Authentication Settings for NAE, KMIP, and Web Interfaces

The Web, KMIP, and NAE interfaces have several options to control authentication to those interfaces.

Note

Refer to Basic Interface Configuration for the following operations:

• Viewing interfaces

• Enabling/disabling interfaces

• Adding/removing interfaces

• Changing an interface web port

Effect of updating interface settings

Warning

If you have active NAE, KMIP, or web connections, we recommend that you plan for connection downtime before updating interface settings, especially for updates to the initial default interfaces.

Note

• When you update the port of the default interface of NAE, KMIP, and WEB, all nodes in the cluster restart. However, if you update any other setting apart from the port, no node in the cluster restarts.

• If you update any setting on the non-default interfaces of NAE, KMIP, and WEB, no node in the cluster restarts.

There are some interface changes that are applied immediately and trigger an automatic services restart. This restart can disrupt running NAE, KMIP, and web connections and cause an immediate downtime of a few minutes. If your CipherTrust Manager is part of a cluster, the interface settings change can also replicate to other nodes, and disrupt running NAE, KMIP, and web connections to those nodes. Therefore, plan for some downtime before updating interfaces.

Interface settings changes that are known to cause an immediate loss of connection are:

• Changing the interface mode

• Changing any TLS-related setting, including updating minimum/maximum TLS version, trusted CAs, enabled cipher suites, uploading a new server certificate, changing any option for auto-generating the server certificate.

• Changing the interface default connection between LDAP or local accounts.

Other interface changes require a manual Services Restart.

SSL/TLS supported protocols and cipher suites

CipherTrust Manager allows the customers to customize the cipher suites for TLS handshake for the following interfaces:

• NAE

• KMIP

• Web

A cipher suite is a set of algorithms that help secure a network connection that uses Transport Layer Security (TLS). The set of algorithms that cipher suites usually contain include: a key exchange algorithm, an authentication algorithm, a bulk encryption algorithm, and a message authentication code (MAC) algorithm.

When you add an Interface, it is added with the default recommended list of cipher suites. You can customize them by updating an interface.

Note

The protocol has a higher priority than the cipher suites. In other words, if certain protocol is disabled and its respective cipher suites are enabled, then the cipher suites will not be used for communication.

You can not add/remove any cipher suite, however, they can be enabled/disabled from the given list of cipher suites.

Following table details the priority list of cipher suites for the respective Interfaces in the descending order.

Note

• TLS 1.3 ciphers suites are not configurable that is, they cannot be disabled. However, you can disable the TLS protocol as a whole.

• The CipherTrust Manager uses an in-built order for TLS ciphers, therefore the order of TLS ciphers cannot be changed to set the preference order.

• The cipher suites marked as disabled remain disabled by default as they are considered weak. If required, user can explicitly enable them for use.

If you update the minimum and maximum TLS versions, the cipher suite also gets updated based on the TLS versions. Consider a scenario for a cipher suite where the minimum TLS version is 1.1 and maximum version is 1.3 and the cipher is enabled for TLS 1.1, 1.2, and 1.3. Now, if you update the minimum TLS version to 1.2, ciphers corresponding to TLS 1.1 will be disabled and rest will remain the same.

Following table details the recommended and supported versions of the TLS protocol for the respective Interfaces. The recommended versions are enabled by default.

Updating cipher suites using ksctl

To update cipher suite list in an Interface, run:

For Web interface-Syntax

ksctl interfaces modify --name web --tls-ciphers-file <json-file>

Example Request

ksctl interfaces modify --name web --tls-ciphers-file tls-ciphers.json

For NAE interface-Syntax

ksctl interfaces modify --name nae --tls-ciphers-file <json-file>

Example Request

ksctl interfaces modify --name nae --tls-ciphers-file tls-ciphers.json

For KMIP interface-Syntax

ksctl interfaces modify --name kmip --tls-ciphers-file <json-file>

Example Request

ksctl interfaces modify --name kmip --tls-ciphers-file tls-ciphers.json

Format of the JSON File

{
    "tls_ciphers": [
        {
            "cipher_suite": "TLS_AES_256_GCM_SHA384",
            "enabled": true
        },
        {
            "cipher_suite": "TLS_CHACHA20_POLY1305_SHA256",
            "enabled": true
        },
        {
            "cipher_suite": "TLS_AES_128_GCM_SHA256",
            "enabled": true
        },
        {
            "cipher_suite": "ECDHE-ECDSA-AES256-GCM-SHA384",
            "enabled": true
        },
        {
            "cipher_suite": "ECDHE-RSA-AES256-GCM-SHA384",
            "enabled": true
        },
        {
            "cipher_suite": "ECDHE-ECDSA-AES128-GCM-SHA256",
            "enabled": true
        },
        {
            "cipher_suite": "ECDHE-RSA-AES128-GCM-SHA256",
            "enabled": true
        }
        {
            "cipher_suite": "ECDHE-ECDSA-AES256-SHA384",
            "enabled": false
        },
        {
            "cipher_suite": "ECDHE-ECDSA-AES128-SHA256",
            "enabled": false
        },
        {
            "cipher_suite": "ECDHE-RSA-AES256-SHA384",
            "enabled": false
        },
        {
            "cipher_suite": "ECDHE-RSA-AES128-SHA256",
        "enabled": false
        },
        {
            "cipher_suite": "ECDHE-ECDSA-AES256-SHA",
            "enabled": false
        },
        {
            "cipher_suite": "ECDHE-ECDSA-AES128-SHA",
            "enabled": false
        },
        {
            "cipher_suite": "ECDHE-RSA-AES256-SHA",
            "enabled": false
        },
        {
            "cipher_suite": "ECDHE-RSA-AES128-SHA",
            "enabled": false
        }
    ]
}

Example modify TLS version of an interface

Note

• The CipherTrust Manager supports TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3.

• TLS 1.0 and TLS 1.1 are deprecated and will be discontinued in a future release.

Note

The TLS 1.3 version is supported from CipherTrust Manager 2.3 onward.

ksctl interfaces modify -n <interface name> -e <minimum tls version> -i <maximum tls version>

Here:

• <interface name> can be NAE, KMIP, or WEB interface name.

• <minimum tls version> can be tls_1.0, tls_1_1, tls_1_2, or tls_1_3. Support for tls_1_0 and tls_1_1 will be discontinued in a future release.

• <maximum tls version> can be tls_1.0, tls_1_1, tls_1_2, or tls_1_3. Support for tls_1_0 and tls_1_1 will be discontinued in a future release.

