Trusting Keys and Certificates

To trust an SSH public key or an X.509 Certificate, go to Setup → Untrusted Caches menu, select the 3-dot icon and then the Trust entry.

A confirmation message will appear. Click CONFIRM to validate.

Once an entry is trusted, you will find it in the Trust Store.

When should the Keys tab be used?

The Setup → Untrusted Caches → Keys tab lists keys not yet trusted and must be used in these scenarios:

Data Mover SFTP Client connects to an external SFTP server:
- If not already trusted, the key exposed by the external server is saved.

Column

Description

Name

The syntax of the name is: [key hash]-[ip and port used for remote connection]-S.pub

Subject DN

This column displays the IP and port used for remote connection

Type

SSH Host Key is displayed in this column

Data Mover SFTP Server receives a connection from an external SFTP client:
- If this client is not already trusted, its key is saved in this repository.

Column

Description

Name

The syntax of the name is: [key hash]-[user]-C.pub

Subject DN

This column displays the username of the SFTP client

Type

SSH User Key is displayed in this column

When should the Certificates tab be used?

The Certificates tab lists certificates not yet authenticated and must be used in these scenarios:

Data Mover SSL Client (all remote connections over SSL) connects to a server on SSL protocol. The exposed certificate and its chain (depending on the counterpart server) are saved in this repository only if not already trusted.

Warning!

A successful Client Connection on SSL protocol requires the trust of the entire certification chain related to that protocol. A chain of trust cannot be completed without a trust anchor issued by a Certificate Authority. For safety reasons, a remote SSL server is only allowed to send end-entity and intermediate certificates, but CA trust anchors must be provided separately. To complete the chain, you must manually import a secure and trustworthy CA trust anchor. Be careful to import only reliable and proven CA trust anchors as it is impossible to recognize fake certificates issued by a malicious CA once its certificate has been trusted. With great power comes great responsibility! To import a certificate go to the Setup → Trust Stores → Certificates tab and click the IMPORT button. Once you have imported the CA trust anchor and trusted all intermediate and end-entity certificates, the Client Connection can be established successfully.

Data Mover SSL Server (all servers exposed in SSL) receives a connection from a client over SSL protocol that requires client authentication. The certificate is saved in this repository only if not already trusted.

PreviousUntrusted Cache 🚀NextPGP Key Store and PGP Trust Store

Last updated 20 hours ago

When should the Keys tab be used?

The Setup → Untrusted Caches → Keys tab lists keys not yet trusted and must be used in these scenarios:

Data Mover SFTP Client connects to an external SFTP server:

If not already trusted, the key exposed by the external server is saved.

Column

Description

Name

The syntax of the name is: [key hash]-[ip and port used for remote connection]-S.pub

Subject DN

This column displays the IP and port used for remote connection

Type

SSH Host Key is displayed in this column

Data Mover SFTP Server receives a connection from an external SFTP client:

If this client is not already trusted, its key is saved in this repository.

Column

Description

Name

The syntax of the name is: [key hash]-[user]-C.pub

Subject DN

This column displays the username of the SFTP client

Type

SSH User Key is displayed in this column

When should the Certificates tab be used?

The Certificates tab lists certificates not yet authenticated and must be used in these scenarios:

Data Mover SSL Client (all remote connections over SSL) connects to a server on SSL protocol. The exposed certificate and its chain (depending on the counterpart server) are saved in this repository only if not already trusted.

Warning!

Data Mover SSL Server (all servers exposed in SSL) receives a connection from a client over SSL protocol that requires client authentication. The certificate is saved in this repository only if not already trusted.