Certificate Renewal
If the CA that signed the client certificate or the web interface certificate is modified, the CTE client is notified about this change. The CTE client can now generate or install a new certificate and update the truststore for uninterrupted connections.
Refer to CA Certificates Renewal Notification for compatiblity information.
Client Certificate Renewal
CTE Agents with the CA_RENEWAL
capability support the CA renewal feature. When the CA (local or external) is updated in a client management profile, the Client Profile updated
message is logged on the CipherTrust Manager. Also, all the clients linked with the updated client management profile are notified of the CA update. A message RenewCerts - Renewal has been scheduled - OK
is generated in the VMD logs (client logs) on the linked clients.
Note
Client certificate renewal is applicable to all the CA_RENEWAL
capable CTE clients in all the domains of the CipherTrust Manager.
Possible Scenarios
Client with the CA_RENEWAL Capability is Active
A CTE client with the CA_RENEWAL
capability is active. After the CA is updated in a client management profile:
The active client with the
CA_RENEWAL
capability linked with the updated profile receive the certificate renewal notification.The CTE Agent generates a log of CA renewal,
RenewCerts: Renewal has been scheduled - OK
, in the client logs. The client continues to work properly after the CA renewal.
All the active and CA_RENEWAL
capable CTE clients linked with the updated client management profile reflect the same behavior.
Client with the CA_RENEWAL Capability is Inactive
A CTE client with the CA_RENEWAL
capability is inactive, that is, unable to communicate with the CipherTrust Manager it is registered with. In this case, if the CipherTrust Manager administrator updates the CA in the linked client management profile, the following message is generated in the CipherTrust Manager logs. This shows that the client can't be notified of the CA update.
Client cert updated. LONGPOLL connection is not available for client
The CA Renewal Notification ERROR message is also logged in the audit records on the CipherTrust Manager (Records > Loki Audit Records > Server Records).
Now, if the connection between the client and the CipherTrust Manager is restored:
The CipherTrust Manager log shows that a
LONGPOLL
command ofRenewCertificates
is sent to the clients. This indicates that the communication between the CipherTrust Manager and the client is enabled. The client is notified of the CA update.The client log shows
RenewCerts: OK - Renewal has been scheduled
.
Note
If a client with the CA_RENEWAL
capability is inactive (disabled or unreachable), the CipherTrust Manager can't notify the client of the certificate update. The CipherTrust Manager will retry notifying the client when it is active again.
Client with the CA_RENEWAL Capability is Registered with an Unsupported CipherTrust Manager Version
A CTE client with the CA_RENEWAL
capability is registered with a CipherTrust Manager version that does not support certificate renewal notification. In this case, if the CA is updated in the linked client management profile, the CipherTrust Manager can't notify the linked clients of any CA updates.
Client Doesn't have the CA_RENEWAL Capability
A CTE Agent doesn't have the CA_RENEWAL
capability. In this case, if the CA is updated in the linked client management profile, the CipherTrust Manager doesn't send CA update notifications to the client. An audit record is logged on the CipherTrust Manager.
When the CA in the linked client management profile is updated:
A message
Client Profile updated
is displayed on the CipherTrust Manager GUI.A message
Client Cert updated. Cert renewal notification are not supported for the CTE Client
is logged on the CipherTrust Manager. The CA Renewal Notification ERROR message is also logged in the audit records on the CipherTrust Manager (Records > Loki Audit Records > Server Records).
Web Interface Certificate Renewal
When the CipherTrust Manager's web interface certificate is updated (or renewed), all the CA_RENEWAL
capable CTE clients from all the domains of the CipherTrust Manager are notified of the changes in the web interface certificate.
Click the desired tab to view instructions to update the web interface certificate through the API or GUI.
