Choreo Connect components use TLS/SSL certificates (X.509 public certificates and their private keys) for two main purposes:
- establishing TLS connections
- component-specific tasks
Using certificates for Transport Layer Security
Transport Layer Security (TLS) is a point-to-point security mechanism that provides authentication, message integrity and confidentiality. Whether it is an HTTPS connection to an external entity or one of the gRPC connections among the Choreo Connect components, valid, unexpired certificates must exist in the locations the components are configured to read; an expired or untrusted certificate fails the TLS handshake and the connection is never established.
Each Choreo Connect component (Adapter, Enforcer, Router) has its own certificate location. By default, a set of certificates is already placed in these locations:
- Truststore (the certificates the component trusts when it verifies a peer)
- Keystore (the component's own private key and certificate, presented during the TLS handshake)
Using certificates for component specific tasks
Certificates are also used for component-specific purposes.
- The Enforcer uses its truststore for signature validation of JWTs and to connect to external Key Manager endpoints. Therefore, in this case the public certificate of the external Key Manager (Identity Provider) should be added to the Enforcer truststore.
- The Adapter uses its truststore and keystore to connect to external entities such as the Control Plane and service discovery endpoints.
- Although the Router also has its truststore and keystore in the locations mentioned above, there is one case in which those locations are not used: connecting to the backend services exposed by the APIs. For more information on how to add certificates of backend services, see Backend Certificates.
Because the certificates serve different purposes, the location referred to for each purpose can be changed by editing config.toml and the corresponding Docker container volume mounts.
Adding a certificate to a component truststore
To add a new certificate to a Choreo Connect component, the PEM formatted certificate must be placed in the truststore location of that particular component.
1. Convert the public certificate to PEM format if it is not already PEM. For example, for a DER encoded certificate:

```bash
openssl x509 -inform der -in public_certificate.cert -out certificate.pem
```

2. Copy the PEM file into the truststore directory under the relevant component's resource folder (the folder that is mounted as /home/wso2/security in the container).
3. Restart the component so it reloads its truststore:

```bash
docker restart <container_name>
```
The certificate locations are configured as a volume mount for each component container in the docker-compose.yaml file, as given below.

```yaml
volumes:
  - ../resources/adapter/security:/home/wso2/security
```

```yaml
volumes:
  - ../resources/enforcer/security:/home/wso2/security
```

```yaml
volumes:
  - ../resources/router/security:/home/wso2/security
```

Each of these mounts both the keystore and the truststore location into the container.
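The procedure above, scripted end to end as an added example (this is not code from the Choreo Connect documentation or project). It accepts either a DER or a PEM certificate, normalises it to PEM, refuses certificates that are expired or about to expire (a stale Key Manager certificate in the Enforcer truststore silently breaks JWT signature validation), drops the result into the component's truststore and optionally restarts the container. It assumes the host-side layout resources/<component>/security/truststore that mirrors the /home/wso2/security mount shown above; the demo at the bottom generates a throwaway self-signed "Key Manager" certificate in a temporary directory, which is constructed data, not a real certificate.

```bash
#!/usr/bin/env bash
# Added example: import an external certificate into a Choreo Connect component truststore.
# Assumed layout (mirrors the docker-compose volume mount):
#   <resources>/<component>/security/truststore   <->  /home/wso2/security/truststore
set -euo pipefail

# to_pem <input> <output>: accept a DER or PEM encoded certificate, always write PEM.
to_pem() {
  local in="$1" out="$2"
  if openssl x509 -inform pem -in "$in" -noout 2>/dev/null; then
    openssl x509 -inform pem -in "$in" -out "$out"
  else
    openssl x509 -inform der -in "$in" -out "$out"
  fi
}

# cert_is_current <pem> [seconds]: succeed only if the certificate is valid now and
# stays valid for the given window (default 30 days). Expired trust anchors are a
# common cause of "unknown issuer" TLS failures and failed JWT validation.
cert_is_current() {
  local pem="$1" window="${2:-2592000}"
  openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null
}

# add_to_truststore <component> <cert-file> <resources-dir> [container-name]
# Validates the certificate, copies it as <basename>.pem into the component's
# truststore and restarts the container when a name is given.
add_to_truststore() {
  local component="$1" cert="$2" resources="$3" container="${4:-}"
  case "$component" in
    adapter|enforcer|router) ;;
    *) echo "unknown component: $component (expected adapter|enforcer|router)" >&2; return 1 ;;
  esac
  local dest="$resources/$component/security/truststore"
  local name; name="$(basename "${cert%.*}").pem"
  local tmp; tmp="$(mktemp)"
  to_pem "$cert" "$tmp"
  if ! cert_is_current "$tmp"; then
    echo "refusing $cert: expired or expires within the safety window" >&2
    rm -f "$tmp"; return 1
  fi
  mkdir -p "$dest"
  if [ -f "$dest/$name" ] && cmp -s "$tmp" "$dest/$name"; then
    echo "$name already present in $dest, nothing to do" >&2
    rm -f "$tmp"; return 0
  fi
  mv "$tmp" "$dest/$name"
  echo "installed $dest/$name ($(openssl x509 -in "$dest/$name" -noout -subject))" >&2
  # The component only reads its truststore at start-up, so restart it.
  if [ -n "$container" ]; then docker restart "$container"; fi
}

# Demo with constructed input: a self-signed certificate standing in for an
# external Key Manager, delivered in DER form, imported into the Enforcer truststore.
# No container name is passed, so no docker restart is attempted here.
demo_dir="$(mktemp -d)"
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=key-manager.example" \
  -keyout "$demo_dir/km.key" -out "$demo_dir/km.pem" >/dev/null 2>&1
openssl x509 -in "$demo_dir/km.pem" -outform der -out "$demo_dir/km.cert"
add_to_truststore enforcer "$demo_dir/km.cert" "$demo_dir/resources"
ls "$demo_dir/resources/enforcer/security/truststore"
```

In a real deployment the resources directory is <CHOREO-CONNECT_HOME>/docker-compose/.../resources and the fourth argument is the Enforcer container name; the restart is what makes the new trust anchor take effect.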
Changing the private certificate of a component
Follow the instructions below to change the private key and certificate of a component:
1. Generate a new key pair for the component.
2. Copy the private key and certificate (in PEM format) into that component's keystore location (the keystore directory under the component's security resource folder, which is mounted as /home/wso2/security in the container). For example, to change the private key of the Adapter component, copy the new key and certificate into the Adapter keystore.
3. If you change the private key file name, edit the corresponding configuration in the <CHOREO-CONNECT_HOME>/docker-compose/choreo-connect-with-apim/conf/config.toml file. Otherwise, keep the existing default name, mg.key, for the new private key and the existing default name for the certificate.
4. Copy the public certificate (in PEM format) into the truststore of each of the other two components, so that they continue to trust the component after the change.
5. Restart the components.