Grid keystores

The certificates used in the grid are partitioned into several single-purpose keystores, which are stored in the grid database.

Some grid applications may have their own keystores. Please review the documentation for those applications when necessary.

Grid CA root certificate

The grid root key pair and certificate are stored in their own keystore in the database. The private key in this keystore is used for signing server, client, and SSL certificates used in the grid, as described in the following sections. The grid monitors the validity of the grid root certificate and issues a notification when it approaches expiration.

Grid server keystores

The server and client keystores, a pair for each host, contain a certificate and the corresponding private key used for internal grid communication. The certificates in these keystores are signed by the grid root key to enable trust between grid hosts. The grid monitors the validity of the server certificates and renews them when they approach expiration.

HTTPS keystores

HTTPS keystores are used for HTTPS connections to the Grid routers. By default, the certificate in the keystore is signed by the grid root key. It is also possible to create a Certificate Signing Request (CSR), have an external Certificate Authority sign the request, and import the signed certificate into the keystore.

HTTPS identities make HTTPS certificate reuse much easier for multi-host deployments. It is also possible to use different HTTPS keystores for different routers on the same host.
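The certificate relationships described above (a root key that signs per-host certificates, a CSR for the external-CA path, and a monitor that flags certificates approaching expiration), reproduced with plain openssl as an added example. This is not the grid's own tooling and does not touch the grid database: it works on files in a temporary directory, and the names, subjects and the deliberately short 20-day host certificate validity are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the grid's own tooling: models the keystore relationships
# described above with plain openssl files instead of database-backed keystores.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Grid CA root: key pair plus self-signed root certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=grid-root-ca" \
  -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null

# 2. Per-host server keystore: a key and CSR, signed with the grid root key.
#    The 20-day validity is constructed so the renewal check below fires.
openssl req -newkey rsa:2048 -nodes -subj "/CN=grid-host-1" \
  -keyout "$WORK/host1.key" -out "$WORK/host1.csr" 2>/dev/null
openssl x509 -req -in "$WORK/host1.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 20 -out "$WORK/host1.crt" 2>/dev/null

# 3. HTTPS keystore, external-CA path: only the CSR is produced here; the signed
#    certificate would come back from the external CA and be imported.
openssl req -newkey rsa:2048 -nodes -subj "/CN=grid-router.example" \
  -keyout "$WORK/router.key" -out "$WORK/router.csr" 2>/dev/null

# verify_chain CERT: succeeds only if CERT chains to the grid root certificate.
verify_chain() {
  openssl verify -CAfile "$WORK/root.crt" "$1" >/dev/null 2>&1
}

# renewal_due CERT DAYS: succeeds if CERT expires within DAYS days
# (openssl -checkend exits non-zero when the certificate will have expired by then).
renewal_due() {
  ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# csr_subject CSR: prints the subject the external CA is being asked to certify.
csr_subject() {
  openssl req -in "$1" -noout -subject | sed 's/^subject=//'
}

# Report, as a monitor would: chain status and renewal status for the host cert.
if verify_chain "$WORK/host1.crt"; then echo "host1: chains to grid root"; fi
if renewal_due "$WORK/host1.crt" 30; then echo "host1: renewal due within 30 days"; fi
echo "router CSR subject: $(csr_subject "$WORK/router.csr")"
```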