Adding TLS certificates in MC

You can add one or more certificates to MC for later use, without immediately associating the certificates with a database. Adding certificates ahead of time makes it easier to configure security for a database or for one or more MC users, because you can just choose a CA or client certificate from a list rather than having to add it to MC during the configuration steps.

Adding CA certificates in MC

To add one or more CA certificates in MC:

  1. From the MC home page, navigate to MC Settings > SSL/TLS Certificates.

  2. Under Manage TLS Certificates for Database Connection, click Add New CA Certificate.

  3. In the Add new CA certificates for TLS connection window, enter an alias for the certificate, to make it easier to refer to later.

  4. Click Browse to locate the certificate file you want to add. MC opens an Explorer window.

  5. Select the file you want to upload, and click Open.

  6. To add just this one certificate, click Add New CA. MC adds the certificate to its list.

  7. To add additional CA certificates, click Add More CA Certificates. MC adds the certificate to a list, and clears the fields so you can enter the next CA certificate.

  8. Repeat the process until you have entered the last certificate you want to add.

  9. Click Add New CA to add all the CA certificates in the list to MC.

Adding client certificates and keys in MC

You can add one or more client certificate and private key pairs to MC. In each pair, you can add either a single certificate, a preexisting certificate chain, or a series of client certificates that MC uses to create a new certificate chain.

To add one or more client certificates with their private key files to MC for later use:

  1. Navigate to Home > MC Settings > SSL/TLS Certificates.

  2. Under Manage TLS Certificates for Database Connection, click Add New Client Certificate. MC displays the Add new Client Certificate and Private Key for TLS Connection screen.

  3. Click one of these file upload options:

    • Upload Client Certificate and Private Key for TLS Connection. With this option, you paste a certificate and key into browser fields. MC posts the certificate and key from your browser to the MC server over an HTTPS connection, secured with TLS/SSL.

    • Manually upload Client Certificate and Private Key on MC host and provide paths. You may prefer not to send the certificate and key from your browser to the MC server across an HTTPS network connection. If so, use this option to specify the paths on the MC server host where you have manually uploaded the client certificate and private key files. The URL in your browser shows the IP address of the MC host. With this option, you must handle the transfer of the certificate and key files to the server yourself.

  4. To provide a single client certificate and private key with either input option:

    • Enter a recognizable alias for the key pair.

    • Browse and select the private key file or provide the path.

    • Browse and select the client certificate file or provide the path.

    • Click Add New Client Certificate.

    • MC adds the key pair to its list.

  5. To upload several certificates and private keys and create a certificate chain:

    • Enter an alias for the key pair.

    • Browse and select the private key file or provide the path.

    • Browse and select the client certificate file or provide the path.

    • Click Add Certificate to Chain (or Add More Certificate Paths).

    • Repeat the process until you have added the last certificate and key for this certificate chain.

    • Click Add New Client Certificate.

    • MC adds the resulting certificate chain to its list.
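
When you stage the files on the MC host yourself and provide paths, it helps to confirm that the certificate is PEM, that the private key belongs to it, and that the key file is not readable by other accounts before entering the paths in MC. The script below is an added example, not part of the MC documentation: the function name `check_pair` and its return codes are hypothetical, and it assumes the `openssl` CLI is installed, the key has no passphrase, and client certificates are PEM like the browser certificate.

```shell
#!/bin/sh
# Added example (not from the MC documentation): pre-checks for a client
# certificate and private key staged on the MC host before giving MC the paths.
# check_pair and its return codes are hypothetical names chosen for this example.
# Assumes the openssl CLI is installed and the key is not passphrase-protected.

# Usage: check_pair <cert.pem> <key.pem>
# Returns: 0 ok, 1 certificate not PEM or unparseable, 2 key unparseable,
#          3 key does not belong to certificate, 4 key accessible beyond owner.
check_pair() {
    cert=$1 key=$2

    # Assumption: client certificates must be PEM, as the page requires for
    # the browser certificate. Insist on the PEM header, then parse the file.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null || {
        echo "FAIL: $cert is not a PEM certificate" >&2; return 1; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "FAIL: $cert does not parse as X.509" >&2; return 1; }

    # Derive the public key from the private key (works for RSA and EC keys).
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "FAIL: $key is not a readable private key" >&2; return 2; }

    # The pair is valid only if both files carry the same public key.
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || {
        echo "FAIL: $key does not match $cert" >&2; return 3; }

    # Group/other permission bits are characters 5-10 of the ls mode string.
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] || {
        echo "FAIL: $key is accessible to group or other users" >&2; return 4; }

    echo "OK: $cert and $key form a valid PEM pair"
}

# Run directly: sh check_pair.sh /path/to/client.pem /path/to/client.key
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
    exit $?
fi
```

For a file that holds a certificate chain, `openssl x509` reads only the first certificate, so the key is compared against the first certificate in the file.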

Adding a new certificate for the browser connection

You can view the existing TLS certificate for the browser connection to the MC server, or add a new certificate to replace it.

To view or replace the current SSL/TLS certificate that MC uses for the HTTPS connection between the user's browser and the MC server:

  1. From the MC home page, navigate to MC Settings > SSL/TLS Certificates.

    The top pane displays the current certificate for the browser connection to the MC server, including the certificate's expiration date.

  2. To replace the current certificate, click Browse next to the Upload a new SSL certificate field.

    MC opens an explorer window.

  3. Select the certificate file you wish to upload and click Open. The certificate file must be in PEM (Privacy-enhanced Email Message) format.

    MC replaces the prior certificate with the new certificate.