Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

CTE UserSpace Administration

Certificate Renewal

search

Please Note:

Certificate Renewal

If the CA that signed the client certificate or the web interface certificate is modified, the CTE client is notified about this change. The CTE client can now generate or install a new certificate and update the truststore for uninterrupted connections.

Refer to CA Certificates Renewal Notification for compatiblity information.

Client Certificate Renewal

CTE Agents with the CA_RENEWAL capability support the CA renewal feature. When the CA (local or external) is updated in a client management profile, the Client Profile updated message is logged on the CipherTrust Manager. Also, all the clients linked with the updated client management profile are notified of the CA update. A message RenewCerts - Renewal has been scheduled - OK is generated in the VMD logs (client logs) on the linked clients.

Note

Client certificate renewal is applicable to all the CA_RENEWAL capable CTE clients in all the domains of the CipherTrust Manager.

Possible Scenarios

Client with the CA_RENEWAL Capability is Active

A CTE client with the CA_RENEWAL capability is active. After the CA is updated in a client management profile:

  1. The active client with the CA_RENEWAL capability linked with the updated profile receive the certificate renewal notification.

  2. The CTE Agent generates a log of CA renewal, RenewCerts: Renewal has been scheduled - OK, in the client logs. The client continues to work properly after the CA renewal.

All the active and CA_RENEWAL capable CTE clients linked with the updated client management profile reflect the same behavior.

Client with the CA_RENEWAL Capability is Inactive

A CTE client with the CA_RENEWAL capability is inactive, that is, unable to communicate with the CipherTrust Manager it is registered with. In this case, if the CipherTrust Manager administrator updates the CA in the linked client management profile, the following message is generated in the CipherTrust Manager logs. This shows that the client can't be notified of the CA update.

Client cert updated. LONGPOLL connection is not available for client

The CA Renewal Notification ERROR message is also logged in the audit records on the CipherTrust Manager (Records > Loki Audit Records > Server Records).

Now, if the connection between the client and the CipherTrust Manager is restored:

  • The CipherTrust Manager log shows that a LONGPOLL command of RenewCertificates is sent to the clients. This indicates that the communication between the CipherTrust Manager and the client is enabled. The client is notified of the CA update.

  • The client log shows RenewCerts: OK - Renewal has been scheduled.

Note

If a client with the CA_RENEWAL capability is inactive (disabled or unreachable), the CipherTrust Manager can't notify the client of the certificate update. The CipherTrust Manager will retry notifying the client when it is active again.

Client with the CA_RENEWAL Capability is Registered with an Unsupported CipherTrust Manager Version

A CTE client with the CA_RENEWAL capability is registered with a CipherTrust Manager version that does not support certificate renewal notification. In this case, if the CA is updated in the linked client management profile, the CipherTrust Manager can't notify the linked clients of any CA updates.

Client Doesn't have the CA_RENEWAL Capability

A CTE Agent doesn't have the CA_RENEWAL capability. In this case, if the CA is updated in the linked client management profile, the CipherTrust Manager doesn't send CA update notifications to the client. An audit record is logged on the CipherTrust Manager.

When the CA in the linked client management profile is updated:

  • A message Client Profile updated is displayed on the CipherTrust Manager GUI.

  • A message Client Cert updated. Cert renewal notification are not supported for the CTE Client is logged on the CipherTrust Manager. The CA Renewal Notification ERROR message is also logged in the audit records on the CipherTrust Manager (Records > Loki Audit Records > Server Records).

Web Interface Certificate Renewal

When the CipherTrust Manager's web interface certificate is updated (or renewed), all the CA_RENEWAL capable CTE clients from all the domains of the {cm} are notified of the changes in the web interface certificate.

Click the desired tab to view instructions to update the web interface certificate through the API or GUI.

To update the web interface certificate:

  1. Add the new certificate to the list of upcoming interface certificates.

    put /v1/configs/interfaces/web/renewal-certificate

    In the certificate parameter, specify the certificate chain having the primary certificate, the CA, and its private key. Also, specify the format parameter.

