)# certificate-authority <ca-name>

  2. Each certificate in the chain must be configured for authentication. To configure a CA certificate, enter the following command:

    solace(configure/authentication/certificate-authority)# certificate file <ca-certificate>

Where:

ca-name is the name of the certificate authority. You can use a maximum of 64 characters for a ca-name. Acceptable characters are alphanumeric characters, period (.), hyphen (-), and underscore (_).

ca-certificate is the filename of the CA certificate. This file must be located in the /certs directory on the message broker. Once the certificate is in the /certs directory, you can individually add certificates to the list of trusted CA certificates. The maximum number of trusted CA certificates that may be loaded is 64.

The no version of the certificate command, no certificate, removes the CA from the message broker.

Note  
  • CA certificates are HA Config-Sync'ed, but not Replication Config-Sync'ed.
  • Once a CA certificate is configured, a copy of it is saved internally. The file in the /certs directory is no longer required.
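The following shell script is an added example, not part of the Solace documentation or the product. It prepares a CA chain for the procedure above: because the broker accepts only one certificate per file, a PEM bundle holding the root and intermediates is split into one file per certificate, the resulting file names are checked against the ca-name rules (at most 64 characters; letters, digits, period, hyphen, underscore), the 64-certificate limit is enforced, and the CLI commands that register each file as its own certificate-authority are printed. Assumptions of the example: the bundle is PEM, the output directory is what you later copy into /certs on the broker, the prefix "ca" and the resulting CA names are arbitrary choices, the sample bundle is constructed placeholder data rather than real certificates, and the printed session uses exit to return from the certificate-authority context to the authentication context.

```shell
#!/bin/sh
# Added example (not Solace's code): split a PEM CA bundle into single-certificate
# files and print the matching Solace CLI configuration.
# Assumptions: PEM input; output directory is later copied to /certs on the broker;
# the "ca" prefix and CA names are arbitrary choices of this example.

# split_pem_bundle BUNDLE OUTDIR [PREFIX]
# Writes <prefix>-1.pem, <prefix>-2.pem, ... and prints the number of certificates.
split_pem_bundle() {
    bundle="$1"; outdir="$2"; prefix="${3:-ca}"
    mkdir -p "$outdir"
    awk -v dir="$outdir" -v pfx="$prefix" '
        /^-----BEGIN CERTIFICATE-----/ { n++; file = dir "/" pfx "-" n ".pem"; inside = 1 }
        inside { print > file }
        /^-----END CERTIFICATE-----/ { close(file); inside = 0 }
        END { print n + 0 }
    ' "$bundle"
}

# valid_ca_name NAME
# Enforces the page's ca-name rule: 1..64 characters from [A-Za-z0-9._-].
valid_ca_name() {
    name="$1"
    [ -n "$name" ] && [ "${#name}" -le 64 ] || return 1
    case "$name" in
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# emit_solace_ca_config OUTDIR
# Prints the CLI session that creates one certificate-authority per split file.
# File names are given relative to /certs, where the broker expects them.
emit_solace_ca_config() {
    outdir="$1"; count=0
    for f in "$outdir"/*.pem; do count=$((count + 1)); done
    # The broker loads at most 64 trusted CA certificates.
    [ "$count" -le 64 ] || { echo "too many CA certificates: $count" >&2; return 1; }
    echo "solace(configure)# authentication"
    for f in "$outdir"/*.pem; do
        name=$(basename "$f" .pem)
        valid_ca_name "$name" || { echo "invalid CA name: $name" >&2; return 1; }
        echo "solace(configure/authentication)# create certificate-authority $name"
        echo "solace(configure/authentication/certificate-authority)# certificate file $(basename "$f")"
        echo "solace(configure/authentication/certificate-authority)# exit"
    done
}

# make_sample_bundle PATH
# Constructed three-certificate bundle (root + two intermediates) for the demo.
# The bodies are placeholders, not real DER data.
make_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVJST09UQ0E=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVJJTlRFUk1FRElBVEUx
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVJJTlRFUk1FRElBVEUy
-----END CERTIFICATE-----
EOF
}

# Stand-alone run: split the constructed bundle and show the CLI to paste.
demo() {
    work=$(mktemp -d)
    make_sample_bundle "$work/chain.pem"
    n=$(split_pem_bundle "$work/chain.pem" "$work/certs")
    echo "# $n certificate files written to $work/certs; copy them to /certs on the broker, then:"
    emit_solace_ca_config "$work/certs"
}
demo
```

Every file the script writes must be copied to /certs before the certificate file command is run; after the broker has loaded a certificate it keeps its own copy, so the file can then be removed from /certs as the note above states.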

Configuring Certificate Revocation Checking

A message broker can check the revocation status of the certificate a client presents when attempting to authenticate. Certificate revocation checking is configured per message broker. However, you can also configure overrides on a per-Message VPN basis to ignore the result of the revocation check and to allow authentication of certificates whose revocation status is unknown. Either override means that a revoked or unverifiable certificate can still authenticate to that Message VPN.

You can configure message brokers to check the revocation status of client certificates using one of the following methods:

  • Certificate Revocation List (CRL)
  • Online Certificate Status Protocol (OCSP)
  • OCSP-CRL (Combination of both)

For more information, see Certificate Revocation Checking Methods.

To enable certificate revocation checking, enter the following command:

solace(configure/authentication)# client-certificate-revocation-checking [none | ocsp | crl | ocsp-crl]

Where:

none (default) disables revocation checking: every certificate that passes validation is treated as valid regardless of its revocation status.

ocsp specifies to use OCSP to verify the revocation status of the certificates during validation.

crl specifies to use CRL to verify the revocation status of the certificates during validation.

ocsp-crl specifies to use OCSP first to verify the revocation status of the certificates; if OCSP fails to return an unambiguous result, CRL is then used to check the revocation status.

For a step-by-step procedure to configure OCSP, CRL, or OCSP-CRL certificate revocation checking, see the following.