Example

ksctl interfaces modify -n kmip_all_5697 -e tls_1_2 -i tls_1_3

Response

{
  "id": "6199c8d1-f59a-4bd1-8dfd-cf4d43900264",
  "name": "kmip_all_5697",
  "mode": "tls-cert-and-pw",
  "cert_user_field": "CN",
  "auto_gen_ca_id": "kylo:kylo:naboo:localca:afdebde8-a5ff-4cbd-9bb2-6dc5186e4c03",
  "trusted_cas": {
    "local": [
      "kylo:kylo:naboo:localca:0a4bf97b-1294-41d2-93cd-d19e6290cfa3",
      "kylo:kylo:naboo:localca:b7860db1-b7d1-4163-996e-22b14090d55a",
      "kylo:kylo:naboo:localca:afdebde8-a5ff-4cbd-9bb2-6dc5186e4c03"
    ]
  },
  "createdAt": "2019-08-28T05:21:05.36768Z",
  "updatedAt": "2019-08-28T07:41:38.62511Z",
  "default_connection": "local_account",
  "port": 5697,
  "network_interface": "all",
  "interface_type": "kmip",
  "kmip_enable_hard_delete": 0,
  "minimum_tls_version": "tls_1_2"
  "maximum_tls_version": "tls_1_3"
}

Restoring to default TLS cipher suite using ksctl

To restore to the default TLS Cipher suite of an Interface, run:

Example Request

ksctl interfaces restore-default-tls-ciphers --name nae_all_9009

Interface default connection (NAE and KMIP)

NAE and KMIP interfaces may be configured to use a default connection other than local_account for username/password authentication and client certificate authentication. Typically this setting is modified to simplify authentication because the username does not need to provide the connection name. For example, when a user presents their username for authentication without a connection, e.g. jdoe, then the CipherTrust Manager uses the default connection of the interface to authenticate the user. If the default connection is configured as local_account then the user is authenticated as if local_account|jdoe was presented. However, if configured as myldapdomain then the user is authenticated as if myldapdomain|jdoe was presented.

Example - Interface configuration update for KMIP to use a new default connection

ksctl interfaces modify -n kmip -d myldapdomain

Response

{
  "id": "476618b4-7310-4783-819f-517c387d2281",
  "name": "kmip",
  "mode": "tls-cert-pw-opt",
  "cert_user_field": "CN",
  "auto_gen_ca_id": "kylo:kylo:naboo:localca:0d29d15d-0ddd-444d-8cc5-ffcc85d0928a",
  "trusted_cas": {
    "local": [
      "kylo:kylo:naboo:localca:0d29d15d-0ddd-444d-8cc5-ffcc85d0928a"
    ],
    "external": []
  },
  "createdAt": "2018-07-09T14:49:43.316319Z",
  "updatedAt": "2018-07-09T14:49:50.136975Z",
  "default_connection": "myldapdomain"
}

SSL/TLS server certificate (NAE, KMIP, and WEB)

During initial bootstrapping of a new CipherTrust Manager, a new local KeySecure Root CA is automatically generated. This CA is later used to issue a server certificate for the interfaces available in the system. All interfaces and services trust this CA by default, meaning that a client certificate issued from this initial KeySecure Root CA is automatically trusted by the system.

Note

The certificate duration shouldn't be more than the CA duration. However, if the certificate duration exceeds the CA duration, the certificate duration is automatically set to CA's duration.

Trusting the default server certificate

Clients connecting to an interface examine the presented server certificate and match the signing CA against their trust stores. If the server certificate doesn't match, the client might present an error or close the connection. To avoid this mismatch, you can either add the KeySecure Root CA to the client truststore, so that the default server certificate is trusted, or you can upload an external, already trusted server certificate to the CipherTrust Manager interface.

Using an externally generated server certificate for an interface

The CLI tool (ksctl) can be used to upload an external server certificate for a given interface. You can upload a certificate (full chain including server certificate, intermediate CA, and external root CA) and private key or regenerate a self-signed certificate. The certificates (and the private key) can be uploaded in PEM or base64 encoded PKCS12 format. The PKCS12 files are encrypted, therefore the --private-key-password field is required to use them.

The common name (CN) in the certificate must have a valid value.

Note

Currently, we do not support encrypted PKCS8 keys embedded within a PEM file.

To use an externally generated server certificate for an interface

1. Create the necessary external certificate chain, and combine them into a single PEM or PKCS12 file. The file should include the following certificates and key in the indicated order:

   1. The server certificate.

   2. Any intermediate certificate authorities that sign the server certificate. Start with the intermediate CA that issued the server certificate. Next, add the issuer of the intermediate CA, if any. Continue adding any intermediate CAs higher up the hierarchy, each time adding the issuer of the last certificate you uploaded.

   3. The external root CA that signs any intermediate CAs. If there are no intermediate CAs, add the root CA that issued the server certificate.

   4. The server certificate's private key.

2. Add the PEM file for the server certificate's issuer to CipherTrust Manager's list of external CAs.

   ksctl ca externals upload –-cert-infile mycert.pem

   Copy

3. View the identifier for the uploaded external CA.

   ksctl ca externals list --cert-infile <ca-file-name>

   Copy

4. Look for the id field and copy this value. It is the <external-CA-identifier> in the next step.

5. Change the Trusted CA for the desired CipherTrust Manager interface (nae in this example).

   ksctl interfaces modify --name nae --trusted-external-cas <external-CA-identifier>

   Copy

6. Disable auto-generation of the server certificate for the desired CipherTrust Manager interface (nae in this example). This command sets the auto-generation local CA to an empty string, indicating no autogeneration.

   ksctl interfaces modify --name nae --auto-gen-ca-id ""

   Copy

7. Upload the certificate chain file to the desired interface (nae interface is shown in the example)

   ksctl interfaces certificate modify --name=nae --format=pem --file=certchainfile.pem --private-key-password password

   Copy

Interface modes (NAE, KMIP, and WEB)

The "mode interface" configuration parameter specifies the Interface mode, and must be one of the following:

• no-tls-pw-opt: No TLS, allow anonymous logins.

• no-tls-pw-req: No TLS, user must supply password.

• unauth-tls-pw-opt: TLS, allow anonymous logins, ignore client cert.

• unauth-tls-pw-req: TLS, user must supply password, ignore client cert.

• tls-pw-opt: TLS, allow anonymous logins, verify client cert.

• tls-pw-req: TLS, user must supply password, verify client cert.

• tls-cert-pw-opt: Verify client cert, user name taken from client cert, auth request is optional.

• tls-cert-and-pw: Verify client cert, password is needed, user name in cert must match user name in authentication request.

The following interface modes verify that the TLS client certificate is signed by one of the trusted CAs:

• tls-pw-opt

• tls-pw-req

• tls-cert-pw-opt

• tls-cert-and-pw-req

These interface modes extract the user name from the certificate:

• tls-cert-pw-opt

• tls-cert-and-pw-req

The interface mode can be changed using the API or the CLI "ksctl interfaces modify" command.

Interface modes for each interface type

• nae: All modes are allowed. Default is unauth-tls-pw-opt.

  tls-pw-req and tls-cert-and-pw are recommended for user delegation flows.

  tls-cert-pw-opt is recommended for user impersonation flows.

  

  Warning

  The client validation will be mandatory for all NAE clients in the future release leading to deprecation of the following interface modes:

  • TLS, ignore client cert, allow anonymous logins

  • TLS, ignore client cert, user must supply password

  Therefore, it is recommended not to use the above mentioned modes.

• web: The only allowed mode is tls-cert-opt-pw-opt.

