Managing Domain and Client Certificate Authorities

Event broker services use certificates to authenticate the servers that they establish TLS connections with. Event broker services can also use certificates to authenticate the client applications that connect to them. Certificates are issued by a certificate authority (CA). When a CA issues a server (domain) or client certificate, the CA signs the issued certificate. If an event broker service has the signing CA's own certificate in its trust store, the event broker service can verify that the certificate presented for authentication was issued by a trusted CA and can therefore be sure of the identity of the server or client.

The trust store for advanced event mesh event broker services can include these types of CA certificates:

Standard Domain Certificate Authorities

The trust store for all event broker services contains the CA certificates in Mozilla's standard list of trusted server certificate CAs. Mozilla's list is a highly trusted, industry-accepted, de facto standard, and servers with certificates issued by these CAs are trusted in many environments. The Standard Domain CA certificate trust store enables event broker services to authenticate a server's name and domain for all outgoing TLS connections.

This trust store is read-only and can be disabled if you don't want to allow TLS connections to servers that use certificates issued by these CAs.

Domain Certificate Authorities

You can also add domain CA certificates to the trust store if, for example, your organization uses your own internal CA to sign domain certificates. These domain CA certificates can be used in combination with the CA certificates in the Standard Domain CA trust store to authenticate servers for outgoing TLS connections.

Client Certificate Authorities

For greater security, you can require client applications to present a client certificate to authenticate their identity to an event broker service to establish a mutual TLS connection. The Client CA trust store can contain CA certificates that enable event broker services to authenticate clients using client certificate authentication or OAuth authentication for incoming TLS connections.

Managing Certificates in the Cloud Console

You can manage the domain CA certificates and client CA certificates for each event broker service in the Cloud Console. You can add and remove CA certificates, and you can modify the Online Certificate Status Protocol (OCSP) revocation policies for client certificates. By default, the event broker service also uses the standard domain CAs for server certificate validation.

For information, see the following sections.

Adding Domain CA Certificates

You can add domain CA certificates to an event broker service's trust store for CAs that issue server certificates. When a server presents a certificate to an event broker service to establish a TLS connection, the event broker service verifies that the server certificate was issued by a known CA whose certificate has been added to the trust store.

To add a certificate to the domain CA trust store, perform these steps:

  1. Log in to the Cloud Console if you have not done so yet. The URL to access the Cloud Console differs based on your SAP BTP region. For more information, see Logging In to the Cloud Console.

  2. On the navigation bar, select Cluster Manager, and then click the card of the event broker service you want to configure.
  3. Select the Manage tab and then click the Certificate Authorities tile.
  4. Select the Domain Certificate Authorities tab.
  5. Click Add Domain Certificate Authority.
    Screenshot showing the settings described in the surrounding text
  6. In the Add Domain Certificate Authorities dialog, do the following:

    • Enter a name for your certificate, such as OurInternalServerCA (the name should be alphanumeric only and cannot contain spaces or special characters).
    • Upload the PEM file using the Upload button or paste the contents of the certificate from your PEM file into the Certificate Content text box starting from (and including) the lines -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----.

    Screenshot showing the settings described in the surrounding text.

  7. Click Save.

The certificate appears in the list, under the Domain Certificate Authorities.

Disabling the Standard Domain Certificate Authorities List

For event broker services, the standard domain CA list includes industry-standard, trusted CA certificates used to verify the server names for outgoing TLS connections. This list can't be modified and is enabled by default. If you want to use only your custom domain CA list, you can disable the standard domain CA list.

To disable the standard domain CA list, perform the following steps:

  1. In Cluster Manager, click the card of the event broker service you want to configure.
  2. Select the Manage tab and then click Certificate Authorities.
  3. Click the Domain Certificate Authorities tab.
  4. Beside the Standard Domain Certificate Authorities entry, click Disable.
  5. In the confirmation dialog, click Disable.

