Certificate Authority
A Certificate Authority (CA) acts as the initially trusted shared entity between peers and issues signed certificates so that each party can trust the other. The CA issues and installs digital certificates and also generates certificate signing requests (CSRs).
A certificate generally acts as the identity of a server or client, and this API can be used to issue server and client certificates for setting up trusted communication channels to the CipherTrust Manager system.
CipherTrust Manager distinguishes between local CAs and external CAs. A local CA can issue signed certificates since the private signing key is stored inside the CipherTrust Manager system. An external CA does not store the private key. Instead an external CA is used as a trusted entity for various interfaces and services inside the system. In this case certificates are issued externally. It is fine to have a mix of both.
The first time a CipherTrust Manager is started, a new local KeySecure root CA is automatically generated. This CA is used to issue initial server certificates for the interfaces available in the system.
An easy way to inspect the certificate chain is to view the certificates in your browser when you connect to the web interface. All interfaces and services will by default trust this CA, meaning that for interfaces that support client authentication, a client certificate issued from this initial KeySecure root CA will automatically be trusted by the system. If preferred, it is possible to create new local CAs and/or external CAs and use these instead for the internal interfaces and services.
Many CA operations can be performed via the CipherTrust Manager GUI.
Here are a few basic procedures for creating CAs and issuing certificates using the CLI Tool (ksctl).
Creating a local CA
When creating a new local CA, it remains pending until signed:
ksctl ca locals create --cn "Test CA" --csr-outfile csrfile
This returns a CSR; the private key remains inside the CipherTrust Manager. The CSR can be signed by an external CA.
To simply self-sign the CA with a one-year duration, use the id returned by the call above:
ksctl ca locals self-sign --id 3593c53b-fbeb-4edb-b84d-c85526ae2f83 -x 365
Issuing a signed certificate
CipherTrust Manager can only issue certificates for “local” CAs. To create a certificate, a CSR must first be generated.
For the highest level of security, it is usually best for the CSR to be generated externally to CipherTrust Manager so the private key is never exposed. However, you can also select Download CSR from the pending CA on the GUI as this will not include the private key.
For convenience, CipherTrust Manager can create a CSR and private key for you:
ksctl ca csr --cn "My Client" --csr-outfile csrfile --key-outfile keyfile
To add Subject Alternative Name (SAN) values, use the following command. Both SAN flags are optional; if multiple values are specified, separate them with commas.
ksctl ca csr --cn "My Client" --csr-outfile csrfile --key-outfile keyfile --dns "thalesgroup.com,thalesgroup2.com" --ips 1.1.1.1
Note
You cannot add SANs to the default web server certificate after deployment.
Instead, perform the following steps:
1. Generate a new CSR with the SAN fields. Refer to the above command.
2. Issue a new certificate using the generated CSR. Refer to the below command.
3. Update the web interface by uploading this issued certificate and restart the system.
Once you have a CSR, you can have the CipherTrust Manager issue a certificate:
ksctl ca locals certs issue --ca-id 3593c53b-fbeb-4edb-b84d-c85526ae2f83 --csr-infile csrfile -x 700 -o client
Note
It is also possible to create the CSR and the private key using any other software, as this API is stateless and doesn't store anything within CipherTrust Manager.
Note
When signing the local CA and certificate, the start of the validity period is set one day (24 hours) before the current date; therefore the notBefore field also reflects that date. This is done to handle differences between time zones. The certificate duration should not exceed the CA duration. However, if the requested certificate duration exceeds the CA duration, the certificate duration is automatically set to the CA's duration.
Steps to generate CA certificate on CipherTrust Manager
To generate a CA certificate with an IP SAN field for use as the caBundle, perform the following steps:
1. Log on to the CipherTrust Manager GUI.
2. Navigate to CA > CSR Generator. The CSR Generator screen appears.
3. Select the Generic CSR radio button and provide the following details:
   a. Common name
   b. Algorithm as RSA
   c. IP address of the CipherTrust Manager machine.
   You may skip the remaining parameters as they are optional.
4. Click Generate CSR and download Private Key.
5. Make sure to save the generated CSR and private key.
6. Navigate to CA > Local. The list of available CAs is displayed.
7. Click the name of any local CA displayed on the page. The screen listing the certificates issued by that CA is displayed.
8. Click Upload CSR and provide the following details:
   a. Display name
   b. CSR
   c. Certificate Purpose as Server.
9. Click Issue Certificate.
10. Click the ellipsis icon corresponding to the newly generated certificate and select Download.
11. Save the downloaded certificate.
12. Navigate to Admin Settings > Interfaces.
13. Click the ellipsis icon corresponding to the web interface type and select Certificate Options. The Interface Certificate Options on 'web' screen is displayed.
14. Select Upload New Certificate and click OK.
15. On the Upload Certificate screen, do the following:
   a. Upload the certificate issued in step 9 and the private key saved in step 5.
   b. Select Format as PEM.
   c. Click Upload Certificate.
16. Restart the CipherTrust Manager services.
17. Navigate to Admin Settings > Interfaces.
18. Click the ellipsis icon corresponding to the web interface type and select Download Certificate.
19. Save the downloaded CA certificate.
20. Base64-encode the downloaded certificate. This encoded value is used for the caBundle.
Certificate expiration check
The CipherTrust Manager inspects the expiration date of the following types of certificates every day, at a preset system time, and logs a record:
- Local CA certificates available on CipherTrust Manager
- Certificates issued by a local CA and available on CipherTrust Manager
- External CA certificates uploaded to CipherTrust Manager
The CipherTrust Manager then creates a list of certificates based on their expiration date:
- Certificates whose expiration dates are within 91 days: this list is logged in the Records section once every week
- Certificates whose expiration dates are within 7 days: this list is logged in the Records section once every day
- Certificates that are already expired: this list is logged in the Records section once every day
Note
Interface settings such as NAE allow you to upload certificates directly. The CipherTrust Manager does not check the expiration dates of these certificates.
You can also create alarm triggers for these records. For more details, go to Creating Alarm Trigger for Certificate Expiration.
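As an added illustration, not code from CipherTrust Manager or ksctl, the following Python reproduces the bucketing described above over a constructed certificate inventory. Two points the page leaves open are treated as assumptions: the 91-day list also contains the certificates that are within 7 days, and the weekly record is written on Mondays.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Thresholds from the expiration-check description.
WARN_DAYS = 91    # list logged once a week
URGENT_DAYS = 7   # list logged once a day

# Certificate types the daily check inspects. Anything else, for example a
# certificate uploaded directly in an interface setting such as NAE, is skipped.
CHECKED_KINDS = {"local_ca", "local_ca_issued", "external_ca"}


@dataclass(frozen=True)
class CertRecord:
    name: str
    kind: str
    not_after: datetime


def parse_rfc3339(value: str) -> datetime:
    """Parse the notAfter timestamp format ksctl prints, e.g. 2023-05-09T15:13:08Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify(certs, now):
    """Bucket certificates by remaining lifetime.

    Assumption (not stated on the page): the 91-day list also contains the
    certificates that are within 7 days, since those are within 91 days too.
    """
    buckets = {"expired": [], "within_7_days": [], "within_91_days": [], "skipped": []}
    for cert in certs:
        if cert.kind not in CHECKED_KINDS:
            buckets["skipped"].append(cert.name)
            continue
        remaining = cert.not_after - now
        if remaining <= timedelta(0):
            buckets["expired"].append(cert.name)
            continue
        if remaining <= timedelta(days=URGENT_DAYS):
            buckets["within_7_days"].append(cert.name)
        if remaining <= timedelta(days=WARN_DAYS):
            buckets["within_91_days"].append(cert.name)
    return buckets


def records_due(buckets, now, weekly_weekday=0):
    """Return the record entries the check would write on this run.

    The 91-day list is logged weekly and the other two daily; the weekday of
    the weekly run is an assumption (Monday, weekday() == 0, by default).
    """
    due = {"within_7_days": buckets["within_7_days"], "expired": buckets["expired"]}
    if now.weekday() == weekly_weekday:
        due["within_91_days"] = buckets["within_91_days"]
    return due


# Constructed sample inventory: names and dates are made up for this example.
SAMPLE_NOW = parse_rfc3339("2023-05-01T00:00:00Z")  # a Monday
SAMPLE_CERTS = [
    CertRecord("KeySecure Root CA", "local_ca", parse_rfc3339("2031-05-09T15:13:08Z")),
    CertRecord("admin", "local_ca_issued", parse_rfc3339("2023-05-09T15:13:08Z")),
    CertRecord("nae", "local_ca_issued", parse_rfc3339("2023-05-05T00:00:00Z")),
    CertRecord("old-partner-ca", "external_ca", parse_rfc3339("2023-04-30T23:59:59Z")),
    CertRecord("nae-uploaded", "interface_upload", parse_rfc3339("2023-05-02T00:00:00Z")),
]

if __name__ == "__main__":
    result = classify(SAMPLE_CERTS, SAMPLE_NOW)
    for record, members in records_due(result, SAMPLE_NOW).items():
        print(f"{record}: {members}")
```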
Revoke/resume certificate signed by the local CA
The CipherTrust Manager allows you to revoke/resume the client/server certificates signed by the local CA. You can also revoke/resume the certificates of intermediate CAs.
In addition, you can:
Publish and maintain the Certificate Revocation List (CRL) for the certificates revoked by the local CA.
Migrate the revocation status of the certificates from KeySecure Classic to CipherTrust Manager.
Resume the revoked certificates.
Note
Revocation of a local CA is not supported; only certificates signed by the local CA can be revoked.
You can only resume the certificates revoked with the reason "certificateHold".
To revoke a certificate signed by the local CA
Syntax
ksctl ca locals certs revoke --ca-id <ca-identifier> --id <cert-identifier> --reason <revocation-reason>
Example request
ksctl ca locals certs revoke --ca-id localca-f8aabd4f-6459-4cb0-a26a-dfd88129bd5e --id cert-2526ebf8-8ac2-4e3b-8c2c-9752c3da536d --reason certificateHold
Example response
{
"id": "2526ebf8-8ac2-4e3b-8c2c-9752c3da536d",
"uri": "kylo:kylo:naboo:certs:2526ebf8-8ac2-4e3b-8c2c-9752c3da536d",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2021-05-10T15:13:08.429514Z",
"updatedAt": "2021-05-12T06:45:05.421753856Z",
"cert": "-----BEGIN CERTIFICATE-----\nMIIEuDCCAqCgAwIBAgIQOivQNtvy1bsD+ZtTiktSbjANBgkqhkiG9w0BAQsFADBa\nMQswCQYDVQQGEwJVUzELMAkGA1UECBMCTUQxEDAOBgNVBAcTB0JlbGNhbXAxEDAO\nBgNVBAoTB0dlbWFsdG8xGjAYBgNVBAMTEUtleVNlY3VyZSBSb290IENBMB4XDTIx\nMDUwOTE1MTMwOFoXDTIzMDUwOTE1MTMwOFowJTEOMAwGA1UEAxMFYWRtaW4xEzAR\nBgoJkiaJk/IsZAEBEwMxMjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB\nAQDf0/l5sDKlmZ940mc3YAmpdEHmAPf6kDZgtqpuN9ftXji65WIHywZ5VN/5YYVD\nREdbs96kAdNMNyec8As0E0lbgirxaW2HFOzVcdfUyh8FnQWq4kAcGBdL19gvdEm6\noZOaX6XlKZq3REfvFXjPg3YkhOvmaiF/9WFoVafCplpgpib3kiijd3m1ZUHP+uxW\nkfJ6ddxMs3Qe3gltfmpnjoHY433rzh2CFr/W5wufRKZWmlu2OBwTKJsixJbcRJR1\n93+XVELt6r7UmrycZjmi3RIMkJ0WC+KpkL0ZetYtXL/7IykRkzlqAwKI4mpyJjAS\n/3yQgJKCdSBz80BzmbnDevQ9AgMBAAGjga4wgaswDgYDVR0PAQH/BAQDAgOIMBMG\nA1UdJQQMMAoGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUl4YP\nF8V39/lnMb8i5iDOPtXjQ4owVQYDVR0fBE4wTDBKoEigRoZEaHR0cDovL2tleXNl\nY3VyZS5sb2NhbC9jcmxzL2Y4YWFiZDRmLTY0NTktNGNiMC1hMjZhLWRmZDg4MTI5\nYmQ1ZS5jcmwwDQYJKoZIhvcNAQELBQADggIBAAYsYXivy9vD+WMqs4ceC+W3O8Tx\nIW/jaCHfWZKXr4fk01n1Mh020T67wIKqQXUoTKgp9U7vmNMd/RKrj1NS19lEh8sm\nHxy7/bvcSDXajw2LpsmIRaWeqYgO0qOTluMQMMnSBiLbdgSAXKEAjRMQQvQfzqUV\neTSPWaWzyFbnfhSEfU0s46Xs61gWTfvwclvB40Xk7HKFTNUP/xPIfLlhT4H9J3Bx\nyrWz5bJY1z6Cx95/gXsQptccmYik+WGY7IJofvNJD8ugc1t6SeVG2aEl8fNiuS5a\np9O6ThUcM3MqHcL0cOlqm9+jzs5j8pUWbJ+7lsDS17Y+uFvHEJN8XGXQLhFf3p/4\nvNgyMAmB9uvC5rbqEsCKUgpxkNa0sm0WflVoIQ1h2ku01yqtG8krma9qr4zy+bML\nO6Zk37Vn1/8pUjGYWHIPhjX6e+/wlRIMufyqKg7M/OHlg0S6eOpaX13tXxYNnaVm\ngN2mKfvmN3W6sMdtCKifRNeTcuF5R7ZRWXKqHp00Y6N2Tk2FyZjgWAxUtg7VnLPW\nRfuQBQ/Jud7zVDWxtftv6nmrV1nlqErPPDnRt3D49AD5lj4+JhdzKz47F094T++8\n+rauAODq6i+FZe/05RwSCB1fqWJ8ja9gwAWaBVXfQpIDIY3KFTC2tZhjUUOii++d\nP6WaJc1NqTcWns8H\n-----END CERTIFICATE-----\n",
"ca": "kylo:kylo:naboo:localca:f8aabd4f-6459-4cb0-a26a-dfd88129bd5e",
"revoked_reason": "certificateHold",
"revoked_at": "2021-05-12T06:45:05.421580648Z",
"state": "revoked",
"sha1Fingerprint": "C5BF83559D11C81ED84D8F7CC15094DA365D775D",
"sha256Fingerprint": "11C91396CB62BA28EDAE07E79681C25276C7B93DBA033DF08DEB13D9FDBE353F",
"sha512Fingerprint": "28C66DAA4775F37B4294964D45BCC9DB8BAD26C24EB4D9370DE6AB3BEF32C4D156D5FC45D98F6201F97F0D5DEBB43BBC6E24A1FE3743F64E5D1F0B9B2B93FCEE",
"serialNumber": "77322715608031240047279766081599394414",
"subject": "/CN=admin",
"issuer": "/C=US/ST=MD/L=Belcamp/O=Gemalto/CN=KeySecure Root CA",
"notBefore": "2021-05-09T15:13:08Z",
"notAfter": "2023-05-09T15:13:08Z"
}
To resume a certificate signed by the local CA
Syntax
ksctl ca locals certs resume --ca-id <ca-identifier> --id <cert-identifier>
Example Request
ksctl ca locals certs resume --ca-id localca-f8aabd4f-6459-4cb0-a26a-dfd88129bd5e --id cert-2526ebf8-8ac2-4e3b-8c2c-9752c3da536d
Example Response
{
"id": "2526ebf8-8ac2-4e3b-8c2c-9752c3da536d",
"uri": "kylo:kylo:naboo:certs:2526ebf8-8ac2-4e3b-8c2c-9752c3da536d",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2021-05-10T15:13:08.429514Z",
"updatedAt": "2021-05-12T06:44:54.401005002Z",
"cert": "-----BEGIN CERTIFICATE-----\nMIIEuDCCAqCgAwIBAgIQOivQNtvy1bsD+ZtTiktSbjANBgkqhkiG9w0BAQsFADBa\nMQswCQYDVQQGEwJVUzELMAkGA1UECBMCTUQxEDAOBgNVBAcTB0JlbGNhbXAxEDAO\nBgNVBAoTB0dlbWFsdG8xGjAYBgNVBAMTEUtleVNlY3VyZSBSb290IENBMB4XDTIx\nMDUwOTE1MTMwOFoXDTIzMDUwOTE1MTMwOFowJTEOMAwGA1UEAxMFYWRtaW4xEzAR\nBgoJkiaJk/IsZAEBEwMxMjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB\nAQDf0/l5sDKlmZ940mc3YAmpdEHmAPf6kDZgtqpuN9ftXji65WIHywZ5VN/5YYVD\nREdbs96kAdNMNyec8As0E0lbgirxaW2HFOzVcdfUyh8FnQWq4kAcGBdL19gvdEm6\noZOaX6XlKZq3REfvFXjPg3YkhOvmaiF/9WFoVafCplpgpib3kiijd3m1ZUHP+uxW\nkfJ6ddxMs3Qe3gltfmpnjoHY433rzh2CFr/W5wufRKZWmlu2OBwTKJsixJbcRJR1\n93+XVELt6r7UmrycZjmi3RIMkJ0WC+KpkL0ZetYtXL/7IykRkzlqAwKI4mpyJjAS\n/3yQgJKCdSBz80BzmbnDevQ9AgMBAAGjga4wgaswDgYDVR0PAQH/BAQDAgOIMBMG\nA1UdJQQMMAoGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUl4YP\nF8V39/lnMb8i5iDOPtXjQ4owVQYDVR0fBE4wTDBKoEigRoZEaHR0cDovL2tleXNl\nY3VyZS5sb2NhbC9jcmxzL2Y4YWFiZDRmLTY0NTktNGNiMC1hMjZhLWRmZDg4MTI5\nYmQ1ZS5jcmwwDQYJKoZIhvcNAQELBQADggIBAAYsYXivy9vD+WMqs4ceC+W3O8Tx\nIW/jaCHfWZKXr4fk01n1Mh020T67wIKqQXUoTKgp9U7vmNMd/RKrj1NS19lEh8sm\nHxy7/bvcSDXajw2LpsmIRaWeqYgO0qOTluMQMMnSBiLbdgSAXKEAjRMQQvQfzqUV\neTSPWaWzyFbnfhSEfU0s46Xs61gWTfvwclvB40Xk7HKFTNUP/xPIfLlhT4H9J3Bx\nyrWz5bJY1z6Cx95/gXsQptccmYik+WGY7IJofvNJD8ugc1t6SeVG2aEl8fNiuS5a\np9O6ThUcM3MqHcL0cOlqm9+jzs5j8pUWbJ+7lsDS17Y+uFvHEJN8XGXQLhFf3p/4\nvNgyMAmB9uvC5rbqEsCKUgpxkNa0sm0WflVoIQ1h2ku01yqtG8krma9qr4zy+bML\nO6Zk37Vn1/8pUjGYWHIPhjX6e+/wlRIMufyqKg7M/OHlg0S6eOpaX13tXxYNnaVm\ngN2mKfvmN3W6sMdtCKifRNeTcuF5R7ZRWXKqHp00Y6N2Tk2FyZjgWAxUtg7VnLPW\nRfuQBQ/Jud7zVDWxtftv6nmrV1nlqErPPDnRt3D49AD5lj4+JhdzKz47F094T++8\n+rauAODq6i+FZe/05RwSCB1fqWJ8ja9gwAWaBVXfQpIDIY3KFTC2tZhjUUOii++d\nP6WaJc1NqTcWns8H\n-----END CERTIFICATE-----\n",
"ca": "kylo:kylo:naboo:localca:f8aabd4f-6459-4cb0-a26a-dfd88129bd5e",
"revoked_at": "0001-01-01T00:00:00Z",
"state": "active",
"sha1Fingerprint": "C5BF83559D11C81ED84D8F7CC15094DA365D775D",
"sha256Fingerprint": "11C91396CB62BA28EDAE07E79681C25276C7B93DBA033DF08DEB13D9FDBE353F",
"sha512Fingerprint": "28C66DAA4775F37B4294964D45BCC9DB8BAD26C24EB4D9370DE6AB3BEF32C4D156D5FC45D98F6201F97F0D5DEBB43BBC6E24A1FE3743F64E5D1F0B9B2B93FCEE",
"serialNumber": "77322715608031240047279766081599394414",
"subject": "/CN=admin",
"issuer": "/C=US/ST=MD/L=Belcamp/O=Gemalto/CN=KeySecure Root CA",
"notBefore": "2021-05-09T15:13:08Z",
"notAfter": "2023-05-09T15:13:08Z"
}
Certificate revocation list (CRL)
CRL is a list of certificates that have been revoked by the CA before their scheduled expiration date and should no longer be trusted.
On CipherTrust Manager, when you create a local root CA, one CRL file is created for the CA with the name <local_ca_id>.crl. It is mandatory to pass valid DNS names while creating the local root CA to ensure that the CRL URL is accessible. If DNS names are not provided, the default name keysecure.local is used.
When a new certificate is issued by the local root CA, the certificate contains the URL of the CRL. You can check the URL of the CRL in the certificate under CRL Distribution Points by decoding it, and you can download the CRL file from that URL.
Example: OpenSSL command to decode the certificate and check the URL of the CRL:
openssl x509 -in intermediate/certs/bob2@example.com.cert.pem -noout -text
The relevant part of the output:
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://keysecure.local/1d073d93-b156-49ee-8533-e338953fc6d9.crl
Steps to download and decode the CRL
Download the CRL from the URL and decode it to check the revocation list:
openssl crl -in 1d073d93-b156-49ee-8533-e338953fc6d9.crl -noout -text
After decoding, you can see the list of revoked certificates, identified by their serial numbers. The serial numbers are in hex format, whereas CipherTrust Manager stores serial numbers in decimal format.
Therefore, to convert a serial number to decimal format, run the following (bc expects the hex digits in upper case):
echo "ibase=16; <hex_serial_number>" | bc
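As an added example, not part of the product documentation or of ksctl, the following Python reads the revokedCertificates entries out of a DER-encoded CRL with a minimal stdlib-only DER walker and performs the hex-to-decimal serial conversion described above, so a CipherTrust Manager decimal serialNumber can be looked up directly in a CRL. The CRL it parses is constructed inside the script (RFC 5280 shape, placeholder signature), and the large decimal serial is the one shown in the revoke example earlier on this page.

```python
# ---- minimal DER encoding, used only to build the constructed sample CRL ----
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def der_int(n: int) -> bytes:
    # The extra byte keeps a leading 0x00 when the top bit is set (positive INTEGER).
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def der_seq(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))

def der_utctime(s: str) -> bytes:
    return tlv(0x17, s.encode("ascii"))

SHA256_RSA = der_seq(bytes.fromhex("06092a864886f70d01010b"), b"\x05\x00")  # AlgorithmIdentifier
CN_OID = bytes.fromhex("0603550403")                                        # id-at-commonName

def build_sample_crl(serials) -> bytes:
    """Constructed v2 CRL with a placeholder signature: the shape of RFC 5280, not real CA output."""
    issuer = der_seq(tlv(0x31, der_seq(CN_OID, tlv(0x0C, b"KeySecure Root CA"))))
    revoked = der_seq(*(der_seq(der_int(s), der_utctime("230512064505Z")) for s in serials))
    tbs = der_seq(der_int(1), SHA256_RSA, issuer,
                  der_utctime("230512064505Z"), der_utctime("230612064505Z"), revoked)
    fake_signature = tlv(0x03, b"\x00" * 33)  # BIT STRING, 0 unused bits; not a valid signature
    return der_seq(tbs, SHA256_RSA, fake_signature)

# ---- minimal DER decoding ----
def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element), handling long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body: bytes):
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        out.append((tag, value))
    return out

def revoked_serials(crl_der: bytes) -> list:
    """Return the revoked serial numbers as Python ints (empty if the CRL lists none)."""
    _, cert_list, _ = read_tlv(crl_der, 0)         # CertificateList
    _, tbs, _ = read_tlv(cert_list, 0)             # TBSCertList
    fields = children(tbs)
    idx = 1 if fields[0][0] == 0x02 else 0         # optional version INTEGER
    idx += 3                                       # signature, issuer, thisUpdate
    if idx < len(fields) and fields[idx][0] in (0x17, 0x18):
        idx += 1                                   # optional nextUpdate (UTCTime/GeneralizedTime)
    if idx >= len(fields) or fields[idx][0] != 0x30:
        return []                                  # revokedCertificates absent
    return [int.from_bytes(children(entry)[0][1], "big") for _, entry in children(fields[idx][1])]

def hex_to_decimal(hex_serial: str) -> str:
    """openssl prints serials in hex (optionally colon-separated); ksctl shows them in decimal."""
    return str(int(hex_serial.replace(":", ""), 16))

def decimal_to_hex(decimal_serial: str) -> str:
    return format(int(decimal_serial), "X")

def is_revoked(crl_der: bytes, decimal_serial: str) -> bool:
    """Look up a CipherTrust Manager decimal serialNumber in the CRL."""
    return int(decimal_serial) in revoked_serials(crl_der)

# Two constructed serials plus the decimal serialNumber from the revoke example above.
SAMPLE_SERIALS = [0x0A1B2C, 0x80FF, 77322715608031240047279766081599394414]
SAMPLE_CRL = build_sample_crl(SAMPLE_SERIALS)

if __name__ == "__main__":
    for serial in revoked_serials(SAMPLE_CRL):
        print(f"hex {serial:X}  decimal {serial}")
    print("revoked:", is_revoked(SAMPLE_CRL, "77322715608031240047279766081599394414"))
```

Replace SAMPLE_CRL with the bytes of a downloaded <local_ca_id>.crl file to check a real serial; the parser does not verify the CRL signature, so do that with openssl first.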
Managing upcoming server certificate
When a server certificate is about to expire, we need to advertise to the service consumers (the clients) that a new replacement certificate chain will be coming soon. This allows the clients to prepare upfront to accept both old and new server CA chains in order to avoid any downtime when the Server CA certificate actually switches to the new one.
Therefore, a mechanism is introduced for clients to check whether a new CA server certificate is pending, so that they have the chance to download it and configure their local trusted CA stores in time.
The following operations can be performed:
Get upcoming certificate
Put or upload upcoming certificate
Delete upcoming certificate
Apply upcoming certificate
All the responses in the subsequent sections contain the certificate chain including the CA.
Get upcoming certificate
To fetch the upcoming server certificate:
Example request
ksctl interfaces renewal-cert get --name nae
Example response
{
"certificates": "-----BEGIN CERTIFICATE-----\nMIICajCCAg+gAwIBAgIQX8CTju31Jry7vZyOCoIq+TAKBggqhkjOPQQDAjCBijEL\nMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlRYMQ8wDQYDVQQHEwZBdXN0aW4xNjA0BgNV\nBAkTLTk0NDIgQ2FwaXRhbCBvZiBUZXhhcyBIaWdod2F5IE5vcnRoIFN1aXRlIDQw\nMDEPMA0GA1UEChMGVGhhbGVzMRQwEgYDVQQDEwtDaXBoZXJUcnVzdDAeFw0yMzA0\nMTMwNzEwNTRaFw0yNDA0MTMwNzEwNTRaMIGKMQswCQYDVQQGEwJVUzELMAkGA1UE\nCBMCVFgxDzANBgNVBAcTBkF1c3RpbjE2MDQGA1UECRMtOTQ0MiBDYXBpdGFsIG9m\nIFRleGFzIEhpZ2h3YXkgTm9ydGggU3VpdGUgNDAwMQ8wDQYDVQQKEwZUaGFsZXMx\nFDASBgNVBAMTC0NpcGhlclRydXN0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nxP1SETV3zzuYodXPWGaIT46oJStDQj1dnp8QHTVSZjY6+dNZ/U6ZiOpR+yPlNXFs\nQmDfn/EtC0ViaAqbszQAF6NVMFMwDgYDVR0PAQH/BAQDAgKkMBMGA1UdJQQMMAoG\nCCsGAQUFBwMBMCwGA1UdEQQlMCOBIXRlY2huaWNhbC5zdXBwb3J0QHRoYWxlc2dy\nb3VwLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAmCR6dDLlPoAykXqmSCIbypFFq276\nFKcKRh1QLTrX8ncCIQCblJYOuV+PqLqg+7gwZ5+R6Y1LFsA4PqyPdnTLC6xz6g==\n-----END CERTIFICATE-----\n"
}
It returns the public portion (only public key and CA chain) of the upcoming renewal certificate in the PEM format.
Upload upcoming certificate
To upload a new upcoming server certificate and its CA chain:
Example request
ksctl interfaces renewal-cert upload --name nae --file ./serverCertKey.pem --format pem
Make sure not to activate it yet for the interface.
The certificate and its associated key data must be in PEM format or base64-encoded PKCS12 format. The certificate can also include a chain of certificates. For the certificate chain, maintain this order: <server CA> <root CA>.
Example response
{
"certificates": "-----BEGIN CERTIFICATE-----\nMIIEqjCCApKgAwIBAgIQZkQE+oYbUzqL+bmYF2f3VjANBgkqhkiG9w0BAQsFADBa\nMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVFgxDzANBgNVBAcTBkF1c3RpbjEPMA0G\nA1UEChMGVGhhbGVzMRwwGgYDVQQDExNDaXBoZXJUcnVzdCBSb290IENBMB4XDTIz\nMDMyMjA2MTExOVoXDTMzMDMxODA5MzM1OFowDjEMMAoGA1UEAxMDbmFlMIIBIjAN\nBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuB2UJMu2lMYSx181SaLKXxuOrz39\nDFd6yae+fzFYXzyZxudRDeHMSt0knPoV2L3Wsfp8PibtAKHyUK6b8Ego9Ccah16X\nYeOmeehBcYk/IwbUcp0LAW4/4lB/a++Gkd9HPmUmOezbVMOyjk4LoerSLiqfbXIU\nHpbrFcxuTNKjve1ymMMT2LubguXWu6xPB6faZtspn3ZB22FgqT4KPULUrDuiTTJ3\nwXJyKCIEb5kpEIk56u6aE2N+IGQ2gFWN9tHWr6SwjQNm7QhdV63y5+JLMXyHuINf\nLr24fHEBUoSptbu4yhTu5t7hlO5TTKIV/PBjjvbYtt0uYIcQhw3U5qhQWQIDAQAB\no4G3MIG0MA4GA1UdDwEB/wQEAwIDiDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNV\nHRMBAf8EAjAAMB8GA1UdIwQYMBaAFDEexvfPs6aqKYwDCCc6r7dQUEhKMF4GA1Ud\nHwRXMFUwU6BRoE+GTWh0dHA6Ly9jaXBoZXJ0cnVzdG1hbmFnZXIubG9jYWwvY3Js\ncy9iMTk2M2U4NS0wMmUxLTQ2MmQtYTQzNi1hNWUxMWNlY2NhMDEuY3JsMA0GCSqG\nSIb3DQEBCwUAA4ICAQA+4SrI4C42l4C8Aw5CAlbPdLFpOMoABwaCg2p0DqR0Su7E\nXZSZexDxod8w/5aNZAJ2rrHCJqwaDoKehNfaa/fQ/wDhVPkw6Nn2gjn6IEVNpxgU\nBQbE+i0vmU0NnsHF6VEMh3299sf94K9IxHqZbDgogBeBLxtqjvLSsECeoHmMfL2V\n/GfzMXKsiHp97gNwK8Mt6vWA4uJ/ojhK5mUlfRoEp4MyH6IuauLoWMNDGQ9xEmj9\nRYKzZgZsEraS3sOLj3ZWDkpF/tGMAiadqRav9Zyb7/mMJ014RZdpRKMtLFQ/xqnM\nZPsKYj0g+Q9BfK2vRKmTX2phTnjqeoVTy3qB6XxIHItmViURCT0t40tva7Ici89U\nxYanshAtFyCzq+1aMKbt+SeDD6jo2Q4LBNnMTK8liZqMhNUs3A0rz1mTlpUbiLBi\nd4Nz8d55iJxwOMSkbdQvWpoXHJnDEQW9d/9KFgnJu4nR8192Yta5BuxvuZHY57HL\nriA3FJ+VFzZeZpEJOdUIpaAfGcsMBWd+irH+uPA70bcrkIlF+9YCr81LOcv7gY7l\n8cIMrAIkMjY3YMOgXmqxzHq1WeooHKFrtrjYJDL9gVeKn2EmMWCSYY1lKXzZ1pgG\nmdEOyrSYjCYgMyj5vp/Irfl57KwVVUo5DHzVx9fBLWAosKdeXNgyrXwhEUzx9A==\n-----END CERTIFICATE-----\n"
}
Delete upcoming certificate
To delete the previously uploaded upcoming renewal certificate for the specified interface:
Example request
ksctl interfaces renewal-cert delete --name nae
There will be no response if the certificate is deleted successfully.
Apply upcoming certificate
To replace the existing or in-use certificate of the specified interface with the upcoming renewal certificate:
Example request
ksctl interfaces renewal-cert apply -n nae
There will be no response if the renewal certificate applies successfully.
Renewing CA certificate
The CipherTrust Manager allows you to renew the CA certificates in the certificate chain when they are about to expire. When the CA in the certificate chain expires, the entire certificate chain validation fails.
In such scenarios, the user has to create a new CA and renew the client/server certificates or both using the new CA.
When to renew
To avoid any service downtime, it is recommended to prepare the new CA certificate chain in advance of the CA expiration. During the overlapping period, the new server certificate chain, as described in the section below, should be downloaded and added to the trust store in the client's setup.
How to renew
The CA certificate chain renewal process contains the following steps as described in the below headings.
Create a new CA
The CipherTrust Manager provides a utility that copies the CSR attributes of the old CA while creating a new CA. Only the key pair and the validity/expiration date are altered. To copy the CSR attributes of the old CA, use the copy_from_ca: <old_ca_id> field.
Example request
ksctl ca locals create --cn example.com --copy-from-ca b1963e85-02e1-462d-a436-a5e11cecca01
Example response
{
"id": "305c1af0-e087-4004-aeba-d59f275ac477",
"uri": "kylo:kylo:naboo:localca:305c1af0-e087-4004-aeba-d59f275ac477",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2023-03-22T07:04:18.33905Z",
"updatedAt": "2023-03-22T07:04:18.33905Z",
"name": "example-CA",
"state": "pending",
"csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIIE1jCCAr4CAQAwUjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlRYMQ8wDQYDVQQH\nEwZBdXN0aW4xDzANBgNVBAoTBlRoYWxlczEUMBIGA1UEAxMLZXhhbXBsZS5jb20w\nggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDR4xfGAJcGT3eg432YHXF7\nm+5Vtm5lDATk6sdDL8oEJFrHNVFtZG8hNdw8hK2pNmbFoKk2DRF8sAPc8t/3KumP\nKZLdzKdhi5V088dOr4crz/pj/zd0r7X3E77WSNr5R+O5kIa/UC9txQBi5TtxsJeo\n45clpIvcNfADVrYdZUtnW/60zuNEreTvKTztlcYaV30aYsDe6qAKR/5jQKlpXWwZ\n4jSrIwE0PRZIoGDhgVPn62dx3Ii3cSaZresr56sfFtVgyn8IQKNqDCGQi+a2c5TC\nTdi5MV/JCi2aPM7I5Tx3bunb1dkYye/tLtP6awT66FUgGTFcGZrg5USkpCLM/GC8\n7GekiL4AY1SyXOWrO98uu8Xkm16iMwGSmAbModr2rNqSKmzSkuZER6JCQ4GstKZS\n13NGUlz9qFivE24QM7eh+acz23eOFVGowAq+gA9atQyrkhVOBu/sT3MpHsOCUB/+\nSBofYFpSzROUQ9rSr/H/dSR/wGKFeNr6NnuR+otESQNe6GwzNWqGdkIyTxq6H47v\n/j1UwYaEWQolj6YtX0MUVR6HNWv5GNXkAGvPbBAP7e6k4+tDJQ3J0Zv8HjN1YUhe\nKo9KhKcVTOMSfd0PCTnD/JIGTlR2KBwmue5QvBRulfozlOPKX07py6NPHgmcdnjQ\n5Fdwia0orliOLD8nj8OGCQIDAQABoD8wPQYJKoZIhvcNAQkOMTAwLjAsBgNVHREE\nJTAjgSF0ZWNobmljYWwuc3VwcG9ydEB0aGFsZXNncm91cC5jb20wDQYJKoZIhvcN\nAQENBQADggIBALy6p5tjaDzg7WJzF5K2eOZ4LNS7Nm71qRNc68wHCU1YViobF8WF\npUAXK/IZ7apKLGIwPT8Sz39r3JDtN00UIAWVxSrnR6PVmiPEjuDICj1wWswSYCoA\nrW8hlUR8Ph5dzzto88vSxJpc2TvfaW6h46/+Day/iKbAjlGrGMiqFA6Prha7aJo6\nGphMfQx7EQWXSqeo3EIDfbZVKwn5zd676yKiyKGSowtR5B6pgftfwbLY6iVldjpX\nxbYjJvbFZk6G1T1LTOZC5YxS4foDj0WyKn7XK6QkJ+VDaHWX76Z9zfnPosHZmWqD\nFFVvnlP0afRi0vKyuLBV6pbQEVrEtgG/uaaxUm1ItYksIVSgjuPLgrLrj46lYUxc\nAbwxJRvtwZNWPfxgrqQeJrN/+5gGU/div4oO8py5Yq75G8o2fBzXbjK9/pYNe0Mo\n5Y01vP3Id5hWHZDNaND1TjxqgzoGGU2vgxN6GTesgsOxjwzunOO6YQTzbHMQ6ZHe\n10xncYrMSiiiLVE6ZvG8SZipODtPvUF2C/EcZmG7VSTqNYw9szc6vu20RlkeBds2\nUuvwv9t069IRfLv6OuSQJNQQuGJhzvFWv068q0spDuAdxPTWYnXnBhKaPC6YNDGE\n6/tjV1ldCwtbfhKesGs16A61u1hkOXbJVZvKFczrZmg0TmcYcG+B2ARs\n-----END CERTIFICATE REQUEST-----\n",
"subject": "/C=US/ST=TX/L=Austin/O=Thales/CN=example.com",
"notBefore": "0001-01-01T00:00:00Z",
"notAfter": "0001-01-01T00:00:00Z",
"sha1Fingerprint": "7666371994B5A8EB88F25925108EEE381629F20A",
"sha256Fingerprint": "48D3918E611D51FB37643146461FBB78B582AF528766C4E76FF2350F6011152F",
"sha512Fingerprint": "491913CB31D2567BFE7EE85B9F01B4D0E63A1B64C06E145EB111002FA6C649F28D4A9C52C307ECF554BC35CF906A1E1EFBB1FD29A9CF193E99144B37CD86E1FE"
}
This operation returns a CSR that either can be self-signed or signed by another CA.
Renew client certificate using new CA
After the new CA is created, renew the client certificate using the new CA.
For clients that have a profile associated, use the following steps to renew the client certificate:
1. Update the client profile with the new CA using the ca_id field.
Example request
ksctl clientmgmt profiles update --profile-id 2fa716db-2264-473f-86a6-1c0d31c69fdc --ca_id localca-b1963e85-02e1-462d-a436-a5e11cecca01
Example response
{
"id": "2fa716db-2264-473f-86a6-1c0d31c69fdc",
"uri": "kylo:kylo:client-management:generic-client-profiles:ceb226b8-8151-4e26-ab6c-038b4ae797e8",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2023-01-12T17:33:11.690693Z",
"updatedAt": "2023-01-12T23:27:06.275532Z",
"ca_id": "localca-b1963e85-02e1-462d-a436-a5e11cecca01",
"csr_params": {
  "csr_city": "example-city",
  "csr_cn": "example.com",
  "csr_country": "example",
  "csr_email": "john.doe@example.com",
  "csr_org_name": "example",
  "csr_org_unit": "example tech",
  "csr_state": "example-state",
  "csr_uid": ""
}
}
2. Renew the client certificate.
Example request
ksctl clientmgmt clients renew --client-id 1e33456b-8782-43a2-9efe-b415dc76ce52 --cert-duration 730
Example response: the response returns the client_id together with the renewed cert, its csr, and the issuing ca_cert, all PEM-encoded.
For clients that don't have any profile associated, run the following command and pass the ca_id in the request:
Example request
ksctl clientmgmt clients renew --client-id 72e24314-dc1e-4bfe-80c1-8127900cee9b --ca_id 911671ca-6c15-45cf-a0a8-bcde9e82f721 --cert-duration 730
Renew server certificate using new CA
To renew the server certificate using the new CA, perform the following steps:
1. Issue a new server certificate from the new CA.
2. Create a certificate chain and combine the parts into a single PEM or PKCS12 file. The file should include the following in the indicated order:
   a. Server certificate
   b. Any intermediate certificate authorities that sign the server certificate. Start with the intermediate CA that issued the server certificate. Next, add the issuer of the intermediate CA, if any. Continue adding any intermediate CAs higher up the hierarchy, each time adding the issuer of the last certificate you added.
   c. The root CA that signs any intermediate CAs. If there are no intermediate CAs, add the root CA that issued the server certificate.
   d. The server certificate's private key.
3. Upload the certificate chain to the CipherTrust Manager.
Example request
ksctl interfaces renewal-cert upload --name nae --file ./serverCertKey.pem --format pem
serverCertKey.pem (the server certificate followed by its RSA private key, both PEM-encoded)
Example response
{ "certificates": "-----BEGIN CERTIFICATE-----\nMIIEqjCCApKgAwIBAgIQZkQE+oYbUzqL+bmYF2f3VjANBgkqhkiG9w0BAQsFADBa\nMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVFgxDzANBgNVBAcTBkF1c3RpbjEPMA0G\nA1UEChMGVGhhbGVzMRwwGgYDVQQDExNDaXBoZXJUcnVzdCBSb290IENBMB4XDTIz\nMDMyMjA2MTExOVoXDTMzMDMxODA5MzM1OFowDjEMMAoGA1UEAxMDbmFlMIIBIjAN\nBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuB2UJMu2lMYSx181SaLKXxuOrz39\nDFd6yae+fzFYXzyZxudRDeHMSt0knPoV2L3Wsfp8PibtAKHyUK6b8Ego9Ccah16X\nYeOmeehBcYk/IwbUcp0LAW4/4lB/a++Gkd9HPmUmOezbVMOyjk4LoerSLiqfbXIU\nHpbrFcxuTNKjve1ymMMT2LubguXWu6xPB6faZtspn3ZB22FgqT4KPULUrDuiTTJ3\nwXJyKCIEb5kpEIk56u6aE2N+IGQ2gFWN9tHWr6SwjQNm7QhdV63y5+JLMXyHuINf\nLr24fHEBUoSptbu4yhTu5t7hlO5TTKIV/PBjjvbYtt0uYIcQhw3U5qhQWQIDAQAB\no4G3MIG0MA4GA1UdDwEB/wQEAwIDiDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNV\nHRMBAf8EAjAAMB8GA1UdIwQYMBaAFDEexvfPs6aqKYwDCCc6r7dQUEhKMF4GA1Ud\nHwRXMFUwU6BRoE+GTWh0dHA6Ly9jaXBoZXJ0cnVzdG1hbmFnZXIubG9jYWwvY3Js\ncy9iMTk2M2U4NS0wMmUxLTQ2MmQtYTQzNi1hNWUxMWNlY2NhMDEuY3JsMA0GCSqG\nSIb3DQEBCwUAA4ICAQA+4SrI4C42l4C8Aw5CAlbPdLFpOMoABwaCg2p0DqR0Su7E\nXZSZexDxod8w/5aNZAJ2rrHCJqwaDoKehNfaa/fQ/wDhVPkw6Nn2gjn6IEVNpxgU\nBQbE+i0vmU0NnsHF6VEMh3299sf94K9IxHqZbDgogBeBLxtqjvLSsECeoHmMfL2V\n/GfzMXKsiHp97gNwK8Mt6vWA4uJ/ojhK5mUlfRoEp4MyH6IuauLoWMNDGQ9xEmj9\nRYKzZgZsEraS3sOLj3ZWDkpF/tGMAiadqRav9Zyb7/mMJ014RZdpRKMtLFQ/xqnM\nZPsKYj0g+Q9BfK2vRKmTX2phTnjqeoVTy3qB6XxIHItmViURCT0t40tva7Ici89U\nxYanshAtFyCzq+1aMKbt+SeDD6jo2Q4LBNnMTK8liZqMhNUs3A0rz1mTlpUbiLBi\nd4Nz8d55iJxwOMSkbdQvWpoXHJnDEQW9d/9KFgnJu4nR8192Yta5BuxvuZHY57HL\nriA3FJ+VFzZeZpEJOdUIpaAfGcsMBWd+irH+uPA70bcrkIlF+9YCr81LOcv7gY7l\n8cIMrAIkMjY3YMOgXmqxzHq1WeooHKFrtrjYJDL9gVeKn2EmMWCSYY1lKXzZ1pgG\nmdEOyrSYjCYgMyj5vp/Irfl57KwVVUo5DHzVx9fBLWAosKdeXNgyrXwhEUzx9A==\n-----END CERTIFICATE-----\n" }
For clients, the chain uploaded in the previous step is available to download.
Example request
ksctl interfaces renewal-cert get --name nae
Example response
{ "certificates": "-----BEGIN CERTIFICATE-----\nMIIEqjCCApKgAwIBAgIQZkQE+oYbUzqL+bmYF2f3VjANBgkqhkiG9w0BAQsFADBa\nMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVFgxDzANBgNVBAcTBkF1c3RpbjEPMA0G\nA1UEChMGVGhhbGVzMRwwGgYDVQQDExNDaXBoZXJUcnVzdCBSb290IENBMB4XDTIz\nMDMyMjA2MTExOVoXDTMzMDMxODA5MzM1OFowDjEMMAoGA1UEAxMDbmFlMIIBIjAN\nBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuB2UJMu2lMYSx181SaLKXxuOrz39\nDFd6yae+fzFYXzyZxudRDeHMSt0knPoV2L3Wsfp8PibtAKHyUK6b8Ego9Ccah16X\nYeOmeehBcYk/IwbUcp0LAW4/4lB/a++Gkd9HPmUmOezbVMOyjk4LoerSLiqfbXIU\nHpbrFcxuTNKjve1ymMMT2LubguXWu6xPB6faZtspn3ZB22FgqT4KPULUrDuiTTJ3\nwXJyKCIEb5kpEIk56u6aE2N+IGQ2gFWN9tHWr6SwjQNm7QhdV63y5+JLMXyHuINf\nLr24fHEBUoSptbu4yhTu5t7hlO5TTKIV/PBjjvbYtt0uYIcQhw3U5qhQWQIDAQAB\no4G3MIG0MA4GA1UdDwEB/wQEAwIDiDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNV\nHRMBAf8EAjAAMB8GA1UdIwQYMBaAFDEexvfPs6aqKYwDCCc6r7dQUEhKMF4GA1Ud\nHwRXMFUwU6BRoE+GTWh0dHA6Ly9jaXBoZXJ0cnVzdG1hbmFnZXIubG9jYWwvY3Js\ncy9iMTk2M2U4NS0wMmUxLTQ2MmQtYTQzNi1hNWUxMWNlY2NhMDEuY3JsMA0GCSqG\nSIb3DQEBCwUAA4ICAQA+4SrI4C42l4C8Aw5CAlbPdLFpOMoABwaCg2p0DqR0Su7E\nXZSZexDxod8w/5aNZAJ2rrHCJqwaDoKehNfaa/fQ/wDhVPkw6Nn2gjn6IEVNpxgU\nBQbE+i0vmU0NnsHF6VEMh3299sf94K9IxHqZbDgogBeBLxtqjvLSsECeoHmMfL2V\n/GfzMXKsiHp97gNwK8Mt6vWA4uJ/ojhK5mUlfRoEp4MyH6IuauLoWMNDGQ9xEmj9\nRYKzZgZsEraS3sOLj3ZWDkpF/tGMAiadqRav9Zyb7/mMJ014RZdpRKMtLFQ/xqnM\nZPsKYj0g+Q9BfK2vRKmTX2phTnjqeoVTy3qB6XxIHItmViURCT0t40tva7Ici89U\nxYanshAtFyCzq+1aMKbt+SeDD6jo2Q4LBNnMTK8liZqMhNUs3A0rz1mTlpUbiLBi\nd4Nz8d55iJxwOMSkbdQvWpoXHJnDEQW9d/9KFgnJu4nR8192Yta5BuxvuZHY57HL\nriA3FJ+VFzZeZpEJOdUIpaAfGcsMBWd+irH+uPA70bcrkIlF+9YCr81LOcv7gY7l\n8cIMrAIkMjY3YMOgXmqxzHq1WeooHKFrtrjYJDL9gVeKn2EmMWCSYY1lKXzZ1pgG\nmdEOyrSYjCYgMyj5vp/Irfl57KwVVUo5DHzVx9fBLWAosKdeXNgyrXwhEUzx9A==\n-----END CERTIFICATE-----\n" }
Now, the clients can use this new chain to set up their environment.
After the clients have been updated with the new certificate chain, the admin can apply the new certificate chain on the CipherTrust Manager. This replaces the existing server certificates with the newly generated server certificates.
Example request
ksctl interfaces renewal-cert apply --name nae
There will be no response if the new certificate chain is applied successfully.
If the administrator does not apply the new certificate chain manually on the CipherTrust Manager, the auto-apply option is triggered when the CA expires.
Creating an external CA
To create an external CA you just need to upload the PEM-formatted certificate file:
ksctl ca externals upload --cert-infile mycert.pem
Verifying revocation status of client certificates
The CipherTrust Manager can be configured to verify the revocation status of the client certificate presented to the NAE or KMIP interface before establishing a connection with the client.
To configure the CipherTrust Manager to inspect the client certificate revocation status:
Select the TLS verify client cert Interface Mode.
Enable the Certificate Revocation Check.
A certificate contains an OCSP responder URL and a Certificate Revocation List (CRL) URL, which are used for verifying the revocation status of the certificate.
Note
An LDAP URL is not supported, that is, if the CRL or OCSP URL begins with ldap://, the CipherTrust Manager skips that URL.
Let's understand how CipherTrust Manager verifies the revocation status of a certificate and permits or drops connection requests in each case:
CipherTrust Manager looks in the client certificate for an OCSP responder URL and a CRL URL.
If an OCSP URL is present
CipherTrust Manager accesses this URL to verify the revocation status of the client certificate.
Note
The certificate to be verified must contain the URL of the certificate issuer (CA). The issuer certificate should be specified using the AIA extension of X.509. The issuer URL should be an http URL and must be accessible. If the issuer URL is not specified in the certificate, the certificate revocation check "Soft Fails" and the connection is created.
If the OCSP URL is accessible, the status of the certificate is verified successfully, and CipherTrust Manager allows or drops the connection request accordingly.
If the OCSP URL is not accessible for any reason, CipherTrust Manager treats the situation as a "Soft Fail". It allows the connection to be established, but reports a warning. This warning audit log and its details can be viewed in the Records.
If no OCSP URL is present, but a CRL URL is present
CipherTrust Manager verifies the status of the certificate using the CRL, and allows or drops the connection request accordingly.
If the CRL URL is accessible, the status of the certificate is verified successfully, and CipherTrust Manager allows or drops the connection request accordingly.
If the CRL URL is not accessible for any reason, CipherTrust Manager treats the situation as a "Soft Fail". It allows the connection to be established, but reports a warning. This warning audit log and its details can be viewed in the Records.
If neither an OCSP URL nor a CRL URL is present
CipherTrust Manager considers the client certificate to be signed by its local CA, and allows the connection to be established.
Note
In any case, if the certificate is found to be revoked, CipherTrust Manager drops the connection request and logs it in Records.
OCSP and CRL caching
As stated above, verifying the revocation status of a certificate involves connecting to the URL (OCSP or CRL) present in the certificate and checking its revocation status. Once the revocation status of a certificate has been verified, CipherTrust Manager stores this information for a preset time.
Let's understand how long this information is stored and how it is used within that time frame:
For the OCSP method
After successfully connecting to the OCSP URL, CipherTrust Manager stores the revocation status of the client certificate for a duration of 5 minutes.
If CipherTrust Manager receives another connection request from the same client within 5 minutes of a previously successful connection, it refers to the cached revocation status value to verify the certificate's revocation status.
If CipherTrust Manager receives another connection request from the same client more than 5 minutes after a previously successful connection, it verifies the certificate's revocation status through the OCSP URL again.
For the CRL method
Each CA promises to update its CRL at the day and time specified in the Next Update field for that CA. While performing a certificate revocation check, the CipherTrust Manager inspects the Next Update value for the CRL associated with each CA on the CipherTrust Manager.
If the Next Update value for that CRL is in the past, the CipherTrust Manager attempts to connect to the CRL distribution point (CDP) for the CA to download the updated CRL.
If the Next Update value for that CRL is in the future, the CipherTrust Manager waits until that specified time to attempt to connect to the CDP and download the updated CRL.
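The decision flow above (OCSP first, then CRL, then "local CA"; ldap:// URLs skipped; unreachable responders and a missing issuer URL treated as a Soft Fail that allows the connection but leaves a warning) and the two caching rules (OCSP result reused for 5 minutes, CRL refreshed only once its Next Update is in the past) are easier to reason about as one small state machine. The following is an added example, not CipherTrust Manager code: the network lookups are injected callables, the certificate fields, URLs and the T0 reference clock are constructed, and the method labels ("ocsp-cached", "local-ca") are this example's own names.

```python
# Added example (not CipherTrust Manager code): a model of the revocation
# decision flow and the OCSP/CRL caching rules described above. The network
# lookups are injected callables so the logic runs offline and can be tested.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

OCSP_CACHE_TTL = timedelta(minutes=5)    # an OCSP result is reused for 5 minutes

# Constructed reference clock used by the examples and tests.
T0 = datetime(2023, 3, 22, 12, 0, tzinfo=timezone.utc)


def at(minutes: float) -> datetime:
    """T0 plus the given number of minutes."""
    return T0 + timedelta(minutes=minutes)


@dataclass
class ClientCert:
    """The fields of a client certificate the check looks at (constructed)."""
    fingerprint: str             # identifies the client for OCSP caching
    serial: str                  # compared against CRL entries
    ocsp_urls: list              # AIA OCSP responder URLs
    crl_urls: list               # CRL distribution point URLs
    issuer_url: Optional[str]    # AIA caIssuers URL; the OCSP path needs it


@dataclass
class Decision:
    action: str                  # "allow" or "drop"
    method: str                  # how the status was decided
    warning: Optional[str] = None   # set on a "Soft Fail" (what the audit record would carry)


def usable(urls) -> list:
    """ldap:// URLs are skipped, as the page states."""
    return [u for u in urls if not u.lower().startswith("ldap://")]


class RevocationChecker:
    def __init__(self, fetch_ocsp: Callable, fetch_crl: Callable):
        # fetch_ocsp(url, cert) -> "good" | "revoked"; raises ConnectionError when unreachable
        # fetch_crl(url) -> (set of revoked serials, next_update datetime); same error contract
        self.fetch_ocsp = fetch_ocsp
        self.fetch_crl = fetch_crl
        self._ocsp_cache = {}    # fingerprint -> (status, verified_at)
        self._crl_cache = {}     # crl url -> (revoked serials, next_update)

    def check(self, cert: ClientCert, now: datetime) -> Decision:
        ocsp, crl = usable(cert.ocsp_urls), usable(cert.crl_urls)
        if ocsp:
            return self._via_ocsp(cert, ocsp[0], now)
        if crl:
            return self._via_crl(cert, crl[0], now)
        # No usable pointer at all: treated as issued by the local CA and allowed
        return Decision("allow", "local-ca")

    def _via_ocsp(self, cert, url, now):
        cached = self._ocsp_cache.get(cert.fingerprint)
        if cached and now - cached[1] < OCSP_CACHE_TTL:
            status, method = cached[0], "ocsp-cached"
        else:
            if not (cert.issuer_url or "").startswith("http://"):
                return Decision("allow", "ocsp", "issuer URL missing or not http: soft fail")
            try:
                status = self.fetch_ocsp(url, cert)
            except ConnectionError as exc:
                return Decision("allow", "ocsp", f"OCSP responder unreachable ({exc}): soft fail")
            self._ocsp_cache[cert.fingerprint] = (status, now)
            method = "ocsp"
        return Decision("drop" if status == "revoked" else "allow", method)

    def _via_crl(self, cert, url, now):
        entry = self._crl_cache.get(url)
        if entry is None or entry[1] <= now:       # Next Update reached: fetch a fresh CRL
            try:
                entry = self.fetch_crl(url)
            except ConnectionError as exc:
                return Decision("allow", "crl", f"CDP unreachable ({exc}): soft fail")
            self._crl_cache[url] = entry
            method = "crl"
        else:
            method = "crl-cached"
        return Decision("drop" if cert.serial in entry[0] else "allow", method)
```

The practical point for an operator is the asymmetry the model makes visible: a revoked certificate is always dropped, but every network failure resolves to "allow" with only a warning, so the Records view is the only place a silently degraded revocation check shows up.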
Enabling/disabling certificate revocation check
The Certificate Revocation Check is enabled by default. You can enable or disable the Certificate Revocation Check using:
API playground
Refer to the "Properties" section (/v1/configs/properties).
CLI tool (ksctl)
Refer to the following examples:
Command to enable Certificate Revocation Check
ksctl properties modify -n ENABLE_CERT_REV_CHECK -p true
Command to disable Certificate Revocation Check
ksctl properties modify -n ENABLE_CERT_REV_CHECK -p false
Available Flags:
Flag            Input Type       Description
-h, --help      not applicable   Command help
-n, --name      string           Name of the system configuration
-p, --value     string           Value to be set for the system configuration
Getting the fingerprint of the CA certificate
The fingerprint of the old CA certificate that was used to register the client with the CipherTrust Manager is needed when re-registering a client. A CipherTrust Manager administrator can provide you with the fingerprint.
The fingerprint of the CA certificate can be viewed on the GUI or in the API playground.
On the API Playground
To get the fingerprint of a CA certificate:
Acquire an authorization token.
In the left pane of the API playground, click Certificate Authority.
Under Certificate Authority, click Get local CA. The Get section of the API playground is displayed in the right pane.
Click id in /v1/ca/local-cas/{id}. Enter the id of the local CA in the text box.
Click GET. Details of the CA including fingerprints are displayed in the output. Only sha256Fingerprint and sha512Fingerprint are supported for re-registration.
Copy the desired fingerprint. This fingerprint will be used when re-registering clients.
Similarly, you can get the fingerprint of external CA certificates.
On the GUI
To get the fingerprint of a CA certificate:
Log on to the CipherTrust Manager as administrator.
In the left pane, click CA > Local. The list of available CAs is displayed.
Click the ellipsis icon corresponding to the CA.
Click Details. Details of the CA including fingerprints are displayed. Only sha256Fingerprint and sha512Fingerprint are supported for re-registration.
Copy the desired fingerprint. This fingerprint will be used when re-registering clients.
Similarly, you can get the fingerprint of external CA certificates.
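A fingerprint handed over by an administrator is only useful if the client side can recompute it from the CA certificate it actually holds, so the two values can be compared before the CA is trusted for re-registration. The following is an added example, not CipherTrust Manager or ksctl code, covering both the API playground and GUI procedures above. It assumes, as is the usual convention, that sha1Fingerprint, sha256Fingerprint and sha512Fingerprint are hex digests of the certificate's DER encoding; the sample certificate is the adminCA certificate from the example response below, and the helper names are this example's own.

```python
# Added example (not CipherTrust Manager code): compute the fingerprints of a
# PEM certificate locally so the value an administrator hands you can be
# checked before the CA is trusted for re-registration. Assumes, as is the
# usual convention, that a fingerprint is the hash of the DER encoding.
import base64
import hashlib
import re

# Sample CA certificate taken from the adminCA example response on this page.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MIIBoTCCASegAwIBAgIQLyw13lVuY5/+BbOYhPfRpjAKBggqhkjOPQQDAzASMRAw
DgYDVQQDEwdhZG1pbkNBMB4XDTIyMDEwMzE2NTUxMloXDTIzMDEwMzE2NTUxMlow
EjEQMA4GA1UEAxMHYWRtaW5DQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMhbWYui
eU0/VVZU0bsD6FWt3xGaBWaGrC2BS6EH+YcacosTm0SMWJSYHhN8YqxF8eMmTF1y
p7tTSRXo89xYqDZK/wMmOjv55l1yhwV+82o8d1y2Q9obkhgXb39JaxLAlaNCMEAw
DgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFIIBQfXX
u5bdGlOjynb7aL4Leq81MAoGCCqGSM49BAMDA2gAMGUCMQD+aEg5pq3VM78Pp5F0
JEurbY23XoKwixe23IKUhYBTfdpvaDUZGMtV6c7zIfUa2mMCMBN4Nkc6qva1cHxo
FbsmjX42K8fukNqzm39w8vM4o+lhnb5J4bRyghbD/Ej67F6Myw==
-----END CERTIFICATE-----
"""

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first certificate in a PEM string.
    Accepts real line breaks as well as the literal \\n of a JSON-encoded value."""
    text = pem.replace("\\n", "\n")
    match = _PEM_BLOCK.search(text)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(match.group(1).split())      # drop all whitespace
    return base64.b64decode(body, validate=True)


def fingerprints(pem: str) -> dict:
    """Fingerprints in the same key names and upper-case hex as the ksctl output."""
    der = pem_to_der(pem)
    return {
        "sha1Fingerprint": hashlib.sha1(der).hexdigest().upper(),
        "sha256Fingerprint": hashlib.sha256(der).hexdigest().upper(),
        "sha512Fingerprint": hashlib.sha512(der).hexdigest().upper(),
    }


def normalize(fp: str) -> str:
    """Strip colons and spaces and upper-case, so 'ab:cd' and 'ABCD' compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def matches(pem: str, expected: str, algo: str = "sha256Fingerprint") -> bool:
    """True if the certificate's fingerprint equals the value you were given.
    Only sha256Fingerprint and sha512Fingerprint are accepted for re-registration."""
    if algo not in ("sha256Fingerprint", "sha512Fingerprint"):
        raise ValueError("only sha256Fingerprint and sha512Fingerprint are supported")
    return fingerprints(pem)[algo] == normalize(expected)


if __name__ == "__main__":
    for name, value in fingerprints(SAMPLE_PEM).items():
        print(f"{name}: {value}")
```

Run as a script it prints the three digests for the sample; if the DER-hash assumption holds for CipherTrust Manager, the sha256 value will equal the sha256Fingerprint in the example response, which is the comparison a client operator would make against the value received from the administrator.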
Managing usage of certificate authority (CA)
You can manage the usage of CA on individual CipherTrust Manager domains. The CipherTrust Manager supports user and client authentication.
Client authentication: If enabled, the certificates signed by the CA can be used for client authentication in that domain.
User authentication: If enabled, the certificates signed by the CA can be used for user authentication in that domain.
If authentication is disabled, the CipherTrust Manager domain does not trust the CA for the respective authentication mechanism, and certificates signed by that CA are rejected even if they are otherwise valid.
Updating usage of a local CA
To update usage of a local CA, run:
Syntax
ksctl ca locals update --id <ca-identifier> --allow-user-authentication <true|false> --allow-client-authentication <true|false>
Example request
ksctl ca locals update --id e66d047a-2f67-48bf-bcac-862ac773e12a --allow-user-authentication true --allow-client-authentication false
Example response
{
"id": "09e3feb5-7c37-4345-9f05-14a95eb4acd9",
"uri": "kylo:kylo:naboo:localca:09e3feb5-7c37-4345-9f05-14a95eb4acd9",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-01-04T16:55:08.995526Z",
"updatedAt": "2022-01-05T07:31:10.468173266Z",
"name": "admin",
"state": "active",
"csr": "",
"cert": "-----BEGIN CERTIFICATE-----\nMIIBoTCCASegAwIBAgIQLyw13lVuY5/+BbOYhPfRpjAKBggqhkjOPQQDAzASMRAw\nDgYDVQQDEwdhZG1pbkNBMB4XDTIyMDEwMzE2NTUxMloXDTIzMDEwMzE2NTUxMlow\nEjEQMA4GA1UEAxMHYWRtaW5DQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMhbWYui\neU0/VVZU0bsD6FWt3xGaBWaGrC2BS6EH+YcacosTm0SMWJSYHhN8YqxF8eMmTF1y\np7tTSRXo89xYqDZK/wMmOjv55l1yhwV+82o8d1y2Q9obkhgXb39JaxLAlaNCMEAw\nDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFIIBQfXX\nu5bdGlOjynb7aL4Leq81MAoGCCqGSM49BAMDA2gAMGUCMQD+aEg5pq3VM78Pp5F0\nJEurbY23XoKwixe23IKUhYBTfdpvaDUZGMtV6c7zIfUa2mMCMBN4Nkc6qva1cHxo\nFbsmjX42K8fukNqzm39w8vM4o+lhnb5J4bRyghbD/Ej67F6Myw==\n-----END CERTIFICATE-----\n",
"serialNumber": "62703269446467328287939974236420428198",
"subject": "/CN=adminCA",
"issuer": "/CN=adminCA",
"notBefore": "2022-01-03T16:55:12Z",
"notAfter": "2023-01-03T16:55:12Z",
"sha1Fingerprint": "B3673DFB030A894EF71A71C0C382E78455C1DA84",
"sha256Fingerprint": "0242266C65ECA9BB893A75EC425A107CCC92C0BEED8224AD87A3A64E9E077739",
"sha512Fingerprint": "4B20E210A6FE04D5A086346E809076A17C47873D29F1DC071308121BAF2D2AD9C516726E48364281A15224CFA0365B8AFED34B61D8C109DEDBDF4AB365BBF744",
"purpose": {
"client_authentication": "Disabled",
"user_authentication": "Enabled"
}
}
Updating usage of an external CA
To update usage of an external CA, run:
Syntax
ksctl ca externals update --id <ca-identifier> --allow-user-authentication <true|false> --allow-client-authentication <true|false>
Example request
ksctl ca externals update --id 5cb55f29-2749-4960-a912-98aeff6accda --allow-user-authentication true --allow-client-authentication false
Example response
{
"id": "f029ff14-9f27-4015-8609-23f41b6de898",
"uri": "kylo:kylo:naboo:external_ca:f029ff14-9f27-4015-8609-23f41b6de898",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-01-04T16:57:34.723799Z",
"updatedAt": "2022-01-05T07:32:10.243282197Z",
"name": "1234",
"cert": "-----BEGIN CERTIFICATE-----\nMIIBoTCCASegAwIBAgIQLyw13lVuY5/+BbOYhPfRpjAKBggqhkjOPQQDAzASMRAw\nDgYDVQQDEwdhZG1pbkNBMB4XDTIyMDEwMzE2NTUxMloXDTIzMDEwMzE2NTUxMlow\nEjEQMA4GA1UEAxMHYWRtaW5DQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMhbWYui\neU0/VVZU0bsD6FWt3xGaBWaGrC2BS6EH+YcacosTm0SMWJSYHhN8YqxF8eMmTF1y\np7tTSRXo89xYqDZK/wMmOjv55l1yhwV+82o8d1y2Q9obkhgXb39JaxLAlaNCMEAw\nDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFIIBQfXX\nu5bdGlOjynb7aL4Leq81MAoGCCqGSM49BAMDA2gAMGUCMQD+aEg5pq3VM78Pp5F0\nJEurbY23XoKwixe23IKUhYBTfdpvaDUZGMtV6c7zIfUa2mMCMBN4Nkc6qva1cHxo\nFbsmjX42K8fukNqzm39w8vM4o+lhnb5J4bRyghbD/Ej67F6Myw==\n-----END CERTIFICATE-----",
"purpose": {
"client_authentication": "Disabled",
"user_authentication": "Enabled"
},
"serialNumber": "62703269446467328287939974236420428198",
"subject": "/CN=adminCA",
"issuer": "/CN=adminCA",
"notBefore": "2022-01-03T16:55:12Z",
"notAfter": "2023-01-03T16:55:12Z",
"sha1Fingerprint": "B3673DFB030A894EF71A71C0C382E78455C1DA84",
"sha256Fingerprint": "0242266C65ECA9BB893A75EC425A107CCC92C0BEED8224AD87A3A64E9E077739",
"sha512Fingerprint": "4B20E210A6FE04D5A086346E809076A17C47873D29F1DC071308121BAF2D2AD9C516726E48364281A15224CFA0365B8AFED34B61D8C109DEDBDF4AB365BBF744"
}
Certificate format in REST-API and UI
If you are uploading certificates using the REST API, certificates are encoded in a JSON string and have \n characters to indicate line endings. CipherTrust Manager's UI web console does not have these characters, so it is easiest to remain in the same interface for certificate operations, and/or pass in and export certificates using a file instead of a pasted string wherever possible. If you are copy-pasting certificate strings between the UI and other interfaces, you must re-encode the certificate strings.
To change PEM-encoded strings to JSON, use
echo "$v" | jq -R --slurp
where $v is a variable holding the string (quoted, so that the line breaks survive word splitting and become \n in the output). This is needed to convert certificates from the UI format to the REST API format.
To change JSON-encoded strings to PEM, use
echo "$v" | /usr/local/bin/jq -r
where $v is a variable holding the string. This is needed to convert certificates from the REST API format to the UI format.