Certificate Infrastructure

dbWatch Control Center uses an internal public key infrastructure (PKI) to ensure secure communication, identity management, configuration integrity, and access control across all nodes and users in the domain.

Each Control Center domain operates its own certificate authority (CA) that issues and manages certificates for server nodes, clients, users, and configuration files.

Domain Root Certificate

The Domain Root Certificate is the trust anchor for the entire dbWatch Control Center domain. It:

• Acts as the Certificate Authority (CA) for all issued certificates
• Is self-signed by default, but can be signed by dbWatch AS for external trust scenarios
• Is required to bootstrap trust between nodes (server, monitor, client)

> If a domain’s root certificate is compromised, all trust relationships must be revoked and re-established.

User Identity Certificate

This certificate is used by the domain CA to sign user certificate requests. It ensures:

• That each user identity is cryptographically verifiable
• That Control Center clients only accept users with valid, domain-issued credentials
• Secure authentication and authorization within the UI or command-line (CCC)

Granting Certificate

The Granting Certificate is used by the domain to:

• Sign user permission assignments
• Validate access rights for roles, instances, and modules
• Ensure that privilege changes are authorized and verifiable

This enables strong role-based access control (RBAC) backed by cryptographic assurance.

Configuration Certificate

The Configuration Certificate is used to sign system-wide settings, such as:

• Node configuration files
• Job deployment templates
• Credential distribution

This ensures configuration integrity during replication or rollout to other nodes. Tampering with a signed configuration will result in a validation failure.

Publication Certificate

The Publication Certificate is used to:

• Digitally sign reports, exports, or published datasets generated by Control Center
• Ensure data authenticity when sent to external systems (e.g., emailed reports, dashboard exports)
• Optionally verify the origin of reports if audited or received via third-party systems

Security and Trust Model

All certificates are managed within the dbWatch Control Center domain and:

• Stored securely on the primary server node
• Distributed to clients and monitor nodes during controlled registration
• Validated at connection time between all nodes
• Automatically revoked if a node is deregistered or removed

No external certificate authority is required unless cross-domain trust or third-party integration demands it.

Recommendations

• Keep the domain root certificate and private key secure and backed up
• Use strong passphrases and limited-access storage for certificates
• Rotate certificates periodically or immediately upon compromise
• Do not share domain certificates between unrelated environments
• Enable audit logging for certificate events and domain changes

Related Topics

• Encryption
• Sensitive Data Transmitted
• Domain Configuration – Users and Privileges
• Audit Logging

For advanced certificate management or trust configuration in segmented environments, contact:
support@dbwatch.com