Transport Layer Security (TLS) Certificates
|
Ensure that the full certificate chain is included in the ThingWorx keystore.
|
When a client connects to a server that is using TLS (HTTPS), the server delivers a certificate that the client uses to verify the identity of the server and establish a secure communication channel with the server. The client must trust the certificate before using it to verify the server identity and establish a secure communication channel.
The Experience Service, Vuforia Studio, and Vuforia View must be properly configured so that the TLS certificates are trusted. For the Vuforia Studio products, there are two TLS certificates to be considered:
• The TLS certificate used by the Experience Service—Vuforia Studio and Vuforia View must trust this certificate.
• The TLS certificate used by the ThingWorx server—the Experience Service must trust this certificate.
The certificates and private keys must be encoded using one of the following:
• PEM (IETF RFC 7468)
• PCKS12 (PFX) (IETF RFC 7292)
TLS Version Support
The Experience Service does not support any version of Secure Sockets Layer (SSL). Only TLS version 1.1 or higher is supported; by default, TLS version 1.2 is used.
Certificate Authorities
A certificate authority (CA) issues an TLS certificate. A CA can belong to a hierarchical chain of CAs, where the parent CA certifies the trustworthiness of each CA in the hierarchy. The CA at the top of the hierarchy is called the root CA, and other CAs in the chain are intermediate (or subordinate) CAs.
For a client to trust a certificate, it must trust the CA that issued it. Each CA has a certificate that it uses to sign the certificates that it issues. A client trusts a CA if the CA’s certificate, or the certificate for one of its parent CAs appears in the client’s trust store. By default, certificates for well-known, public CAs, appear in a client’s trust store. Certificates for private organizational CAs must be added manually to the trust store.
Self-Signed Certificates
In some cases, a CA does not issue a certificate. These certificates are known as self-signed certificates. Since the CA did not issue the certificate, the self-signed certificate must be added to the client’s trust store for it to be trusted.
Configure Certificates
Two certificates must be configured for the Vuforia Studio product suite:
• TLS certificate used by the Experience Service
• TLS certificate used by the ThingWorx server
The steps required to configure these certificates depend on the following information about the certificate:
• Is the issuing CA a public well-known CA, a private organizational CA, or is the certificate self-signed?
• Is the issuing CA a root CA, or an intermediate CA?