    After the upcoming certificate is updated successfully

    1. The active CA_RENEWAL capable clients receive notification of this update.

      • The CipherTrust Manager logs show that a LONGPOLL command of RenewCertificates is sent to the active clients. The clients are notified of the web interface certificate update.

      • The client log shows RenewCerts: OK - CA trust store updated.

    2. The CTE Agent updates the truststore with the new certificate chain. Both the old and the updated certificates are stored on the client at: /opt/vormetric/DataSecurityExpert/agent/secfs/.sec/pem

  2. Fetch the upcoming renewal certificate.

    get /v1/configs/interfaces/web/renewal-certificate

    The command returns the public portion (only public key and CA chain) of the upcoming renewal certificate in the PEM format.

  3. When the current interface certificate is about to expire, apply the new certificate.

    post /v1/configs/interfaces/{interface}/renewal-certificate/apply

    Note

    If the new certificate is not applied before the current certificate expires, the new certificate will be automatically applied when the current certificate expires.

To renew the web certificate:

Upload the updated web certificate

  1. Go to Admin Settings > Interfaces.

  2. Click the Overflow Icon (Overflow Icon) next to the web interface.

  3. Click Renewal Certificate Options... The Interface Renewal Certificate Options on 'web' dialog box is displayed.

  4. Click Upload/Generate to upload a new server certificate.

  5. Click OK. The Upload/Generate Upcoming Certificate dialog box is displayed.

  6. Select a certificate upload option. You can either upload the certificate using the File Upload option or paste the signed certificate and its private key content in the Text field.

  7. Select PEM as Format.

  8. Click Upload Certificate. The certificate is uploaded successfully.

Apply the new certificate

When the current interface certificate is about to expire, you need to apply the newly uploaded certificate.

  1. Click the Overflow Icon (Overflow Icon) next to the web interface.

  2. Click Renewal Certificate Options... The Interface Renewal Certificate Options on 'web' dialog box is displayed.

  3. Click Apply to apply the upcoming renewal server certificate. The existing server certificate is replaced with the newly generated server certificate.

    Note

    If the new certificate is not applied before the current certificate expires, the new certificate will be automatically applied when the current certificate expires.

Refer to managing upcoming server certificate for details on upcoming server certificates.

After the CTE Agent has successfully updated the truststore and the updated web interface certificate is applied successfully, the CA_RENEWAL capable clients start communicating with the CipherTrust Manager over the renewed certificate.

Important Notes

  • The CipherTrust Manager doesn't notify the clients that don't have the CA_RENEWAL capability. The following message is displayed in the CipherTrust Manager logs for such clients.

    Web interface CA is updated but Auto-CA Renewal is not supported for the CTE Client

    The CA Renewal Notification ERROR message is also logged in the audit records on the CipherTrust Manager (Records > Loki Audit Records > Server Records).

  • The CipherTrust Manager retries notifying all the CA_RENEWAL capable clients whether they are active or inactive.

    If a client with the CA_RENEWAL capability is inactive (disabled or unreachable), the CipherTrust Manager can't notify the client of the certificate update (until it is active). The following message is displayed in the CipherTrust Manager logs.

    Failed to notify the CTE client

    The CA Renewal Notification ERROR message is also logged in the audit records on the CipherTrust Manager (Records > Loki Audit Records > Server Records).

    The CipherTrust Manager retries notifying the client of the update when the client is active again (the connection is re-established). A LONGPOLL message Sending pending event to CTE client is displayed in the CipherTrust Manager logs.

    After the client is notified of the update, the Agent updates the truststore. A message RenewCerts: OK - CA trust store updated is logged in the client logs.

Caution

  • Restore the connectivity of inactive clients with the CA_RENEWAL capability before applying the updated web interface certificate. If the certificate is applied when a client is inactive, the client needs to be reregistered.

  • In a clustered environment, all the CipherTrust Manager nodes must have the same certificate active. If the web interface certificate is renewed (updated and applied) at one node, the same certificate chain must be renewed on all nodes of the CipherTrust Manager cluster. Failure to do so can break the connectivity and the CTE clients need to be reregistered.

On this page