To update the web interface certificate:
Add the new certificate to the list of upcoming interface certificates.
put /v1/configs/interfaces/web/renewal-certificate
In the
certificate
parameter, specify the certificate chain having the primary certificate, the CA, and its private key. Also, specify theformat
parameter.After the upcoming certificate is updated successfully
The active
CA_RENEWAL
capable clients receive notification of this update.The CipherTrust Manager logs show that a
LONGPOLL
command ofRenewCertificates
is sent to the active clients. The clients are notified of the web interface certificate update.The client log shows
RenewCerts: OK - CA trust store updated
.
The CTE Agent updates the truststore with the new certificate chain. Both the old and the updated certificates are stored on the client at:
/opt/vormetric/DataSecurityExpert/agent/secfs/.sec/pem
Fetch the upcoming renewal certificate.
get /v1/configs/interfaces/web/renewal-certificate
The command returns the public portion (only public key and CA chain) of the upcoming renewal certificate in the PEM format.
When the current interface certificate is about to expire, apply the new certificate.
post /v1/configs/interfaces/{interface}/renewal-certificate/apply
Note
If the new certificate is not applied before the current certificate expires, the new certificate will be automatically applied when the current certificate expires.
To renew the web certificate:
Upload the updated web certificate
Go to Admin Settings > Interfaces.
Click the Overflow Icon () next to the web interface.
Click Renewal Certificate Options... The Interface Renewal Certificate Options on 'web' dialog box is displayed.
Click Upload/Generate to upload a new server certificate.
Click OK. The Upload/Generate Upcoming Certificate dialog box is displayed.
Select a certificate upload option. You can either upload the certificate using the File Upload option or paste the signed certificate and its private key content in the Text field.
Select PEM as Format.
Click Upload Certificate. The certificate is uploaded successfully.
Apply the new certificate
When the current interface certificate is about to expire, you need to apply the newly uploaded certificate.
Click the Overflow Icon () next to the web interface.
Click Renewal Certificate Options... The Interface Renewal Certificate Options on 'web' dialog box is displayed.
Click Apply to apply the upcoming renewal server certificate. The existing server certificate is replaced with the newly generated server certificate.
Note
If the new certificate is not applied before the current certificate expires, the new certificate will be automatically applied when the current certificate expires.
Refer to managing upcoming server certificate for details on upcoming server certificates.
After the CTE Agent has successfully updated the truststore and the updated web interface certificate is applied successfully, the CA_RENEWAL
capable clients start communicating with the CipherTrust Manager over the renewed certificate.
Important Notes
The CipherTrust Manager doesn't notify the clients that don't have the
CA_RENEWAL
capability. The following message is displayed in the CipherTrust Manager logs for such clients.Web interface CA is updated but Auto-CA Renewal is not supported for the CTE Client
The CA Renewal Notification ERROR message is also logged in the audit records on the CipherTrust Manager (Records > Loki Audit Records > Server Records).
The CipherTrust Manager retries notifying all the
CA_RENEWAL
capable clients whether they are active or inactive.If a client with the
CA_RENEWAL
capability is inactive (disabled or unreachable), the CipherTrust Manager can't notify the client of the certificate update (until it is active). The following message is displayed in the CipherTrust Manager logs.Failed to notify the CTE client
The CA Renewal Notification ERROR message is also logged in the audit records on the CipherTrust Manager (Records > Loki Audit Records > Server Records).
The CipherTrust Manager retries notifying the client of the update when the client is active again (the connection is re-established). A
LONGPOLL
messageSending pending event to CTE client
is displayed in the CipherTrust Manager logs.After the client is notified of the update, the Agent updates the truststore. A message
RenewCerts: OK - CA trust store updated
is logged in the client logs.
Caution
Restore the connectivity of inactive clients with the
CA_RENEWAL
capability before applying the updated web interface certificate. If the certificate is applied when a client is inactive, the client needs to be reregistered.In a clustered environment, all the CipherTrust Manager nodes must have the same certificate active. If the web interface certificate is renewed (updated and applied) at one node, the same certificate chain must be renewed on all nodes of the CipherTrust Manager cluster. Failure to do so can break the connectivity and the CTE clients need to be reregistered.