• kmip: Only following modes are allowed:

  • tls-cert-pw-opt - This setting is recommended for user impersonation flows

  • tls-cert-and-pw - recommended for user delegation flows

  • tls-pw-opt

Username location in certificate (NAE, KMIP, and WEB)

The cert_user_field parameter specifies how the user name is extracted from the client certificate. The default value is CN. This parameter must be one of the following:

• CN: Common Name

• OU: Organizational Unit

• SN: Surname

• E: Email address

• E_ND: Email without domain; the data to the left of the @ sign in the email address is taken as the user name

• UID: User ID

For KMIP, the cert_user_field parameter options are only available when Auto Registration is enabled on the interface.

Note

For WEB, only CN is supported.

Certificate signing requests (CSR for NAE, KMIP, and WEB)

CSR provides you the ability to not expose private key for certificates created on the CipherTrust Manager for the Interfaces.

Adding a CSR

To add a CSR, run:

Syntax

ksctl interfaces csr add --name <interface-name> --common-name <common-name> --dns-name <dns-names-comma-separated> --email-address <email-addresses-comma-separated> --ip-address <ip-addresses-comma-separated> --csr-name <names-comma-separated> --csr-out-file <csr-file>

Example Request

ksctl interfaces csr add --name kmip --common-name admin

Example Response

{
    "csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIIEVTCCAj0CAQAwEDEOMAwGA1UEAxMFYWRtaW4wggIiMA0GCSqGSIb3DQEBAQUA\nA4ICDwAwggIKAoICAQDMo2aufRd1vB3F1tiGnQdRokmsXGc4nTMYVkYrNn1zqTqK\nJxLy1KY0/I07V+yWsZnbkXoieggBEo48FjqD2HDsr3K4BCSJOLkfW6velFGU+7+8\n6ei8eXZNJcBND6/RGRpe2Dz3xr17I4dbW4uoJhoPZeai3It2yPhWlvIDc7sah59l\nXTzKzuaAH24d6sJSD1OU0PN5SvGNw/v1D7VJoqsRrcytnhgCVav160ZWH24Pu4ty\nhBK2wi+ElhRlQSScA7h8s2BTFD/EG+TR2IinjAqNgCo4UspVJnADOGYkMJnSQlzl\nJFf1VIMEAJQ2lnRYzpDOdbit/6jSZgqlXUmt1PZE5LOxWCQ0yXNEUJtP/++K6CSl\nspVHGVwhWpD81tTwSYHq3Sx/aVvA/LSkfuOKgDFyclmxSM4o6qmKMYfanYyqaD9k\nTI/Xuf2aWrDWBRB3KqeKuVYj99tcTdcYbeYl4BeseAA8RJj5DOjLhnEAkgQWZN5O\nulT+uvBhCgVJaXPOJfIeGDnJkCeeAx1oa9RXztZItncUAvEWvS9Lvfl0YXnH9axf\n7ofqHhdocMX6w0yE42dGaqQQFWZCKsb+vUb2DaJrZCLQqoMitmHdMY+eOQacnxhN\niGzN43oEspGBaIxKFRFm/ZTvZc6hHCfhe6Uk6xqGUPgsIyzofoVsdarOq563MwID\nAQABoAAwDQYJKoZIhvcNAQENBQADggIBAGWhiUGy1TywCnScen8P1AkS+qUVKksR\niWP313J+3YW26aNfCtdsHdEzRCD/p/um8K6q5gEStdQRwMb0KaMdDYJTRR+1Wfi9\nT3xio6rVQbkBSgl6amCF36yuCX2QiHI2PfpBhTnV5Q16YOtjqLg+M2rxYMIKUpuB\nCsAmBbV2lRkl4M2vdP6GIjUuY/mAIRCh23cPeKaMi6vQthoMDRvBnybuZoh8YbEn\nbQ7tJbj0R/33zHRBUAUvNuN4qFSdOTB0icOnomFvOHGTe1ebDoR+jABCeS+ndePn\nIqf9hDi59NJQeR5huvbQa5gJMu1KMz1Hx4gQ2zTvHxS4K8VYFE4SMfpd8gNNKbJF\nVh2j+Mv3m5HPvwiGawEZAxZyRipyQ4GHc9pTCDdpfdyAfqOd3ogwEElnf2DfBb5x\n7mfiruOrcqQ9Kz6xYx2Xb0B3pSxTo5UamtL+ct5cabd+xQrhM7y2m5n8vvOkSne3\n+JH9wh7oMx3qRGzxS/aO9Fm6lGkE24f4QyO5KUHniD6Cl0E+mloMSIwb0hpX+zZf\nXs5v9JUAyaoiEeNsFsf01MDeIXuYYeY7x52qBNj8XsKbDeEnS9Fzf+qIX5Z2Lldb\ng0M6p/vXTZ+7YCFqphVnnx10E1BXnWBKDcOCDFXDxZ9clV+uxkVVJHgZFl1rNvyI\n1ATjjOZSmouN\n-----END CERTIFICATE REQUEST-----\n"
}

Note

If CSR parameters are not provided, it will use the default values.

Getting CSRs of an interface

To get the CSR of an Interface, run:

Syntax

ksctl interfaces csr get --name <interface-name> --csr-infile <csr-file>

Example Request

ksctl interfaces csr get --name kmip

Example Response

{
    "csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIIEVTCCAj0CAQAwEDEOMAwGA1UEAxMFYWRtaW4wggIiMA0GCSqGSIb3DQEBAQUA\nA4ICDwAwggIKAoICAQDMo2aufRd1vB3F1tiGnQdRokmsXGc4nTMYVkYrNn1zqTqK\nJxLy1KY0/I07V+yWsZnbkXoieggBEo48FjqD2HDsr3K4BCSJOLkfW6velFGU+7+8\n6ei8eXZNJcBND6/RGRpe2Dz3xr17I4dbW4uoJhoPZeai3It2yPhWlvIDc7sah59l\nXTzKzuaAH24d6sJSD1OU0PN5SvGNw/v1D7VJoqsRrcytnhgCVav160ZWH24Pu4ty\nhBK2wi+ElhRlQSScA7h8s2BTFD/EG+TR2IinjAqNgCo4UspVJnADOGYkMJnSQlzl\nJFf1VIMEAJQ2lnRYzpDOdbit/6jSZgqlXUmt1PZE5LOxWCQ0yXNEUJtP/++K6CSl\nspVHGVwhWpD81tTwSYHq3Sx/aVvA/LSkfuOKgDFyclmxSM4o6qmKMYfanYyqaD9k\nTI/Xuf2aWrDWBRB3KqeKuVYj99tcTdcYbeYl4BeseAA8RJj5DOjLhnEAkgQWZN5O\nulT+uvBhCgVJaXPOJfIeGDnJkCeeAx1oa9RXztZItncUAvEWvS9Lvfl0YXnH9axf\n7ofqHhdocMX6w0yE42dGaqQQFWZCKsb+vUb2DaJrZCLQqoMitmHdMY+eOQacnxhN\niGzN43oEspGBaIxKFRFm/ZTvZc6hHCfhe6Uk6xqGUPgsIyzofoVsdarOq563MwID\nAQABoAAwDQYJKoZIhvcNAQENBQADggIBAGWhiUGy1TywCnScen8P1AkS+qUVKksR\niWP313J+3YW26aNfCtdsHdEzRCD/p/um8K6q5gEStdQRwMb0KaMdDYJTRR+1Wfi9\nT3xio6rVQbkBSgl6amCF36yuCX2QiHI2PfpBhTnV5Q16YOtjqLg+M2rxYMIKUpuB\nCsAmBbV2lRkl4M2vdP6GIjUuY/mAIRCh23cPeKaMi6vQthoMDRvBnybuZoh8YbEn\nbQ7tJbj0R/33zHRBUAUvNuN4qFSdOTB0icOnomFvOHGTe1ebDoR+jABCeS+ndePn\nIqf9hDi59NJQeR5huvbQa5gJMu1KMz1Hx4gQ2zTvHxS4K8VYFE4SMfpd8gNNKbJF\nVh2j+Mv3m5HPvwiGawEZAxZyRipyQ4GHc9pTCDdpfdyAfqOd3ogwEElnf2DfBb5x\n7mfiruOrcqQ9Kz6xYx2Xb0B3pSxTo5UamtL+ct5cabd+xQrhM7y2m5n8vvOkSne3\n+JH9wh7oMx3qRGzxS/aO9Fm6lGkE24f4QyO5KUHniD6Cl0E+mloMSIwb0hpX+zZf\nXs5v9JUAyaoiEeNsFsf01MDeIXuYYeY7x52qBNj8XsKbDeEnS9Fzf+qIX5Z2Lldb\ng0M6p/vXTZ+7YCFqphVnnx10E1BXnWBKDcOCDFXDxZ9clV+uxkVVJHgZFl1rNvyI\n1ATjjOZSmouN\n-----END CERTIFICATE REQUEST-----\n"
}

