Certificates¶
The Certificates page manages TAK CA certificates used for secure communication between TAK clients and the MAGK platform. Certificates authenticate players and encrypt CoT data streams over SSL connections.
Certificate Overview¶
MAGK uses a private Certificate Authority (CA) to issue client certificates for TAK devices. The certificate chain is:
TAK CA (Root) → Client Certificate (per player/device)
TAK clients (ATAK, iTAK, WinTAK) use these certificates to establish mTLS connections on port 8089 (SSL CoT) and port 8443 (Marti API).
TAK CA Certificate¶
The TAK CA is the root certificate authority for all TAK client certificates.
Generating the CA¶
- Navigate to Certificates → CA Management
- Click Generate CA to create a new TAK CA certificate
- Configure CA settings:
| Setting | Type | Default | Description |
|---|---|---|---|
| Common Name | Text | MAGK TAK CA | CA certificate common name |
| Organization | Text | MAGK Tech | Organization name in the certificate |
| Validity (Days) | Number | 3650 | CA certificate validity period |
| Key Size | Select | 2048 | RSA key size (2048 or 4096) |
- Click Generate to create the CA certificate and private key
CA Regeneration
Regenerating the CA invalidates all existing client certificates. All players will need new certificates and data packages. Only regenerate the CA if the existing one is compromised or expired.
CA Status¶
The CA status panel shows:
| Field | Description |
|---|---|
| Status | Active, Expired, or Not Generated |
| Common Name | CA certificate common name |
| Created | CA generation date |
| Expires | CA expiration date |
| Issued Certificates | Number of client certificates issued under this CA |
Client Certificates¶
Client certificates are issued to individual players or devices for TAK client authentication.
Issuing a Certificate¶
Certificates can be issued in several ways:
| Method | Description |
|---|---|
| Manual | Issue a certificate from the Certificates page for a specific player |
| On Registration | Automatically issue a certificate when a player's registration is approved |
| On Data Package | Issue as part of a Data Package generation |
| Enrollment API | TAK clients request certificates via the enrollment endpoint (port 8446) |
Manual Issuance¶
- Click Issue Certificate
- Select the player from the dropdown
- Configure certificate settings:
| Setting | Type | Default | Description |
|---|---|---|---|
| Common Name | Text | Player callsign | Certificate common name (identifies the player) |
| Validity (Days) | Number | 365 | Certificate validity period |
- Click Issue to generate the client certificate
Certificate List¶
| Column | Description |
|---|---|
| Common Name | Certificate common name (player callsign) |
| Player | Associated player account |
| Status | Active, Revoked, or Expired |
| Issued | Issuance date |
| Expires | Expiration date |
| Serial | Certificate serial number |
Certificate Distribution¶
Issued certificates are distributed to players via Data Packages. A data package bundles the client certificate, CA certificate, and server connection configuration into a single file that TAK clients can import.
See Data Packages for distribution details.
Revocation¶
Revoke a certificate to immediately block a player's TAK client access:
- Find the certificate in the certificate list
- Click Revoke
- Confirm the revocation
Revoked certificates cannot be reinstated. Issue a new certificate if the player needs access restored.
Revocation Effect
Revocation takes effect on the next connection attempt. Active SSL connections using the revoked certificate may remain open until they disconnect or the TAK service is restarted.
Related Pages¶
- Data Packages — Bundle certificates for distribution
- Registrations — Certificate issuance on registration approval
- Federation — Federate certificates between TAK servers
- Settings — TAK service SSL configuration