
Manage certificates

Note:

Access to this application is managed by Guidewire Hub. For details, see Access Cloud Platform apps and services.

To manage certificates:

  1. Select a star system.

  2. From Apps, select Certificates or select it from your pinned apps.

Extract certificates from a certificate chain

You can extract the certificates in a PEM container file into separate PEM files, one per certificate. A chain file typically holds an ordered list of certificates: the leaf first, then any intermediate certificates, and the root certificate last.

For details on what files you need to upload, see Create an mTLS configuration.

To extract certificates:

  1. In a command prompt, go to the directory where you saved the PEM file.

  2. Create one file per certificate.

    Start each file with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.

    For example, when splitting a chain consisting of three certificates, you can name your files certificate1.pem, certificate2.pem, and certificate3.pem.

  3. If the source file contains a private key, copy it to a separate PEM file.

    Warning:

    Anyone who obtains your private key can impersonate your application to its peers. The public key is already in the certificate and needs no protection; the private key does. Never share it with external entities, and restrict file permissions on the copy you create.
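The splitting steps above as a script, added here as an example; it is not part of the original page or of Guidewire's tooling. The awk program copies each block between BEGIN and END markers to its own file, numbered in chain order, and moves a private key, if the container holds one, to a separate file. The output names certificateN.pem and private-key.pem, and the placeholder PEM bodies in make_sample_chain, are assumptions made for this example: the placeholders are not real certificates, and only their markers matter to the splitter.

```shell
#!/bin/sh
# Added example (not Guidewire's tooling): split a PEM container into one
# file per certificate and move any private key into its own file.
# The output names certificateN.pem and private-key.pem are choices made
# for this example.

split_pem() {
  src="$1"; out="$2"
  mkdir -p "$out"
  # Each BEGIN marker opens a new output file and each END marker closes it.
  # Text outside a BEGIN/END block (bag attributes, comments) is dropped, and
  # trailing CR characters are removed so a file saved on Windows splits cleanly.
  awk -v out="$out" '
    { sub(/\r$/, "") }
    /-----BEGIN CERTIFICATE-----/   { n++; f = sprintf("%s/certificate%d.pem", out, n) }
    /-----BEGIN .*PRIVATE KEY-----/ { f = out "/private-key.pem" }
    f != ""                         { print > f }
    /-----END (CERTIFICATE|.*PRIVATE KEY)-----/ { close(f); f = "" }
  ' "$src"
  # The private key must not be readable by other users on the host.
  if [ -f "$out/private-key.pem" ]; then chmod 600 "$out/private-key.pem"; fi
}

# Number of certificate files produced by split_pem in directory "$1".
count_certs() {
  n=0
  for f in "$1"/certificate*.pem; do
    if [ -f "$f" ]; then n=$((n + 1)); fi
  done
  echo "$n"
}

# Constructed sample input: a three-certificate chain (leaf, intermediate,
# root) plus a key, with placeholder bodies instead of real base64 data.
# Only the markers matter to split_pem, so the placeholders are enough.
make_sample_chain() {
  cat > "$1" <<'EOF'
subject=CN = example leaf (a bag-attribute line outside any block; dropped)
-----BEGIN CERTIFICATE-----
LEAFPLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATEPLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ROOTPLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
KEYPLACEHOLDER
-----END PRIVATE KEY-----
EOF
}

if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  make_sample_chain "$work/chain.pem"
  split_pem "$work/chain.pem" "$work/split"
  echo "wrote $(count_certs "$work/split") certificate files to $work/split"
  ls -l "$work/split"
fi
```

Saved as split_pem.sh, `sh split_pem.sh demo` splits the constructed sample; point split_pem at your own container file to use it for real. Because the split keeps chain order, certificate1.pem is the leaf and the highest-numbered file is normally the root, which the next section's check confirms.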

Check the files for a CA certificate

To check which of the files contains a CA certificate:

  1. Run the following command for each tested PEM file:

    openssl x509 -in filename.pem -text -noout
  2. Look for CA:TRUE or CA:FALSE under X509v3 Basic Constraints in the output.

    CA:TRUE indicates that the PEM file contains a CA certificate.

    CA:FALSE, or no Basic Constraints extension at all, indicates that the PEM file doesn't contain a CA certificate.

Note:

The root certificate is self-signed. A quick way to spot it is that its Issuer and Subject have the same value; matching names alone don't prove that the signature is valid, so if in doubt, verify the file against itself as the only trusted CA.

Validate certificates

Check the certificates before uploading them.

Run the following command to verify that a mutually authenticated TLS connection can be established with the server:

$ curl --cert client.crt --key client.key --cacert ca.crt https://myserver.internal.net:443

Where:

  • --cert client.crt specifies a client certificate file.

  • --key client.key specifies a client private key file.

  • --cacert ca.crt specifies a certificate authority (CA) certificate file.

  • https://myserver.internal.net:443 specifies the URL of the server being tested; 443 is the standard HTTPS port.

The command succeeds only if the server's certificate chains to ca.crt and the server accepts client.crt; if it fails, add -v to see which step of the handshake was rejected.
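Both checks above, classifying each file as CA or leaf and confirming that the material works before upload, scripted with the openssl CLI, as an added example that is not Guidewire's code. Because it needs real certificates, make_test_pki first builds a throwaway root CA and a client leaf issued directly by it, the layout the Create an mTLS configuration section recommends, which also shows the OpenSSL generation that section's note mentions. The subject names, file names and validity periods are assumptions made for this example. cert_role goes a step beyond the Subject-equals-Issuer heuristic by verifying a candidate root against itself, since matching names alone don't prove a valid self-signature.

```shell
#!/bin/sh
# Added example (not Guidewire's code): the checks from "Check the files for
# a CA certificate" and "Validate certificates", scripted with the openssl CLI.
# make_test_pki builds a throwaway root CA and a client leaf issued directly
# by it; subject names, file names and validity periods are assumptions.

# Creates ca.key/ca.pem (self-signed root) and client.key/client.pem in "$1".
make_test_pki() {
  d="$1"
  # Minimal req config: the root gets CA:TRUE and cert-signing key usage only.
  printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = root_ext' \
    '[dn]' '[root_ext]' 'basicConstraints = critical,CA:TRUE' \
    'keyUsage = critical,keyCertSign,cRLSign' 'subjectKeyIdentifier = hash' > "$d/req.cnf"
  openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes \
    -keyout "$d/ca.key" -out "$d/ca.pem" -days 365 \
    -subj "/CN=Example Root CA" >/dev/null 2>&1 || return 1
  # Client key plus CSR, then a 90-day leaf signed by the root (no intermediate).
  openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
    -keyout "$d/client.key" -out "$d/client.csr" \
    -subj "/CN=insurancesuite-client" >/dev/null 2>&1 || return 1
  # Leaf extensions: explicitly not a CA, client authentication only.
  printf '%s\n' 'basicConstraints = critical,CA:FALSE' \
    'keyUsage = critical,digitalSignature' 'extendedKeyUsage = clientAuth' > "$d/leaf.ext"
  openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 90 -extfile "$d/leaf.ext" \
    -out "$d/client.pem" >/dev/null 2>&1 || return 1
  chmod 600 "$d/ca.key" "$d/client.key"
}

# Prints root-ca, intermediate-ca or leaf for the certificate in file "$1".
cert_role() {
  if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
    # Matching Subject and Issuer only suggest self-signature; verifying the
    # file against itself as the sole trust anchor checks the signature.
    if openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; then
      echo root-ca
    else
      echo intermediate-ca
    fi
  else
    # CA:FALSE, or no Basic Constraints extension at all.
    echo leaf
  fi
}

# Succeeds if private key "$2" belongs to certificate "$1" (same public key).
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
    "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# Succeeds if leaf "$2" chains to CA "$1"; "$3" is an optional intermediate file.
chain_verifies() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# Succeeds if certificate "$1" is still valid "$2" seconds from now.
not_expiring() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Runs every check on a CA cert, client cert and client key; returns 1 on any failure.
precheck() {
  ca="$1"; cert="$2"; key="$3"; rc=0
  [ "$(cert_role "$ca")" = root-ca ]   || { echo "$ca is not a self-signed root CA"; rc=1; }
  [ "$(cert_role "$cert")" = leaf ]    || { echo "$cert is not a leaf certificate"; rc=1; }
  key_matches_cert "$cert" "$key"      || { echo "$key does not match $cert"; rc=1; }
  chain_verifies "$ca" "$cert"         || { echo "$cert does not chain to $ca"; rc=1; }
  not_expiring "$cert" $((30 * 86400)) || { echo "$cert expires within 30 days"; rc=1; }
  return $rc
}

if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  make_test_pki "$work" || { echo "openssl key generation failed"; exit 1; }
  precheck "$work/ca.pem" "$work/client.pem" "$work/client.key" && echo "all checks passed"
fi
```

Saved as mtls_precheck.sh, `sh mtls_precheck.sh demo` builds the throwaway PKI and runs precheck on it. precheck covers what the curl command can't express: that the private key belongs to the certificate, that the leaf chains to the CA you intend to upload, and that nothing expires within 30 days (Cloud Platform flags such certificates as Expires soon). chain_verifies accepts an optional intermediate file, which is what you pass if your leaf isn't issued directly by the root.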

Create an mTLS configuration

Note:

To create an outbound mTLS configuration, you first need a Client certificate and a Client private key; generate them, for example, with OpenSSL.

To create an mTLS configuration:

  1. Select Add configuration.

  2. Select the configuration type:

    • Inbound

      This mTLS configuration is used to verify the client certificate presented by third-party applications that connect to the InsuranceSuite application. It's for connections that come from outside the Guidewire network.

      Example: A third-party server initiates an mTLS connection and sends an HTTPS request to the InsuranceSuite application hosted by Guidewire.

    • Outbound

      This mTLS configuration is used to connect to a third-party server using mTLS. You need to provide configuration for both the client (InsuranceSuite) and the server (the remote application called by InsuranceSuite). It's for connections that originate inside the Guidewire network.

      Example: The InsuranceSuite application initiates a connection to a remote database to fetch external data needed to process a policy.

  3. Provide a name for the configuration.

    The name has to be unique for a star system and begin with a letter. The name can contain only letters, digits, or the - character.

  4. For an outbound mTLS configuration, provide a host name.

    The host name has to be a valid domain name and contain at least one period.

  5. Upload certificate files.

    Depending on the configuration type, you have the following options:

    • Inbound, TrustStore section: Client CA certificate

      The CA certificate used to trust inbound mTLS client certificates. A self-signed root CA certificate is required. To avoid issues with intermediate certificates, Guidewire recommends using client leaf certificates issued directly by the root certificate. If the client certificate chain contains intermediate certificates between the leaf and the root, the mTLS client must present the full chain when connecting to the server.

    • Outbound, TrustStore section: Server CA certificate

      The root certificate of the certificate authority (CA) that issued the outbound server's certificate. InsuranceSuite uses it to verify the server's identity during the handshake.

    • Outbound, KeyStore section: Client certificate

      The client certificate that the InsuranceSuite application presents to confirm its identity to the outbound server during the mTLS handshake.

    • Outbound, KeyStore section: Client private key

      The private key that belongs to the client certificate. During the mTLS handshake it signs the handshake transcript (the CertificateVerify message), which proves to the server that InsuranceSuite holds the key for the certificate it presented; nothing is encrypted with it.

    The files must meet the following criteria:

    • Certificate files must have a .pem or .crt extension.
    • Private key files must have a .pem or .key extension.
    • Each file must contain exactly one certificate or one private key.
    • Certificates must be X.509 certificates.

    Cloud Platform accepts certificates that expire soon and highlights them with the Expires soon status. If your mTLS configuration contains such certificates, the Certificates app displays a warning listing these configurations.

    Note:

    You don't need to redeploy an application after uploading certificates.

  6. Select Create.

New mTLS configurations are inactive by default. In order to use an already created configuration, you need to activate it.

Activate and deactivate mTLS configurations

Hover over the mTLS configuration:

  • To activate it, select Activate.

    Your configuration is now active and is displayed in the Activation status column.

  • To deactivate it, select Deactivate.

    Your configuration is now inactive, and is no longer displayed in the Activation status column.

Important:

Outbound connections aren't possible without an active configuration. Activate at least one outbound mTLS configuration for a star system.

Activate and deactivate mTLS for inbound connections

For inbound connections, mTLS is active by default. You can deactivate mTLS for one or more applications or the entire planet:

  1. Select Manage certificates.
  2. Deactivate mTLS:
  • For a planet

    Use the toggle in the Status column.

  • For a deployment

    Open the planet drop-down list and switch the application toggles.

  3. Deploy the affected applications.

Important:

When you deactivate mTLS, the affected applications accept inbound connections without client-certificate authentication; the caller's identity is no longer verified.

Download an mTLS configuration

To save an mTLS configuration to a ZIP file:

  1. Hover over the configuration that you want to download.
  2. Select Download.
  3. Wait for the ZIP file to be prepared and save it.

For security, the ZIP file doesn't contain the Client private key.

Delete an mTLS configuration

To delete an mTLS configuration:

  1. Hover over the configuration that you want to delete.
  2. Select Delete.