Get Certificate for NAE, KMIP, and WEB Interfaces

To get the certificate for an Interface, run:

Syntax

ksctl interfaces certificate get --name <interface/port> --identifiertype <identfier type> --icertfile <cert-file>

• name - specifies name or port number of the interface. The interface name can be "nae", "web", "kmip", or "ssh".

• identifiertype - type of the interface identifier. It can be "name" or "port". If not specified, the default interface identifier type will be "name".

• icertfile - pipes the certificate to the designated file.

**Example request 1 **

ksctl interfaces certificate get --name nae

Example response 1

{
    "certificates": "-----BEGIN CERTIFICATE-----\nMIICajCCAg+gAwIBAgIQX8CTju31Jry7vZyOCoIq+TAKBggqhkjOPQQDAjCBijEL\nMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlRYMQ8wDQYDVQQHEwZBdXN0aW4xNjA0BgNV\nBAkTLTk0NDIgQ2FwaXRhbCBvZiBUZXhhcyBIaWdod2F5IE5vcnRoIFN1aXRlIDQw\nMDEPMA0GA1UEChMGVGhhbGVzMRQwEgYDVQQDEwtDaXBoZXJUcnVzdDAeFw0yMzA0\nMTMwNzEwNTRaFw0yNDA0MTMwNzEwNTRaMIGKMQswCQYDVQQGEwJVUzELMAkGA1UE\nCBMCVFgxDzANBgNVBAcTBkF1c3RpbjE2MDQGA1UECRMtOTQ0MiBDYXBpdGFsIG9m\nIFRleGFzIEhpZ2h3YXkgTm9ydGggU3VpdGUgNDAwMQ8wDQYDVQQKEwZUaGFsZXMx\nFDASBgNVBAMTC0NpcGhlclRydXN0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nxP1SETV3zzuYodXPWGaIT46oJStDQj1dnp8QHTVSZjY6+dNZ/U6ZiOpR+yPlNXFs\nQmDfn/EtC0ViaAqbszQAF6NVMFMwDgYDVR0PAQH/BAQDAgKkMBMGA1UdJQQMMAoG\nCCsGAQUFBwMBMCwGA1UdEQQlMCOBIXRlY2huaWNhbC5zdXBwb3J0QHRoYWxlc2dy\nb3VwLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAmCR6dDLlPoAykXqmSCIbypFFq276\nFKcKRh1QLTrX8ncCIQCblJYOuV+PqLqg+7gwZ5+R6Y1LFsA4PqyPdnTLC6xz6g==\n-----END CERTIFICATE-----\n"
}

It returns the public portion of the certificate in the PEM format.

Example request 2 (identifiertype is set as port)

ksctl interfaces renewal-cert get --name 9000 --identifiertype port

Example response 2

{
    "certificates": "-----BEGIN CERTIFICATE-----\nMIICajCCAg+gAwIBAgIQX8CTju31Jry7vZyOCoIq+TAKBggqhkjOPQQDAjCBijEL\nMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlRYMQ8wDQYDVQQHEwZBdXN0aW4xNjA0BgNV\nBAkTLTk0NDIgQ2FwaXRhbCBvZiBUZXhhcyBIaWdod2F5IE5vcnRoIFN1aXRlIDQw\nMDEPMA0GA1UEChMGVGhhbGVzMRQwEgYDVQQDEwtDaXBoZXJUcnVzdDAeFw0yMzA0\nMTMwNzEwNTRaFw0yNDA0MTMwNzEwNTRaMIGKMQswCQYDVQQGEwJVUzELMAkGA1UE\nCBMCVFgxDzANBgNVBAcTBkF1c3RpbjE2MDQGA1UECRMtOTQ0MiBDYXBpdGFsIG9m\nIFRleGFzIEhpZ2h3YXkgTm9ydGgffgfgU3VpdGUgNDAwMQ8wDQYDVQQKEwZUaGFsZXMx\nFDASBgNVBAMTC0NpcGhlclRydXN0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nxP1SETV3zzuYodXPWGaIT46oJStDQj1dnp8QHTVSZjY6+dNZ/U6ZiOpR+yPlNXFs\nQmDfn/EtC0ViaAqbszQAF6NVMFMwDgYDVR0PAQH/BAQDAgKkMBMGA1UdJQQMMAoG\nCCsGAQUFBwMBMCwGA1UdEQQlMCOBIXRlY2huaWNhbC5zdXBwb3J0QHRoYWxlc2dy\nb3VwLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAmCR6dDLlPoAykXqmSCIbypFFq276\nFKcKRh1QLTrX8ncCIQCblJYOuV+PqLqg+7gwZ5+R6Y1LFsA4PqyPdnTLC6xz6g==\n-----END CERTIFICATE-----\n"
}

It returns the public portion of the certificate in the PEM format.

