A certstore (certificate store) is a repository for certificates used to secure audio communication between Instant Connect components. Note that while certstores use standard X.509 certificates—the same as those used to secure HTTPS connections—the certstore described here applies only to the certificates used by the Instant Connect Engage Engine for voice traffic. The ICE certstore is required to securely provide certificates to servers, clients, and other components of the Instant Connect Enterprise system that utilizes the Engage Engine.

In version 3.6.5 and newer, ICE Enterprise systems generate unique certificates during installation or upgrade. In Tactical environments, when an ICE Server is not in use, ICE Mobile, ICE Desktop and ICE Agent components ship with a new, default, certstore.

The following changes to the certstore between versions can potentially effect the behavior and operation of existing environments. User should take note of these special considerations:

Instant Connect clients typically maintain the following two connections to the ICE Server environment:

Each of these connections is secured by a different SSL (X.509-standard) certificate:

Additionally, other certificates may be used, such as those for radio systems, telephony systems, Active Directory (LDAP), and other adjacent systems. This section primarily focuses on the certificates used for mutually authenticating the Engage Engine and Rallypoint.

Mutual authentication means the client provides a certificate to the Rallypoint, and the Rallypoint provides a certificate to the client. Both parties inspect and validate the certificate before completing the connection and allowing information to be sent between them. Verifying a certificate involves checking that it was issued by a certificate authority (“CA”) whose certificate (or certificate chain) is present on the system performing the validation. Each component—the client and the Rallypoint—contains a CA certificate and verifies that the identity certificate from their peer was genuinely created by the certificate authority and appropriately identifies the peer as an authorized agent. This process follows industry standard practices documented elsewhere. (See https://www.ssl.com/article/browsers-and-certificate-validation/).

When Instant Connect is first installed, the ICE OS Installation Wizard offers the option to create a default set of all certificates and provision them throughout the system, or to upload your own certificates. Administrators can also apply a different set of certificates at any time. The following three sets (bundles) of certificates are used in the Instant Connect media ecosystem:

While these certificate bundles are distinct elements, their contents must be interrelated for them to work. When supplying a new configuration of certificate bundles, ICE Server will validate that all three certificate bundles interoperate by ensuring these constraints are met: