Trusted Certificates

With the Administration > Protocol Keys > Trusted Certificates option, you can add and manage trusted certificates.

Trusted certificates are a more flexible way to define X.509 certificates for both SFTP (SSH) and FTPS transfers. Typically, CA (Certificate Authority) certificates are added to TIBCO MFT Internet Server as trusted certificates. When certificate authentication is enabled for your SSH server through the Administration > Transfer Servers > SSH Server > Configure SSH Server option and an SSL negotiation is performed, any certificate signed by a trusted certificate is accepted. The distinguished name of the certificate is then matched against the certificate distinguished name defined in the user definition to associate the certificate with a user.

Note: If you want to monitor a CRL (Certificate Revocation List) for revoked certificates, save the CRL file in the <MFTIS_Install>\<context>\ftp\crl directory. Then navigate to the Administration > System Configuration page, expand the Global Settings section, and set the options in the Certificate CRL Processing area. All outgoing CRL processing is for server certificate authentication. Incoming processing is for either user or server authentication.

For incoming processing, if a certificate is assigned to a user or server, the trusted certificates are not checked. In that case, TIBCO MFT Internet Server checks the following items:

  • Whether the certificate is enabled.
  • Whether certificate CRL processing is enabled.

If no certificate is found assigned to a user or server, the trusted certificates are used for validation, performing the following tasks:

  1. Verify that the certificate is signed by one of the trusted certificates in the TIBCO MFT Command Center database.
  2. Check the CRL if certificate CRL processing is enabled.
  3. Validate the distinguished name extracted from the certificate against the certificate distinguished name field defined in the user definition.
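The three validation tasks above, as an added example that is not TIBCO's code: a POSIX shell script using openssl that builds a constructed CA (standing in for a trusted certificate), a user certificate it signed, a certificate from an untrusted issuer, a CRL and a user-definition table, then applies the checks with certificate CRL processing on and off. The file names, CA name, user DN and user table are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not TIBCO's code: emulate the three trusted-certificate checks with
# openssl on constructed material (CA name, user DN, paths and user table are invented).
set -e
W=$(mktemp -d); cd "$W"
# Constructed "trusted certificate" (a CA) and a user certificate it signed
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -subj "/CN=Example MFT CA" \
  -keyout ca.key -out ca.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -sha256 -subj "/O=Example/CN=alice" \
  -keyout alice.key -out alice.csr 2>/dev/null
openssl x509 -req -in alice.csr -CA ca.pem -CAkey ca.key -CAcreateserial -sha256 -days 1 \
  -out alice.pem 2>/dev/null
# A certificate whose issuer is NOT in the trusted list (self-signed)
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/O=Example/CN=mallory" \
  -keyout other.key -out other.pem 2>/dev/null
# Minimal 'openssl ca' state so the CA can revoke certificates and issue a CRL
touch index.txt; echo 01 > crlnumber
printf '[ca]\ndefault_ca=d\n[d]\ndatabase=index.txt\ncrlnumber=crlnumber\n' > ca.cnf
printf 'default_md=sha256\ndefault_crl_days=1\n' >> ca.cnf
gen_crl() { openssl ca -config ca.cnf -gencrl -keyfile ca.key -cert ca.pem -out crl.pem 2>/dev/null; }
revoke_cert() { openssl ca -config ca.cnf -revoke "$1" -keyfile ca.key -cert ca.pem 2>/dev/null; gen_crl; }
gen_crl   # initially empty CRL (stands in for the file placed in the crl directory)
# Constructed user definitions: <certificate DN, RFC 2253 form> TAB <MFT user id>
printf 'CN=alice,O=Example\talice_mft\n' > users.tsv

# validate_cert CERT on|off -> prints the matched user id and returns 0, or returns 1
# when any of the three checks fails (on|off = the "certificate CRL processing" setting)
validate_cert() {
  cert=$1; crl_processing=$2
  # 1. signature chains to a trusted certificate; 2. CRL consulted only when enabled
  if [ "$crl_processing" = on ]; then
    openssl verify -CAfile ca.pem -crl_check -CRLfile crl.pem "$cert" >/dev/null 2>&1 || return 1
  else
    openssl verify -CAfile ca.pem "$cert" >/dev/null 2>&1 || return 1
  fi
  # 3. DN taken from the certificate must equal the DN stored in a user definition
  dn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$cert" | sed 's/^subject= *//')
  awk -F'\t' -v dn="$dn" '$1 == dn { print $2; found = 1 } END { exit !found }' users.tsv
}

validate_cert alice.pem on                     # alice_mft
validate_cert other.pem on || echo "rejected: not signed by a trusted certificate"
revoke_cert alice.pem
validate_cert alice.pem on || echo "rejected: revoked"
validate_cert alice.pem off                    # alice_mft (CRL processing disabled)
```

With CRL processing switched off, the revoked certificate is accepted again, which is the reason the Certificate CRL Processing setting matters once a CRL has been placed in the crl directory.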