ThingWorx Remote Access Client (RAC) > Configuring RAC to Use Custom Certificates
Configuring RAC to Use Custom Certificates
The Remote Access Client (RAC) uses TLS by default to create secure connections to Global Access Server (GAS) and the ThingWorx platform. In RAC 2.5.0 or later, you can use a self-signed or a private certificate for the connection between RAC and GAS. To connect to a GAS instance that uses SSL, you must generate a certificate and add it to the Java truststore of the ThingWorx server. If you are using an SSL certificate from a trusted certificate authority, the required certificate is already added to truststore when Java is installed.
Limitations
Self-signed certificates are not supported when a proxy server is configured for GAS or ThingWorx.
Supported Certificate Formats
The following certificate formats are supported by RAC:
CER
CRT
PEM
Configuring RAC to Use a Custom Certificate
To use a self-signed certificate with RAC, add the certificate file to the tw-ra-client/certificates/ folder. The following is the location of the folder for the following operating systems:
Linux—$HOME/.config/tw-ra-client/certificates/
Windows—%USER_HOME%\AppData\Roaming\tw-ra-client\certificates/
Mac OS—$HOME/Library/Application Support/tw-ra-client/certificates/
Any certificates within subfolders are not scanned. To use certificates from a custom location, add the certs_directory property to the RAC config.json file as follows:
{
"certs_directory":"/home/user/certificates"
"proxy": {...}
}
For more information about the available JSON properties, see Configuring RAC Using a JSON File.
* 
The default location is not used when the custom directory does not exist or does not contain a valid certificate.
Adding the Custom Certificate to the Java Truststore
By default, the Java truststore is named cacerts and is located in the \lib\security folder of the Java home directory. The file contains all trusted CA certificates on the current system. You can configure and manage the file using the Java keytool utility. The initial password for the cacerts file is changeit.
* 
You should only add certificates from certificate authorities that you trust.
Before importing the certificate, make sure you have the Java keytool utility in your environment path. Then, run the following command in a terminal to import the self-signed CA into the truststore:
keytool -keystore <Java Truststore Path> -alias <Alias> -importcert -trustcacerts -file <Certificate File Path>.cer
<Java Truststore Path>—The path to the Java truststore file.
<Alias>—The alias to use for the certificate.
<Certificate File Path>—The path to the certificate file that you want to add to the truststore.
Was this helpful?