Management of PQ certificates.
| Type | Location | Rotation |
|---|---|---|
| Server Certificate | %CERTS_PATH%\server.pfx | Annually |
| Root CA | %CERTS_PATH%\CA\root-ca.crt | 10+ Years |
| Client Certificates | Issued via CA | Annually |
```powershell
# 1. Request new certificate
# 2. Update proxy configuration
# 3. Restart proxy service
Restart-Service "DataGatewayProxy"
```

```bash
# Receive CSR from client
# Sign certificate
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -out client.crt -days 365
```

```bash
# Revoke certificate
openssl ca -revoke client.crt -keyfile ca.key -cert ca.crt
# Update CRL
openssl ca -gencrl -out ca.crl -keyfile ca.key -cert ca.crt
```
The central Trust Server validates certificates:
```http
POST https://trust.intern/api/validate
{
  "certificate": "base64-encoded-cert",
  "purpose": "client-auth"
}
```

Response:

```json
{
  "valid": true,
  "subject": "CN=developer1",
  "issuer": "CN=Internal CA",
  "expiresAt": "2025-12-31T23:59:59Z"
}
```
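The following is an added example, not code from the original page or from the Trust Server project: a fail-closed client for the `POST /api/validate` exchange shown above. It builds the request body (certificate base64-encoded, `purpose` set to `client-auth`), then interprets the response so that anything other than `"valid": true` with a complete, unexpired, expected-issuer answer is rejected. The HTTPS transport is injected as a callable so the code runs offline; `fake_transport`, `SAMPLE_CERT_PEM`, the 30-day renewal warning window and the `expected_issuer` check are assumptions made for this example (the page only shows the endpoint, the request fields and one sample response).

```python
"""Added example: fail-closed client for the Trust Server validate endpoint.

Assumptions not stated on the page: the transport is any callable
(url, json_body) -> parsed JSON; the renewal warning window is chosen to
fit the annual rotation in the table; the sample certificate bytes are a
constructed placeholder, not a real certificate.
"""
import base64
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

TRUST_SERVER_URL = "https://trust.intern/api/validate"  # endpoint from the page
RENEWAL_WARNING = timedelta(days=30)                     # assumption for this example


def build_validate_request(cert_pem: bytes, purpose: str = "client-auth") -> dict:
    """Build the request body: the certificate travels base64-encoded."""
    if not cert_pem or not purpose:
        raise ValueError("certificate bytes and purpose are required")
    return {
        "certificate": base64.b64encode(cert_pem).decode("ascii"),
        "purpose": purpose,
    }


def parse_validate_response(body: dict, expected_issuer: str,
                            now: Optional[datetime] = None) -> dict:
    """Interpret a Trust Server response, failing closed on anything odd.

    Returns {"accepted": bool, "reason": str, "renew_soon": bool}.
    """
    now = now or datetime.now(timezone.utc)
    rejected = {"accepted": False, "renew_soon": False}
    # Only an explicit boolean true counts; "true" strings or missing keys do not.
    if body.get("valid") is not True:
        return {**rejected, "reason": "trust server reported invalid"}
    for key in ("subject", "issuer", "expiresAt"):
        if key not in body:
            return {**rejected, "reason": f"missing field {key}"}
    if body["issuer"] != expected_issuer:
        return {**rejected, "reason": "unexpected issuer"}
    try:
        expires = datetime.fromisoformat(body["expiresAt"].replace("Z", "+00:00"))
    except (ValueError, AttributeError):
        return {**rejected, "reason": "unparseable expiresAt"}
    if expires.tzinfo is None:
        return {**rejected, "reason": "expiresAt lacks timezone"}
    if expires <= now:
        return {**rejected, "reason": "certificate expired"}
    # Valid: flag certificates that fall inside the renewal window.
    return {"accepted": True, "reason": "ok",
            "renew_soon": (expires - now) <= RENEWAL_WARNING}


def validate_certificate(cert_pem: bytes, transport: Callable[[str, dict], dict],
                         expected_issuer: str = "CN=Internal CA",
                         now: Optional[datetime] = None) -> dict:
    """Full round trip: build request, send via transport, interpret reply."""
    request = build_validate_request(cert_pem)
    response = transport(TRUST_SERVER_URL, request)
    if not isinstance(response, dict):
        return {"accepted": False, "reason": "non-object response", "renew_soon": False}
    return parse_validate_response(response, expected_issuer, now)


# Constructed sample data so the example runs offline (not real material).
SAMPLE_CERT_PEM = (b"-----BEGIN CERTIFICATE-----\n"
                   b"Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=\n"
                   b"-----END CERTIFICATE-----\n")
SAMPLE_RESPONSE = {"valid": True, "subject": "CN=developer1",
                   "issuer": "CN=Internal CA", "expiresAt": "2025-12-31T23:59:59Z"}


def fake_transport(url: str, body: dict) -> dict:
    """Stand-in for the HTTPS call; echoes the page's sample response."""
    if url != TRUST_SERVER_URL:
        raise RuntimeError("unexpected URL")
    if base64.b64decode(body["certificate"]) != SAMPLE_CERT_PEM:
        raise RuntimeError("certificate was not forwarded intact")
    return dict(SAMPLE_RESPONSE)


if __name__ == "__main__":
    checked_at = datetime(2025, 12, 15, tzinfo=timezone.utc)
    print(validate_certificate(SAMPLE_CERT_PEM, fake_transport, now=checked_at))
```

The `now` parameter exists so the expiry and renewal logic can be exercised against fixed dates; in production it is left at its default and the response is compared against the current UTC time. Note that the client treats the Trust Server's `expiresAt` as authoritative and does not itself parse the certificate; the server-side check remains the single point of truth.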
For programmatic certificate management with PQ support see: