Article For
5.2

Certificates Management View

  • The built-in RavenDB Studio enables full customization of client certificates as well as importing and exporting of certificates.

  • This article gives brief guidance about the Studio certificate management GUI.
    For detailed explanations including the RavenDB Security Authorization Approach, see the article Certificate Management.

In this page:

Studio Certificates Management View

Figure 1. Studio Certificates Management View

Studio Certificates Management View

  1. Click Manage Server tab.
  2. Select Certificates.
  3. Client certificate
  4. Server certificates
  5. Status of current server certificate. You can click Renew now here.
  6. Status of current client certificates active in this server. You can remove or edit client certificates, including configuring databases permissions and authorization (security clearance) levels here.

Client certificates are managed by RavenDB directly and not through any PKI infrastructure. If you want to remove or reduce the permissions on a certificate handed to a client, you can edit the permissions or remove them entirely in this Studio screen.

Configuring Certificates: Database and Access Permissions

In the image below, the client certificates (HR, localcluster.client.certificate, Project Managers) have different security clearance and database permissions configurations.
This is done to give admins the ability to protect the contents of their databases by customizing permissions.

For example, if an application user should have read/write but not admin access over the HR database, while project managers should have operator permissions on all databases, you can grant different access levels by using different client certificates, each with its own set of permissions.

Figure 2. Status of Registered Certificates

Status of Registered Certificates

Each client certificate contains the following:

  1. Name
    Client certificate name.
  2. Thumbprint
    Unique key for each certificate.
  3. Security Clearance
    Authorization level that determines types of actions that can be done with this certificate.
  4. Expiration date
    Client certificates are given 5 year expiration periods by default.
  5. Allowed Databases
    The databases in this cluster that this client certificate has access to.
  6. Edit Certificate
    Configure which databases it can access (applicable for User level) and its authorization clearance level.
  7. Delete Certificate

Generate Client Certificate

Using this view, you can generate client certificates directly via RavenDB.
Newly generated certificates will be added to the list of registered certificates.

Figure 3. Generate Client Certificate

Generate Client Certificate

When generating a certificate, you must complete the following fields:

  1. Name
  2. Security Clearance level
  3. Allowed databases and access level for each database.
    • If you choose User security clearance, you can give access to specific databases on the server and configure User authorization levels for this certificate.

This information is used by RavenDB internally and is not stored in the certificate itself.

Expiration for client certificates is set to 5 years by default.

Edit Certificate

Every certificate in the list can be edited. The editable fields are:

Figure 5. Edit Certificate

Edit Certificate

  1. Name
  2. Security Clearance level
  3. Allowed databases and access level for each database
    • If you choose User security clearance, you can give access to specific databases on the server and configure User authorization levels for this certificate.

This information is used by RavenDB internally and is not stored in the certificate itself.

Enabling Communication Between Servers: Importing and Exporting Certificates

Upload an Existing Certificate

Using this view you can upload existing client certificates.
Uploaded certificates will be added to the list of registered certificates.

To connect two secure databases, you must

a. Export (download) the .pfx certificate from the destination cluster.
b. Upload (import) the downloaded certificate into the source server.

Figure 4. Upload Existing Certificate

Upload Existing Certificate

When uploading an existing certificate file, you must complete the following fields:

  1. Name
  2. Security Clearance level
  3. Upload the .pfx certificate file from the destination server installation folder.
  4. Select databases and permission levels
    • If you choose User security clearance, you can give access to specific databases on the server and configure User authorization levels for this certificate.

This information is used by RavenDB internally and is not stored in the certificate itself.

Export Server Certificates

Figure 6. Export Server Certificates

Export Server Certificates

This option allows you to export the server certificate as a .pfx file. In the case of a cluster which contains several different server certificates, a .pfx collection will be exported.

Certificate Collections

Pfx files may contain a single certificate or a collection of certificates.

When uploading a .pfx file with multiple certificates, RavenDB will add all of the certificates to the list of registered certificates as one entry and will allow access to all these certificates explicitly by their thumbprint.