Certificates

Overview

Certificates are fundamental to modern cryptography and network security, ensuring the trustworthiness of communication partners and enabling secure key exchanges. A Certification Authority (CA) functions like a central bank in a currency system: just as the Bank of Korea issues and regulates the Korean Won (KRW), a CA issues and authenticates digital certificates.

Logpresso uses a private CA system for self-signed certificates:

  • CA Certificate - Contains the CA’s public key and is shared with the Sentry and the user's web browser. It is the root certificate used to validate web server, RPC, and Sentry certificates.
  • Web Server Certificate - Used for TLS communication (TCP 443) between the Logpresso server and the user's browser.
  • RPC Certificate - Used for RPC communication (TCP 7140) between the Logpresso server and the Sentry.
  • Sentry Certificate - Used by the Sentry as a client certificate for RPC communication (TCP 7140) with the server.

The CA, web server, and RPC certificates are automatically generated when the web installer runs at first login by a cluster administrator. The Sentry certificate is generated when you create a Sentry. All issued certificates can be managed on the Settings > Certificates page.


Note
The certificate management feature is available starting from version 2312.0. Logpresso Server uses TCP port 44300 to distribute Sentry installation files and certificates.

Server Certificate

All server certificates issued by the Logpresso server are listed on the Settings > Certificates page.


  • Type: Certificate type (CA, TLS/SSL, or RPC)
  • S/N: Unique hexadecimal serial number issued with the certificate
  • Subject: Identification information of the certificate holder (CN, Common Name)
  • Issued: Date the certificate was issued
  • Validity Period: Duration during which the certificate is valid

The certificate status is shown in the bottom-left corner of each card—green indicates a valid certificate. On the bottom-right are icons for copying, reissuing, or downloading the certificate.

Copy Certificate Information

Click the Copy icon to copy the certificate’s type, serial number, subject, and validity period to the clipboard.

Reissue Certificate

Certificates are generated automatically during initial setup but must be reissued before they expire. Reissuing updates only the specific certificate—except for the CA certificate, which triggers reissuance of all related server and Sentry certificates.

To reissue a server certificate:

  1. Click the Reissue icon on the certificate card.

  2. In the Reissue Certificate dialog, enter the Expiration Date and the Certificate Password, then click OK.


    • The CA certificate is generated with a default expiration of 3650 days (10 years).
    • The default expiration for other server certificates is 365 days (1 year).

When a certificate is reissued, communication using that certificate is paused and restarted based on the new certificate.

Download Certificate

Click the Download icon to download the certificate.


  • CA Certificates: Downloadable in JKS or DER format.
  • Other Certificates: Downloadable in PFX format.

JKS (Java KeyStore) can be managed with keytool. DER is a binary format compatible with tools like openssl.
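The downloaded files can also be checked outside the UI, for example to catch a certificate that is due for reissue. The shell functions below are an added example, not Logpresso's own tooling: they use openssl to test whether a DER or PFX download expires within a given window, read the serial for comparison with the S/N on the card, and confirm that a PFX certificate chains to the CA file in hand. The function names, the PFX_PASS variable, and the demo certificates (built with the default lifetimes described above) are assumptions of this example.

```shell
# Added example; every certificate here is constructed test material.
# The PFX password comes from $PFX_PASS so it never appears in the process list.

# expires_within DAYS FILE -> exit 0 if the certificate expires within DAYS.
# FILE is DER (CA download) unless its name ends in .pfx (server/Sentry download).
# An unreadable file or wrong password also returns 0, so failures raise an alert.
expires_within() {
    secs=$(( $1 * 86400 ))
    case "$2" in
        *.pfx) openssl pkcs12 -in "$2" -passin env:PFX_PASS -nokeys -clcerts 2>/dev/null |
                   openssl x509 -noout -checkend "$secs" >/dev/null 2>&1 ;;
        *)     openssl x509 -inform DER -in "$2" -noout -checkend "$secs" >/dev/null 2>&1 ;;
    esac
    [ $? -ne 0 ]   # -checkend exits 0 when the certificate is still valid after the window
}

# serial_of DER_FILE -> hexadecimal serial, to compare with the S/N on the card.
serial_of() {
    openssl x509 -inform DER -in "$1" -noout -serial | cut -d= -f2
}

# issued_by_ca CA_DER PFX -> exit 0 if the PFX certificate chains to the CA.
issued_by_ca() {
    t=$(mktemp -d) || return 1
    openssl x509 -inform DER -in "$1" -out "$t/ca.pem" &&
    openssl pkcs12 -in "$2" -passin env:PFX_PASS -nokeys -clcerts \
        -out "$t/leaf.pem" 2>/dev/null &&
    openssl verify -CAfile "$t/ca.pem" "$t/leaf.pem" >/dev/null 2>&1
    rc=$?; rm -rf "$t"; return $rc
}

# make_demo -> prints a directory with a constructed CA (3650 days, ca.der)
# and a constructed server certificate (365 days, srv.pfx).
make_demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.pem" \
        -days 3650 -subj "/CN=Constructed Demo CA" 2>/dev/null &&
    openssl x509 -in "$d/ca.pem" -outform DER -out "$d/ca.der" &&
    openssl req -newkey rsa:2048 -nodes -keyout "$d/srv.key" -out "$d/srv.csr" \
        -subj "/CN=constructed-server" 2>/dev/null &&
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 365 -out "$d/srv.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$d/srv.key" -in "$d/srv.pem" \
        -out "$d/srv.pfx" -passout pass:constructed-pass && echo "$d"
}

PFX_PASS=constructed-pass; export PFX_PASS   # constructed demo password
demo=$(make_demo) && ! expires_within 30 "$demo/srv.pfx" && issued_by_ca "$demo/ca.der" "$demo/srv.pfx" &&
    echo "srv.pfx: valid for 30+ days, issued by CA serial $(serial_of "$demo/ca.der")"
```

A PFX that fails `issued_by_ca` against the current CA download is the situation to expect after the CA certificate has been reissued and a copy of an older certificate is still in circulation.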

Sentry Certificate

Sentry devices connect to the server over TLS and require a dedicated certificate, generated during the Sentry creation process. Both issued and revoked certificates are shown on the Settings > Certificates page.


Search Certificate

You can search for a Sentry certificate by expiration period, status, and keyword.


  • Start Date, End Date: Search by expiration window
  • Status: Filter by Issued, Revoked, or Expired
  • Search: Match terms in the Subject

Reissue Certificate

To reissue a Sentry certificate:

  1. Select the certificate from the list.

  2. Click Reissue on the toolbar.

  3. In the Reissue Certificate dialog, set the new expiration date (default: 365 days).


  4. Click OK to reissue. The new certificate will be sent to the Sentry and the old one revoked. The Sentry will reboot.

  5. Check the Sentry's connection status in System > Sentries.

Revoke Certificate

To revoke a Sentry certificate:

  1. From the Sentry certificate list, select the checkbox of the certificate you want to revoke.

  2. Click Revoke on the toolbar.

  3. When the Revoke Certificate dialog appears, click OK to revoke the certificate. If you do not want to proceed, click Cancel.


  4. Check the Sentry's connection status in System > Sentries. If necessary, remove the Sentry from the list.

Download Certificate

To download a Sentry certificate:

  1. From the Sentry certificate list, check the box of the certificate you want to download. Selecting the checkbox at the top of the list will select all certificates on the current page.

  2. Click Download > Certificates from the toolbar.


    • The file is provided as a ZIP archive containing the Sentry Certificate PFX file, even if only one certificate is selected.

Download Certificate List

To download the certificate list:

  1. Click Download > List from the toolbar.


  2. In the Download Certificate List dialog, specify the File Name, Columns, File Format, Encoding, and Range, then click OK.