Adding CAs for Client Certificates

You can add certificates to an event broker service's trust store for CAs that issue client certificates. When a client application presents a certificate to establish a mutual TLS connection, the event broker service validates that the client certificate was issued by a CA whose certificate has been added to the trust store.

You should be aware of these considerations when using client certificate authentication:

  • While it's possible to use certificates signed by a public CA, organizations often set up an internal CA to issue certificates - typically for client certificates. Certificates signed by a public CA are expensive and are generally unnecessary. You need to accept certificates signed by a public CA only if you want to allow clients from the public Internet to connect to your event broker service.

    Typically this is not the case, so an internal CA is suitable. An internal CA is also potentially more secure because your organization controls the entire certificate issuing process. For example, you can use OpenSSL tools to create an internal CA that can be used to sign the client certificates. For an end-to-end tutorial, see Configuring an Event Broker Service to use Client Certificate Authentication.

  • To use client certificate authentication on the event broker service, you must enable client authentication. For more information, see Configuring Client Certificate Authentication. After you enable client certificate authentication on the event broker service, you must configure the connecting client applications to use client certificate authentication.

To add a CA certificate to the client CA list, perform these steps:

  1. In Cluster Manager, click the card of the event broker service you want to configure.
  2. Select the Manage tab and then click the Certificate Authorities tile.
  3. On the Client Certificates Authorities tab, click Add Client Certificate Authority.

    Screenshot showing the elements described in the surrounding text.
  4. In the Add Client Certificate Authority dialog, do the following:

    • Enter a name for the CA certificate, such as OurInternalCA (the name should be alphanumeric only and cannot contain spaces or special characters).
    • Upload the PEM file using the Upload button or paste the contents of the certificate from your PEM file into the Certificate Content text box starting from (and including) the lines -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----.

    Screenshot showing the settings described in the surrounding text.

  5. (Optional) Select Enable revocation check through OCSP to use OCSP revocation checking and then enter the following information:

    • OCSP Override URL — The URL of the OCSP responder. The URL must be a complete URL including http://. Only HTTP URLs are supported.
    • OCSP Timeout (sec) — The timeout to wait for a response from the OCSP responder.
    • OCSP Allow non-responder certification — Allow or disallow an OCSP response that is signed by a certificate other than the responder's own certificate.
  6. Click Save.

The certificate appears in the list.

Modifying an Existing Client Certificate

You can modify the OCSP revocation checking parameters for a client CA. You cannot change the CA certificate itself or the name you assigned to it.

  1. In Cluster Manager, click the card of the event broker service you want to configure.
  2. Select the Manage tab and then click the Certificate Authorities tile.
  3. On the Client Certificates Authorities tab, click Edit.
  4. In the Edit Client Certificate Authority dialog, update the following settings as required:
    • Enable revocation check through OCSP — Enable or disable OCSP revocation checking for certificates issued by this CA.
    • Override URL — The URL of the OCSP responder. The URL must be a complete URL including http://. Only HTTP URLs are supported.
    • Timeout (sec) — The timeout to wait for a response from the OCSP responder.
  5. Click Save.

Removing CA Certificates

You can remove a certificate from the Client CA or Domain CA trust store. After you remove a certificate, new client applications or server names using that certificate won't be able to authenticate with the event broker service. Existing connections that have been authenticated remain connected.

To disconnect the client applications, an administrator must manually disconnect the client in Broker Manager under Clients, as shown below.

Screenshot showing the settings described in the surrounding text.

To remove a CA certificate, perform these steps:

  1. In Cluster Manager, click the card of the event broker service you want to configure.
  2. Select the Manage tab and then click Certificate Authorities.
  3. On either the Client Certificate Authorities or Domain Certificate Authorities tab, click Delete beside the name of the certificate that you want to remove.
  4. In the Delete Certificate Authority dialog, click Continue to confirm that you are deleting the certificate; otherwise click Cancel.