Skip to content

Certificates

The Certificates page manages TAK CA certificates used for secure communication between TAK clients and the MAGK platform. Certificates authenticate players and encrypt CoT data streams over SSL connections.

Certificate Overview

MAGK uses a private Certificate Authority (CA) to issue client certificates for TAK devices. The certificate chain is:

TAK CA (Root) → Client Certificate (per player/device)

TAK clients (ATAK, iTAK, WinTAK) use these certificates to establish mTLS connections on port 8089 (SSL CoT) and port 8443 (Marti API).

TAK CA Certificate

The TAK CA is the root certificate authority for all TAK client certificates.

Generating the CA

  1. Navigate to CertificatesCA Management
  2. Click Generate CA to create a new TAK CA certificate
  3. Configure CA settings:
Setting Type Default Description
Common Name Text MAGK TAK CA CA certificate common name
Organization Text MAGK Tech Organization name in the certificate
Validity (Days) Number 3650 CA certificate validity period
Key Size Select 2048 RSA key size (2048 or 4096)
  1. Click Generate to create the CA certificate and private key

CA Regeneration

Regenerating the CA invalidates all existing client certificates. All players will need new certificates and data packages. Only regenerate the CA if the existing one is compromised or expired.

CA Status

The CA status panel shows:

Field Description
Status Active, Expired, or Not Generated
Common Name CA certificate common name
Created CA generation date
Expires CA expiration date
Issued Certificates Number of client certificates issued under this CA

Client Certificates

Client certificates are issued to individual players or devices for TAK client authentication.

Issuing a Certificate

Certificates can be issued in several ways:

Method Description
Manual Issue a certificate from the Certificates page for a specific player
On Registration Automatically issue a certificate when a player's registration is approved
On Data Package Issue as part of a Data Package generation
Enrollment API TAK clients request certificates via the enrollment endpoint (port 8446)

Manual Issuance

  1. Click Issue Certificate
  2. Select the player from the dropdown
  3. Configure certificate settings:
Setting Type Default Description
Common Name Text Player callsign Certificate common name (identifies the player)
Validity (Days) Number 365 Certificate validity period
  1. Click Issue to generate the client certificate

Certificate List

Column Description
Common Name Certificate common name (player callsign)
Player Associated player account
Status Active, Revoked, or Expired
Issued Issuance date
Expires Expiration date
Serial Certificate serial number

Certificate Distribution

Issued certificates are distributed to players via Data Packages. A data package bundles the client certificate, CA certificate, and server connection configuration into a single file that TAK clients can import.

See Data Packages for distribution details.

Revocation

Revoke a certificate to immediately block a player's TAK client access:

  1. Find the certificate in the certificate list
  2. Click Revoke
  3. Confirm the revocation

Revoked certificates cannot be reinstated. Issue a new certificate if the player needs access restored.

Revocation Effect

Revocation takes effect on the next connection attempt. Active SSL connections using the revoked certificate may remain open until they disconnect or the TAK service is restarted.

  • Data Packages — Bundle certificates for distribution
  • Registrations — Certificate issuance on registration approval
  • Federation — Federate certificates between TAK servers
  • Settings — TAK service SSL configuration