Crypto Catalog
This page documents the cryptographic file layout used internally by dbWatch Control Center to manage identity, encryption, and trust within the Control Center domain. These files support secure communication, certificate-based authentication, and system integrity.
Default Locations
All file paths are relative to the base installation directory.
- Windows: `C:\ProgramData\dbWatchControlCenter`
- Linux: `/var/dbwatch-controlcenter`
> Both platforms use the same folder and file structure. The contents below apply to either path.
Domain Controller – Certificate Authority Files
On the Domain Controller, which acts as the internal CA, the following files are used to manage trust across the domain:
| File Path | Description |
|---|---|
| /crypto/ca/dbw_dc_cert.pem | Domain Controller’s signed certificate |
| /crypto/ca/dbw_dc_pub.pem | Public key of the Domain Controller |
| /crypto/ca/dbw_dc_priv.pem | Private key of the Domain Controller |
| /crypto/keys/root/root_cert.pem | Self-signed root certificate of the domain |
| /crypto/keys/root/root_pub.pem | Root certificate’s public key |
| /crypto/keys/root/root_priv.pem | Root certificate’s private key |
These files are foundational for all domain-issued certificates, including users, nodes, and configuration signatures.
Node Identity and Key Files
Each Monitor or local node stores its unique keypair and certificate under its domain-specific context:
| File Path | Description |
|---|---|
| /crypto/keys/[domain_name]/dbw_cert.pem | Node certificate issued by Domain CA |
| /crypto/contexts/node/dbw_pub.pem | Node’s public key |
| /crypto/contexts/node/dbw_priv.pem | Node’s private key |
| /crypto/contexts/node/keyContext.json | Metadata for key usage and identity context |
> `[domain_name]` corresponds to the active Control Center domain (e.g., `exampledomain.local`).
TLS Communication Context
For secure transport-layer encryption, TLS-specific keys and certificates are maintained separately:
| File Path | Description |
|---|---|
| /crypto/contexts/tls/dbw_pub.pem | TLS public key |
| /crypto/contexts/tls/dbw_priv.pem | TLS private key |
| /crypto/contexts/tls/keyContext.json | Key metadata for TLS operations |
| /crypto/contexts/tls/certificates/CN=dbw-tls-self.pem | Self-signed TLS cert for internal use |
| /crypto/contexts/tls/certificates/CN=tls-[domain].pem | Domain-specific TLS cert (used if externally signed) |
These files are used for securing connections over port 7100 between all Control Center components.
Trust Store (Optional – Cross-Domain)
If dbWatch nodes are expected to trust external certificates (e.g., signed root authorities), trust stores may be populated under:
| File Path | Description |
|---|---|
| /config/node/trustStore/CN=dbw-root-cert-[domain].pem | Trusted external root certificate |
Security Recommendations
- Restrict access to `/crypto/` and `/config/node/trustStore/` directories to administrative users only
- Do not share or replicate private key files (`*_priv.pem`) between environments
- Use OS-level encryption (e.g., LUKS on Linux, BitLocker on Windows) for sensitive storage
- Keep secure backups of CA root and domain keys
- Monitor and rotate certificates as part of standard security operations
Related Topics
- Certificate Infrastructure
- Encryption
- Sensitive Data Stored
- Domain Configuration – Users and Privileges
For assistance managing keys, restoring trust chains, or securing Control Center deployment, contact:
support@dbwatch.com