Example request 3 (identifiertype is set as name)

ksctl interfaces renewal-cert get --name nae --identifiertype name

Example response 3

{
    "certificates": "-----BEGIN CERTIFICATE-----\nMIICajCCAg+gAwIBAgIQX8CTju31Jry7vZyOCoIq+TAKBggqhkjOPQQDAjCBijEL\nMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlRYMQ8wDQYDVQQHEwZBdXN0aW4xNjA0BgNV\nBAkTLTk0NDIgQ2FwaXRhbCBvZiBUZXhhcyBIaWdod2F5IE5vcnRoIFN1aXRlIDQw\nMDEPMA0GA1UEChMGVGhhbGVzMRQwEgYDVQQDEwtDaXBoZXJUcnVzdDAeFw0ysdsdMzA0\nMTMwNzEwNTRaFw0yNDA0MTMwNzEwNTRaMIGKMQswCQYDVQQGEwJVUzELMAkGA1UE\nCBMCVFgxDzANBgNVBAcTBkF1c3RpbjE2MDQGA1UECRMtOTQ0MiBDYXBpdGFsIG9m\nIFRleGFzIEhpZ2h3YXkgTm9ydGggU3VpdGUgNDAwMQ8wDQYDVQQKEwZUaGFsZXMx\nFDASBgNVBAMTC0NpcGhlclRydXN0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nxP1SETV3zzuYodXPWGaIT46oJStDQj1dnp8QHTVSZjY6+dNZ/U6ZiOpR+yPlNXFs\nQmDfn/EtC0ViaAqbszQAF6NVMFMwDgYDVR0PAQH/BAQDAgKkMBMGA1UdJQQMMAoG\nCCsGAQUFBwMBMCwGA1UdEQQlMCOBIXRlY2huaWNhbC5zdXBwb3J0QHRoYWxlc2dy\nb3VwLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAmCR6dDLlPoAykXqmSCIbypFFq276\nFKcKRh1QLTrX8ncCIQCblJYOuV+PqLqg+7gwZ5+R6Y1LFsA4PqyPdnTLC6xz6g==\n-----END CERTIFICATE-----\n"
}

It returns the public portion of the certificate in the PEM format.

Auto-generation of server certificates (NAE, KMIP, and WEB)

By default, the CipherTrust Manager is configured to auto-generate a server certificate for each interface using the initial Local CA. The current certificate becomes the certificate issued by the Local CA. If the Local CA that is used to auto-generate is changed or updated, manually renew and apply the new certificate.

Note

Local CAs for interfaces are often updated when a backup is restored, necessitating manual renewal.

In case of cluster join, the existing Local CA of the new node is overwritten by the Local CAs from the cluster. Therefore, the current certficate of the new node issued by its Local CA becomes unknown to the cluster. As a result, auto-generation happens on the first restart of the new node after it joins the cluster.

Manually regenerating server certificates

To regenerate the server certificate manually for an interface, perform the following steps:

1. Set the CA ID on the interface for auto generation. 

   Syntax

   ksctl interfaces modify --name <interface-name> --auto-gen-ca-id <ca-id>

   Copy

   Example

   ksctl interfaces modify --name nae_all_9090 --auto-gen-ca-id kylo:kylo:naboo:localca:cf648c6d-2a0b-4427-a0b6-8f0e9157d15a

   Copy

2. Generate the server certificate.

   Syntax

   ksctl interfaces auto-gen-server-cert --name <interface-name> --pending-renewal <true/false>

   Copy

   Example

   ksctl interfaces auto-gen-server-cert --name nae_all_9090 --pending-renewal false

   Copy

   The above command updates the interface with the newly generated server certificate using the CA present in the auto-gen-ca-id field.

   If pending-renewal is set to true, the certificate will be saved as an upcoming/renewed certificate to be applied later.
   If pending-renewal is set to false (default behavior), the auto-generated server certificate will immediately apply on the server certificate resource and replace the currently active server certificate.

Changing the local CA used for auto-generation

If needed, the Local CA used for auto-generation of the server certificate can be changed. Run the following command:

Example

ksctl interfaces modify --name web --auto-gen-ca-id kylo:kylo:naboo:localca:cf648c6d-2a0b-4427-a0b6-8f0e9157d15a

Response

{
  "id": "3b85c5cf-6075-4555-a17c-2a12479081d4",
  "name": "web",
  "mode": "unauth-tls-opt-pw-opt",
  "cert_user_field": "CN",
  "auto_gen_ca_id": "kylo:kylo:naboo:localca:cf648c6d-2a0b-4427-a0b6-8f0e9157d15a",
  "trusted_cas": {
    "local": [
      "kylo:kylo:naboo:localca:cf648c6d-2a0b-4427-a0b6-8f0e9157d15a"
    ],
    "external": []
  },
  "createdAt": "2018-07-06T16:10:23.705291Z",
  "updatedAt": "2018-07-06T17:15:38.285859Z"
}

Disabling auto-generation of server certificate

To disable the auto-generation feature, run the following command:

Syntax

ksctl interfaces modify --name web --auto-gen-ca-id ""

Response

{
  "id": "3b85c5cf-6075-4555-a17c-2a12479081d4",
  "name": "web",
  "mode": "tls-cert-opt-pw-opt",
  "cert_user_field": "CN",
  "auto_gen_ca_id": "",
  "trusted_cas": {
    "local": [
      "kylo:kylo:naboo:localca:cf648c6d-2a0b-4427-a0b6-8f0e9157d15a"
    ],
    "external": []
  },
  "createdAt": "2018-07-06T16:10:23.705291Z",
  "updatedAt": "2018-07-06T17:16:41.119686Z"
}

Note

The auto-generation feature is automatically disabled if an external CA chain and server certificate are uploaded to the interface.

Customizing auto-generation of interface certificate

To supply custom fields for auto-generation of an interface certificate, specify --local-auto-gen-attributes-file in the ksctl interfaces modify command. For example, run:

ksctl interfaces modify --local-auto-gen-attributes-file <local-auto-gen-attributes-file-name>.json

The --local-auto-gen-attributes-file option specifies a file that contains attributes for auto-generation of a given interface. This provides an option to supply custom fields for automatic interface certification generation.

These parameters are for the local node only and have no effect on other nodes in a cluster. Without customization, the system default values are used, or taken from cloud-init, if applicable.

Content of a sample local auto-generation attributes file is:

{
  "cn": "KeySecure Server on ks.eng.thalesgroup.com",
  "dns_names": [
    "ks.eng.thalesgroup.com",
    "ks-ha.eng.thalesgroup.com"
  ],
  "email_addresses": [
    "admin1@eng.thalesgroup.com",
    "admin2@eng.thalesgroup.com"
  ],
  "ip_addresses": [
    "10.3.111.11",
    "10.3.111.22"
  ],
  "names": [
    {
      "C": "US",
      "ST": "CA",
      "L": "San Jose",
      "O": "Thales CPL",
      "OU": "Engineering"
    }
  ]
}

If fields for the auto-generation of an interface certificate are changed, on restart a new server certificate gets generated based on the new attributes and signed by the CA specified in the auto-gen-ca-id field.

Trusted CAs (NAE, KMIP, and WEB)

Each interface can have a set of either local and/or external trusted CAs for client authentication. By default each interface trusts the initial Local CA for client authentication but it can be modified by updating the interface. Please note that the concept of trusted CAs is only relevant when client authentication is used by updating the interface mode.

