Mods certificate verification in Spotfire: Pinned vs. Windows Store Certificates.


Article ID: KB0137838


Products: Spotfire
Versions: All

Description

When working with Mods in Spotfire, users may encounter different certificate verification statuses, specifically "Verified with root certificate from: N/A - Verified by pinned certificate" and "Verified with root certificate from: Windows certificate store." 

This distinction is crucial for understanding how Mods are secured and how they behave, especially in environments without internet access.

Pinned Certificates: Offline Verification

Mods displaying "Verified with root certificate from: N/A - Verified by pinned certificate" are signed by certificates that are pre-installed or "pinned" within the Spotfire product itself. These are typically the same certificates used to sign "Data Science Mods."

The key characteristic of pinned certificates is that they allow the Mod to bypass the standard certificate verification process. This means that Spotfire does not need to connect to external certificate authorities or rely on the operating system's certificate store to validate the Mod's authenticity. This makes pinned certificates particularly suitable for environments where Spotfire Server or Web Player servers do not have internet access, as the verification can occur entirely offline.


Windows Certificate Store Verification: Online Dependency

In contrast, Mods that show "Verified with root certificate from: Windows certificate store" rely on the operating system's built-in certificate management for verification. This process typically involves checking the certificate chain against trusted root certificates present in the Windows certificate store. For this verification to succeed, the system often needs to reach out to online certificate authorities (CAs) to confirm the validity and revocation status of the certificates.

This dependency on external verification makes Mods signed with Windows certificate store roots less ideal for offline environments. If the Spotfire server or web player lacks internet access, the verification process may fail, potentially preventing the Mod from being loaded or used.
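
To gauge this online dependency on a given server, the following added example (not from the original article, and not Spotfire's own verification logic) builds the Windows certificate chain for a signer certificate under three revocation modes and lists the CRL/OCSP URLs the certificate references. The file path and the function name Test-ModSignerChain are assumptions; it presumes the Mod signer's certificate has been exported to a .cer file.

```powershell
# Added example, not Spotfire code. $CertPath is a hypothetical path to the
# Mod signer's certificate exported as a .cer file.
param([string]$CertPath = 'C:\temp\mod-signer.cer')

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

function Test-ModSignerChain {
    param($Certificate, [string]$RevocationMode)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # NoCheck = trust path only; Offline = cached CRLs only; Online = fetch CRL/OCSP.
    $chain.ChainPolicy.RevocationMode      = $RevocationMode
    $chain.ChainPolicy.RevocationFlag      = 'ExcludeRoot'
    $chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15

    $valid = $chain.Build($Certificate)
    # On a partial chain the last element may be the leaf, not a root.
    $last  = $chain.ChainElements | Select-Object -Last 1

    [pscustomobject]@{
        RevocationMode = $RevocationMode
        ChainValid     = $valid
        LastElement    = $last.Certificate.Subject
        Status         = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
    $chain.Reset()
}

# URLs this host would need to reach for revocation data and issuer retrieval
# (CRL Distribution Points and Authority Information Access extensions).
$cert.Extensions |
    Where-Object { $_.Oid.Value -in '2.5.29.31', '1.3.6.1.5.5.7.1.1' } |
    ForEach-Object { "{0}:`n{1}" -f $_.Oid.FriendlyName, $_.Format($true) }

# Reading the results:
#   NoCheck valid, Online reports RevocationStatusUnknown or OfflineRevocation
#     -> the chain anchors in the local store, but revocation cannot be confirmed from this host.
#   NoCheck reports PartialChain or UntrustedRoot
#     -> an intermediate or root certificate is missing from the Windows certificate store.
'NoCheck', 'Offline', 'Online' |
    ForEach-Object { Test-ModSignerChain -Certificate $cert -RevocationMode $_ } |
    Format-Table -AutoSize -Wrap
```

Run it on the Spotfire Server or Web Player host itself, since the result depends on that machine's certificate store and outbound connectivity.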


Achieving "Verified by Pinned Certificate"

The desire to achieve "Verified with root certificate from: N/A - Verified by pinned certificate" stems from the benefits of offline verification. However, it's important to understand that this status cannot be arbitrarily assigned to any Mod.

"If a mod isn't signed by such a certificate, there's no way to turn it into a pinned certificate."

This implies that if a Mod is not inherently signed by a certificate that Spotfire recognizes as pinned, there is no workaround or configuration change that can force it to be verified as such.

Conclusion

  • The difference between "Verified by pinned certificate" and "Verified with root certificate from: Windows certificate store" lies in their verification mechanisms and their reliance on external connectivity. 
  • Pinned certificates offer a robust offline verification method, making them suitable for secure, air-gapped environments. 
  • Windows certificate store verification, while standard for many applications, requires internet access for full certificate chain validation. 
  • For users seeking the offline verification benefits of pinned certificates, the Mod must be signed with a certificate already recognized and pinned by the Spotfire product.
  • There is no method to make a Mod verify as pinned if it lacks a signature from an existing pinned certificate.

Environment

All

Issue/Introduction

This article details Mods certificate verification in Spotfire, specifically comparing Pinned and Windows Store Certificates.
