Certificate Verification
Description
When you use HTTPS, outbound connections are secured using certificates. These connections include ones triggered by a call_webservice part or by the LogicNets runtime for functions such as SSO. With HTTPS, other parties cannot view the data the system passes; however, there are scenarios where a man-in-the-middle attacker can manipulate the network to serve their own keys, thereby compromising all communication.
When you enable server certificate verification with the Use certificate option, the system checks the validity of the certificate (chain) provided by the endpoint. A valid certificate must be signed by a trusted Certificate Authority (CA), so LogicNets requires an up-to-date list of all trusted CAs to perform this check.
LogicNets offers 3 options for providing a list of trusted CAs:
Use the Operating System Certificate Store
This is the recommended option, because the OS certificate store is updated regularly by the OS-specific update routines, and revoked CA certificates are automatically removed from it. On Windows, LogicNets connects to the Windows Certificate Store automatically. On CentOS, LogicNets expects all trusted CA certificates to be stored in /etc/pki/tls/cert.pem, the default location on CentOS; you can change this location with the LogicNets configuration setting _session.centos_certificate_store_path.
To use this option, enable the Security/Use OS Certificate Store option in the System Configuration module and, for call_webservice, leave the Server certificate path parameter empty.
Use a Default Local Certificate Store
LogicNets provides a default local certificate store in PEM format, located at <installation>/dat/certificates/CA.pem. You can change the location of this store in the configuration file using _session.cert_filename.
To use this option, you must disable the Security/Use OS Certificate Store option in the System Configuration module. For call_webservice, you must leave the Server certificate path parameter empty.
Use a Connection-specific Local Certificate Store
This option is only available when using the call_webservice part. You can specify a different certificate store per connection with the Server certificate path parameter.
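Whichever option is in use, the check the text calls for (an up-to-date list of trusted CAs) can be applied to any store that is a PEM file: the CentOS /etc/pki/tls/cert.pem bundle, the default <installation>/dat/certificates/CA.pem, or a connection-specific file. The script below is an added example and is not part of the LogicNets documentation or product. It reads each certificate in a PEM bundle with a minimal DER parser (only the subject, issuer and validity fields are decoded) and flags CAs that are expired or not yet valid. The two sample certificates it builds for the demonstration are constructed, unsigned test data with a placeholder key; the Windows Certificate Store is not a PEM file and is outside the script's scope.

```python
import base64
import datetime as dt
import sys

OID_COMMON_NAME = bytes.fromhex("550403")  # id-at-commonName, 2.5.4.3

def der(tag, content):
    """Encode one DER TLV element (short or long length form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split a SEQUENCE/SET body into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        out.append((tag, value))
    return out

def parse_time(tag, value):
    """Decode UTCTime (0x17, two-digit year) or GeneralizedTime (0x18) to an aware datetime."""
    text = value.decode("ascii")
    if tag == 0x17:
        year = int(text[:2])
        text = str(year + (2000 if year < 50 else 1900)) + text[2:]
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)

def common_name(name):
    """Return the CN of an X.501 Name: SEQUENCE OF (SET OF (SEQUENCE {oid, value}))."""
    for _, rdn in children(name):
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)
            if oid == OID_COMMON_NAME:
                return value.decode("utf-8")
    return "<no CN>"

def parse_certificate(der_bytes):
    """Extract subject CN, issuer CN and validity period from one DER certificate."""
    _, cert, _ = read_tlv(der_bytes, 0)
    fields = children(children(cert)[0][1])          # tbsCertificate
    if fields[0][0] == 0xA0:                          # optional explicit [0] version
        fields = fields[1:]
    issuer, validity, subject = fields[2][1], fields[3][1], fields[4][1]  # after serial, signature
    (nb_tag, nb), (na_tag, na) = children(validity)
    return {"subject": common_name(subject), "issuer": common_name(issuer),
            "not_before": parse_time(nb_tag, nb), "not_after": parse_time(na_tag, na)}

def pem_certificates(text):
    """Yield the DER bytes of every CERTIFICATE block in a PEM bundle."""
    inside, b64 = False, []
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "-----BEGIN CERTIFICATE-----":
            inside, b64 = True, []
        elif line == "-----END CERTIFICATE-----":
            inside = False
            yield base64.b64decode("".join(b64))
        elif inside:
            b64.append(line)

def audit_bundle(text, now=None):
    """List every CA in the bundle and flag entries that are expired or not yet valid."""
    now = now or dt.datetime.now(dt.timezone.utc)
    report = []
    for der_bytes in pem_certificates(text):
        info = parse_certificate(der_bytes)
        info["expired"], info["not_yet_valid"] = info["not_after"] < now, info["not_before"] > now
        report.append(info)
    return report

def make_sample_cert(cn, not_before, not_after):
    """Constructed test data: a structurally valid but UNSIGNED, self-issued v3 certificate."""
    utc_time = lambda t: der(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    name = der(0x30, der(0x31, der(0x30, der(0x06, OID_COMMON_NAME) + der(0x0C, cn.encode()))))
    sha256_rsa = der(0x30, der(0x06, bytes.fromhex("2A864886F70D01010B")) + der(0x05, b""))
    placeholder = der(0x03, bytes(9))                 # empty BIT STRING: no real key or signature
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sha256_rsa + name
              + der(0x30, utc_time(not_before) + utc_time(not_after)) + name + der(0x30, sha256_rsa + placeholder))
    b64 = base64.b64encode(der(0x30, tbs + sha256_rsa + placeholder)).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n-----END CERTIFICATE-----\n"

def sample_bundle():
    # Two constructed CAs: one valid until 2030, one that expired in 2015.
    utc = dt.timezone.utc
    return (make_sample_cert("Constructed Test Root CA", dt.datetime(2020, 1, 1, tzinfo=utc), dt.datetime(2030, 1, 1, tzinfo=utc))
            + make_sample_cert("Constructed Expired CA", dt.datetime(2010, 1, 1, tzinfo=utc), dt.datetime(2015, 1, 1, tzinfo=utc)))

if __name__ == "__main__":
    # Pass a bundle path (e.g. /etc/pki/tls/cert.pem or dat/certificates/CA.pem); otherwise audit the sample.
    bundle = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else sample_bundle()
    for e in audit_bundle(bundle):
        status = "EXPIRED" if e["expired"] else "NOT YET VALID" if e["not_yet_valid"] else "ok"
        print(f"{status:14} {e['not_after']:%Y-%m-%d}  {e['subject']}")
```

An expired root in the bundle does not by itself break verification of chains that end at another, still-valid CA, but a store that still lists expired roots and lacks recently issued ones is a sign that the OS update routine (or the local CA.pem) is not being refreshed, which is exactly the condition the recommended OS-store option is meant to avoid.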
More information about CAs and certificate verification can be found here:
https://en.wikipedia.org/wiki/Certificate_authority
More information about the Certificate PEM format can be found here:
https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail
Install/Update CA certificates on CentOS:
https://manuals.gfi.com/en/kerio/connect/content/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html
https://www.systutorials.com/docs/linux/man/8-update-ca-trust/