Example - configuration update for web interface to trust the set of two local CAs

Example

ksctl interfaces modify --name web --trusted-local-cas kylo:kylo:naboo:localca:d21584bd-7d8e-44a0-9eac-693f2fa32504,kylo:kylo:naboo:localca:cf648c6d-2a0b-4427-a0b6-8f0e9157d15a

Response

{
  "id": "3b85c5cf-6075-4555-a17c-2a12479081d4",
  "name": "web",
  "mode": "tls-cert-opt-pw-opt",
  "cert_user_field": "CN",
  "auto_gen_ca_id": "kylo:kylo:naboo:localca:cf648c6d-2a0b-4427-a0b6-8f0e9157d15a",
  "trusted_cas": {
    "local": [
      "kylo:kylo:naboo:localca:d21584bd-7d8e-44a0-9eac-693f2fa32504",
      "kylo:kylo:naboo:localca:cf648c6d-2a0b-4427-a0b6-8f0e9157d15a"
    ],
    "external": []
  },
  "createdAt": "2018-07-06T16:10:23.705291Z",
  "updatedAt": "2018-07-06T17:35:29.053809Z"
}

Example - configuration update for web interface to trust the set of two external CAs

Example

ksctl interfaces modify --name web --trusted-external-cas kylo:kylo:naboo:localca:d21584bd-7d8e-44a0-9eac-693f2fa32504,kylo:kylo:naboo:localca:cf648c6d-2a0b-4427-a0b6-8f0e9157d15a

Response

{
    "id": "3b85c5cf-6075-4555-a17c-2a12479081d4",
    "name": "web",
    "mode": "tls-cert-opt-pw-opt",
    "cert_user_field": "CN",
    "auto_gen_ca_id": "kylo:kylo:naboo:localca:cf648c6d-2a0b-4427-a0b6-8f0e9157d15a",
    "trusted_cas": {
        "local": [],
        "external": [
            "kylo:kylo:naboo:localca:d21584bd-7d8e-44a0-9eac-693f2fa32504",
            "kylo:kylo:naboo:localca:cf648c6d-2a0b-4427-a0b6-8f0e9157d15a"
        ]
    },
    "createdAt": "2018-07-06T16:10:23.705291Z",
    "updatedAt": "2018-07-06T17:35:29.053809Z"
}

Enforcing Client Validation on NAE Interface

The allow_unregistered flag is added to prohibit the unregistered clients to access the CipherTrust Manager. For new NAE interfaces, the default value of this flag is set to false, however, you can change the value of this flag to true (allowing unregistered clients to access the CipherTrust Manager).

Note

Although the allow_unregistered flag is configurable, but it is recommended not to change the value of the flag from false (default) to true for the new NAE interfaces, or else an alarm will be triggered. This flag is applicable only for NAE interfaces.

For old (legacy), already existing interfaces, the allow_unregistered flag is set to true for backward compatibility. For such interfaces, whenever a connection is established with the CipherTrust Manager, a record gets generated with the following message "Unregistered client found, please register a client. System may go out of compliance." and the connection continues to work.

When allow_unregistered flag is set to false and an unregistered client tries to connect, a record gets generated with the following message "Client registration enforcement enabled. Unregistered client found, please register a new client manually or enable auto registration."

Creating NAE Interface

To create an NAE interface, run:

Syntax

ksctl interfaces create --type <Interface-type> --port <Port> --allow-unregistered <true/false>

Request

ksctl interfaces create --type nae --port 9002 --allow-unregistered true

Response

{
    "id": "4540efac-8180-4265-bc81-75d3e1ce26d5",
    "name": "nae_all_9002",
    "mode": "unauth-tls-pw-req",
    "cert_user_field": "CN",
    "auto_gen_ca_id": "kylo:kylo:naboo:localca:1804704e-029c-4bd7-9d47-3c947c6d08fd",
    "trusted_cas": {
            "local": [
                    "kylo:kylo:naboo:localca:1804704e-029c-4bd7-9d47-3c947c6d08fd"
            ]
    },
    "createdAt": "2022-12-01T05:07:46.972399Z",
    "updatedAt": "2022-12-01T05:07:46.972399Z",
    "default_connection": "local_account",
    "port": 9002,
    "network_interface": "all",
    "interface_type": "nae",
    "minimum_tls_version": "tls_1_2",
    "maximum_tls_version": "tls_1_3",
    "local_auto_gen_attributes": {
            "cn": "nae_all_9002.ciphertrustmanager.local",
            "dns_names": [
                    "nae_all_9002.ciphertrustmanager.local"
            ],
            "email_addresses": [
                    "technical.support@thalesgroup.com"
            ],
            "names": [
                    {
                            "C": "US",
                            "ST": "TX",
                            "L": "Austin",
                            "O": "Thales",
                            "OU": ""
                    }
            ],
            "generated": false
    },
    "enabled": true,
    "meta": {},
    "tls_ciphers": [
            {
                    "cipher_suite": "TLS_AES_256_GCM_SHA384",
                    "enabled": true,
                    "configurable": false
            },
            {
                    "cipher_suite": "TLS_CHACHA20_POLY1305_SHA256",
                    "enabled": true,
                    "configurable": false
            },
            {
                    "cipher_suite": "TLS_AES_128_GCM_SHA256",
                    "enabled": true,
                    "configurable": false
            },
            {
                    "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
                    "enabled": true,
                    "configurable": true
            },
            {
                    "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                    "enabled": true,
                    "configurable": true
            },
            {
                    "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                    "enabled": true,
                    "configurable": true
            },
            {
                    "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                    "enabled": true,
                    "configurable": true
            },
            {
                    "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
                    "enabled": false,
                    "configurable": true
            },
            {
                    "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
                    "enabled": false,
                    "configurable": true
            },
            {
                    "cipher_suite": "TLS_RSA_WITH_AES_128_CBC_SHA256",
                    "enabled": false,
                    "configurable": true
            },
            {
                    "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
                    "enabled": false,
                    "configurable": false
            },
            {
                    "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
                    "enabled": false,
                    "configurable": false
            },
            {
                    "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
                    "enabled": false,
                    "configurable": false
            },
            {
                    "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
                    "enabled": false,
                    "configurable": false
            },
            {
                    "cipher_suite": "TLS_RSA_WITH_AES_256_CBC_SHA",
                    "enabled": false,
                    "configurable": false
            },
            {
                    "cipher_suite": "TLS_RSA_WITH_AES_128_CBC_SHA",
                    "enabled": false,
                    "configurable": false
            }
    ],
    "allow_unregistered": true
}

Updating NAE Interface

To modify an NAE interface, run:

Syntax

ksctl interfaces modify --type <Interface-type> --port <Port> --allow-unregistered <true/false>

Request

ksctl interfaces modify --type nae --port 9002 --allow-unregistered false

Response

{
    "id": "4540efac-8180-4265-bc81-75d3e1ce26d5",
    "name": "nae_all_9002",
    "mode": "unauth-tls-pw-req",
    "cert_user_field": "CN",
    "auto_gen_ca_id": "kylo:kylo:naboo:localca:1804704e-029c-4bd7-9d47-3c947c6d08fd",
    "trusted_cas": {
        "local": [
            "kylo:kylo:naboo:localca:1804704e-029c-4bd7-9d47-3c947c6d08fd"
        ]
    },
    "createdAt": "2022-12-01T05:07:46.972399Z",
    "updatedAt": "2022-12-01T05:08:50.697664Z",
    "default_connection": "local_account",
    "port": 9002,
    "network_interface": "all",
    "interface_type": "nae",
    "minimum_tls_version": "tls_1_2",
    "maximum_tls_version": "tls_1_3",
    "local_auto_gen_attributes": {
        "cn": "nae_all_9002.ciphertrustmanager.local",
        "dns_names": [
            "nae_all_9002.ciphertrustmanager.local"
        ],
        "email_addresses": [
            "technical.support@thalesgroup.com"
        ],
        "names": [
            {
                "C": "US",
                "ST": "TX",
                "L": "Austin",
                "O": "Thales",
                "OU": ""
            }
        ],
        "generated": false
    },
    "enabled": true,
    "meta": {},
    "tls_ciphers": [
        {
            "cipher_suite": "TLS_AES_256_GCM_SHA384",
            "enabled": true,
            "configurable": false
        },
        {
            "cipher_suite": "TLS_CHACHA20_POLY1305_SHA256",
            "enabled": true,
            "configurable": false
        },
        {
            "cipher_suite": "TLS_AES_128_GCM_SHA256",
            "enabled": true,
            "configurable": false
        },
        {
            "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "enabled": true,
            "configurable": true
        },
        {
            "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "enabled": true,
            "configurable": true
        },
        {
            "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "enabled": true,
            "configurable": true
        },
        {
            "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "enabled": true,
            "configurable": true
        },
        {
            "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
            "enabled": false,
            "configurable": true
        },
        {
            "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
            "enabled": false,
            "configurable": true
        },
        {
            "cipher_suite": "TLS_RSA_WITH_AES_128_CBC_SHA256",
            "enabled": false,
            "configurable": true
        },
        {
            "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
            "enabled": false,
            "configurable": false
        },
        {
            "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
            "enabled": false,
            "configurable": false
        },
        {
            "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
            "enabled": false,
            "configurable": false
        },
        {
            "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
            "enabled": false,
            "configurable": false
        },
        {
            "cipher_suite": "TLS_RSA_WITH_AES_256_CBC_SHA",
            "enabled": false,
            "configurable": false
        },
        {
            "cipher_suite": "TLS_RSA_WITH_AES_128_CBC_SHA",
            "enabled": false,
            "configurable": false
        }
    ],
    "allow_unregistered": false
}

Interface Certificate Expiration Check

The CipherTrust Manager inspects the expiration date of interface server certificates everyday, at a preset system time to log the record for the following interfaces:

• WEB

• NAE

• KMIP

The CipherTrust Manager then creates list of certificates based on their expiration date:

• Certificates whose expiration dates are within 91 days.

  This list is logged in the Records section once every week.

• Certificates whose expiration dates are within 7 days.

  This list is logged in the Records section once every day.

• Certificates that are already expired.

  This list is logged in the Records section once every day.

You can also create alarm triggers for these records. For more details, go to Creating Alarm Trigger for Interface Certificate Expiration.

Create/modify the NAE interface to mask system groups from NAE requests

Syntax

ksctl interfaces create --type nae --port <port number> --mask-system-groups <bool>
ksctl interfaces modify -n <interface-name> --mask-system-groups <bool>

Here:

• <interface name> : It is the name of the interface.

• <bool> : It can be either true or false.

• <port number> : It can be any positive number for which port is not allocated.

Note

System-defined groups can be masked if the mask_system_groups flag is set to true for the NAE interface. The groups will be masked for:

• UserInfoRequest

• UserQueryRequest

• UserGroupInfoRequest

• UserGroupQueryRequest

Example

ksctl interfaces modify -n nae_all_9001 --mask-system-groups true

Response

{
  "id": "513abafa-c22c-471f-a6b9-42762efab3dd",
  "name": "nae_all_9001",
  "mode": "no-tls-pw-opt",
  "cert_user_field": "CN",
  "default_connection": "local_account",
  "port": 9001,
  "network_interface": "all",
  "interface_type": "nae",
  "minimum_tls_version": "tls_1_2",
  "maximum_tls_version": "tls_1_3",
  "enabled": true,
  "meta": {
    "nae": {
      "mask_system_groups": true
    }
  }
}

Copying server certificate using use-certificate

The use-certificate command copies the server certificate from one interface to another. To copy the server certificate from the source interface to destination interface, run:

Example

ksctl interfaces use-certificate --name <destination-interface-name> --copy-from <source-interface-name> --pending-renewal <true/false>

Example

ksctl interfaces use-certificate --name nae --copy-from kmip --pending-renewal false

Response

{
    "certificates": "-----BEGIN CERTIFICATE-----\nMIIGTzCCBDegAwIBAgIQYJwg3iN+Se9KKqJwaP2cqzANBgkqhkiG9w0BAQsFADBa\nMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVFgxDzANBgNVBAcTBkF1c3RpbjEPMA0G\nA1UEChMGVGhhbGVzMRwwGgYDVQQDExNDaXBoZXJUcnVzdCBSb290IENBMB4XDTIy\nMDgwNzE3MDYwNloXDTI0MTExMDE3MDYwNlowZDELMAkGA1UEBhMCVVMxCzAJBgNV\nBAgTAlRYMQ8wDQYDVQQHEwZBdXN0aW4xDzANBgNVBAoTBlRoYWxlczEmMCQGA1UE\nAxMda21pcC5jaXBoZXJ0cnVzdG1hbmFnZXIubG9jYWwwggIiMA0GCSqGSIb3DQEB\nAQUAA4ICDwAwggIKAoICAQCvzUlnb4VKX02bpXF68YCv4YY85INI5JxXA425lMcL\ntiArftMoP8tBe2uYVlKSPpqUp9X3DALRGNlIKiJfNU6D/E2CENjAbmlgFuE5sBfV\nhlY5QzG8b868gY9JbI+slZgcYUfhR0rcRqAb3TfEhrwKgDDudPIRXpQXBGg3cf+4\npyUU9tPFZaz/rqjHrYGC3wUVuVXFNTTRtjuXk5pmFDViDmzYkDNXwxH/Eu1QOHiX\nooQCUCvXSsDWYPKZ2cRRnc91R7vl63MaeSYO6BBRNMBj6pKQSrcPKWqhciluuGZ7\n/DI2gq6m5nnSnNwrtlQBMUvLM2MZ7bQpP+K2U4R4mJg7TORHY51BVIJ70MNrH+db\nD3A6xYN+v//YFsyXbLnbOgvNchf7cKh0EQy2AS2/78Cn5GVgs1vq/opWl+XvEwuH\noNiG6SDtNbprbdO0L8XiGf63huOMaRSLKgVpv9Toco3uTrjmCOG47/h88ducloIp\n8b8Dg38vboMNakiFy4Z1gOXhvMctWkUn6Pd5gSj+dj6ciVPeiQf6crmvrpreiKcb\nfTvwi23gmPTmiCP12ekJqEnvBXqUeMaFxQbSb542eo5kwA7jKB0vtwVM1FPJHVEm\nCGg0Ia8tS37C9MOq4uRWVc9qIRFghGhNpgDECi2WkRjArnJESXVtZ5u6NrM5uOeo\n7wIDAQABo4IBBTCCAQEwDgYDVR0PAQH/BAQDAgOIMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUWGMDcXupXn4XJ1u1b6qQFL4Y\nV9wwSwYDVR0RBEQwQoIda21pcC5jaXBoZXJ0cnVzdG1hbmFnZXIubG9jYWyBIXRl\nY2huaWNhbC5zdXBwb3J0QHRoYWxlc2dyb3VwLmNvbTBeBgNVHR8EVzBVMFOgUaBP\nhk1odHRwOi8vY2lwaGVydHJ1c3RtYW5hZ2VyLmxvY2FsL2NybHMvYzlhMTkyNDQt\nZDRjZS00NzdkLTg0ZjItZTQ1ZDVlNzQ4MGU1LmNybDANBgkqhkiG9w0BAQsFAAOC\nAgEAFXIxyjuFWovHp8oAtOvAOpFtV7Mt4suBcnubmGW17eonGH7SZaFiV+2JsCQz\nbPrk1hacY3ZAAJhQm1KcIO3GA6D9b8lqyC5QdvdOWehhSEW6GiHzPjoTtk1bpIAo\n39GNOByFkrn1Os5KJf8F86GTX8u4MqXtaSUaHp7ChRK5wrZFve+QJXd5bxe3oW72\ne8sUH13wDLHT80aHJS17S2sbYfwU1pdS8OMYi2wBQBw+G4HUac+qlK02Kd8wo118\nmAx//y8G36muuPBhSUI0QK+DMTrqExu4WHhBMyh0oqxdIzOao5pJe2KtOYky97Pq\nUHmUkM1pESVp/D2F3b42z60LBuhB41+vkHeoJLZtRzGpS7FbzUD7I/w4wV4d5Y34\n44lvi/WDk636ihNG84rnav0fBzxsDuVWwy4i6b+OUBi+69MB/7UsPINF+GOf0h1b\nD46hjKzBbNjJUF0YkikYAkkzhBgn7vh4rJaK/4/pn5rCyMV1s8kaI0cj/t9n4sWE\nHKX/+MzV4dRvHq49A8pFvFd1QQHhUGYvjI8Y2Xq+oKHvcTZi+6t5E4LsC6Mjv4Ml\njC68snW44W1NFyTs5EQ8UimOdahJ47/ixwhibFmqd9XR8EORI7OmkoErpzEAvECZ\n+teWtxaOrKYXRp/iJC8Xemo7d3R1cTvzeIUrQOT6j0GbD3o=\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIFrjCCA5agAwIBAgIQc5E0XlKTJUd/jzRQrApHRTANBgkqhkiG9w0BAQsFADBa\nMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVFgxDzANBgNVBAcTBkF1c3RpbjEPMA0G\nA1UEChMGVGhhbGVzMRwwGgYDVQQDExNDaXBoZXJUcnVzdCBSb290IENBMB4XDTIy\nMDgwNzE3MDYwMFoXDTMyMDgwNTE3MDYwMFowWjELMAkGA1UEBhMCVVMxCzAJBgNV\nBAgTAlRYMQ8wDQYDVQQHEwZBdXN0aW4xDzANBgNVBAoTBlRoYWxlczEcMBoGA1UE\nAxMTQ2lwaGVyVHJ1c3QgUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC\nAgoCggIBAMinbWVEuF/4aNLM9RqjdcTMFWuUonwU0CHHAOP5ID1nt+eAq6zY6RCo\n1/+YFymJJbikzABRtGoIfyJscHt8e5+5qyXRh+eImSBOxk1iWnj/EA9XSkVUqFBE\nlo1nDn/DTHOo+hnYSgnK7+BwP2EdPXdO9P0ne3QXeTm5ZXBvQQVTJgaBLEOmkwLn\npL1+twzRmdsGVQ9DTOOhFktl2e5HnYgNijluSqbEt1UbZxNsG6WsuywqNld28Jt7\nv+CGSzH8B9c8DVCPfxQro0VJzxOG4S2RzNTo3HzHBza+Ct+w9AwJk4tVlnOJ7HMt\nrw1j+rfBtHiL0ISFvYeLdL9TwVT0cYzPX9/kwqGrmKlWs7+CBYS7rYVo5PJ8qLd9\ndCZpWH1dS50ix6fF0X3/bNsEpAeGxhI9XZJ3ojP3h9PMtphGF4auBbybRfKoL7tj\nR7CMEANy+yIDMnEYTrwu3y6KdmAPpaOwIwk9dM6YGjS2a5tANcVTkoAsatfwUFA9\nNVP48Lu5fkHpCLdWvwpBQXHEHxwWFgys1+DYixj+ewl2d8vFzwBoY0gHQ11fgKIF\nF7h9NaLii2cvqpmFzRQP1eRtZ/I0kc/SyU1crpNwXSvdp31fWnxMTspGHAADbL4q\nK2KDdqr4zdiPA1BxinJcg1cpfLYRcPQP7tH45TjCxZNJsmZ0f4wLAgMBAAGjcDBu\nMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRYYwNx\ne6lefhcnW7VvqpAUvhhX3DAsBgNVHREEJTAjgSF0ZWNobmljYWwuc3VwcG9ydEB0\naGFsZXNncm91cC5jb20wDQYJKoZIhvcNAQELBQADggIBAIyY4uYqW19SgyQf22A9\ncoDBiGmp97BPbL+jUM+rWhf9ytEOt0tU7e+bVi77l6ItZEl9JMf1U6XJnPX15R6r\nrCiWzKa9nSnZmSt+D62+dNYvvx3wP7zc8OlW2ckkP+8dXnGEWlDLa+BFCHbbth9C\nrB7kBCuydS1a+6QQxUS4ny5APPtwZs7gKhcOW9ExNOouuLWJ/1Zye46Z+4PCEFpn\nOFk9zFjcTuMO4l4gTLJwKvqRd/dlT1MnIc+xMUjyQ8M77zWJhC3iysssHNWRdNxU\nVJCyOezrbV/ZMQA2VVw9/6FfZfQXyynMSBduYXO7g7SVdYfNaTvpCyGHwOFQGuuy\nJzKnH6jG1u7qRF6JhKCPQwVNOmIyDENTGIhkxKnxZGNgssk7mpXnBmvK4wXOmC96\nm1Re5auo6hoorsk3JFPbgTT2zSZmwGf7CuzMuH+ZTvhlnJNdpqrkGffAdEe7rMPT\nBqVCS1iB9Isq1lJBPbGlfcIXBDpKUdLHmZ+CNlHOPMqeYUJO89yd/CV8LQbN++ns\nagicBOm8UF0kFZmihydenrw7hC5GKEO5r9rXv6YV9nC6RAREC5Ai7DPdsQG/eVaw\n7f/KKWtmTBYSSajo82xL/9C1E7NGqigfaq0Ly3dAjFzHKRZMEt/rAmL9oD9XNuSl\nRWO6+JZN7BEXo5Uiuajg7kyW\n-----END CERTIFICATE-----\n"
}

In the response above, you can see the copied server certificate from the kmip interface.

If pending-renewal is set to true, the certificate will be saved as an upcoming/renewed certificate to be applied later
If pending-renewal is set to false (default behavior), the auto-generated server certificate will immediately apply on the server certificate resource and replace the currently active server certificate.