How to Change Local CA or External CA for CTE
How to Change Local CA
The CipherTrust Manager allows you to renew the local CA certificates in the certificate chain when they are about to expire.
When a local CA in the certificate chain expires, the entire certificate chain validation fails.
In such scenarios, the user has to create a new CA and then renew the client certificates, the server certificates, or both using the new CA.
When to Renew
To avoid any service downtime, it is recommended to prepare the new Local CA certificate chain in advance, before the current CA expires. During the overlap period, the new server certificate chain described in the section below should be downloaded and added to the trust store on each client.
How to Renew on the Web Console UI
The CA certificate chain renewal process contains the following steps:
Create a new local CA using the same attributes as an existing CA.
Renew server certificates issued by the original local CA.
Create a New Local CA Using the Same Attributes as Existing CA
Log on to CipherTrust Manager as a user in the Admins group, such as admin.
Navigate to CA > Local.
In the Local Certificate Authorities table, find the local CA to copy attributes from. Click the corresponding overflow icon (ellipsis) and select Renew.
A CSR with the same attributes as the local CA is present in the Pending CAs table.
Sign the CSR to Make the New Local CA Active
Self-sign:
Find the desired CSR in the Pending CAs table.
Click the overflow icon and select Self-sign.
Set a Duration (days). Default is 365.
Caution
When a CA expires, all the certificates it has issued also expire. If you use a Local CA for client and server certificates that access CipherTrust Manager, you must replace the certificate chain across multiple interfaces and clients before the Local CA expires to maintain communication. When setting the CA duration, consider how often your organization is prepared to perform this maintenance.
Click Save. The new Local CA appears in the table.
Sign with an Existing Local CA:
Find the desired CSR in the Pending CAs table.
Copy or download the CSR.
Click the overflow icon.
Select either of the following:
Copy CSR to copy the CSR contents to the clipboard.
Download CSR to download the CSR as a file.
In the Local Certificate Authorities table, find the signing CA and click its name.
Click Upload CSR and:
Specify the Display name for the new CA.
In the CSR field, paste CSR text.
Choose CA as Certificate Purpose.
Set the Duration in days before the new CA will expire.
Caution
When a CA expires, all the certificates it has issued also expire. If you use a Local CA for client and server certificates that access CipherTrust Manager, you must replace the certificate chain across multiple interfaces and clients before the Local CA expires to maintain communication. When setting the CA duration, consider how often your organization is prepared to perform this maintenance.
Click Issue Certificate.
Copy or download the new CA certificate.
Find the new CA certificate in the Certificates issued by table.
Click the corresponding overflow icon.
Select either Copy to copy the CA certificate contents to the clipboard, or Download to download the CA certificate as a file.
Return to CA > Local, locate the CSR in the Pending CAs table, click the corresponding overflow icon, and select Install.
Choose Local CA as Parent CA Type.
From the Select Local Parent CA drop-down, select the local CA that signed the CA certificate.
Paste certificate text in the Certificate field.
Click Save.
Sign with an External CA:
Make sure the external CA is added via CA > External. An external CA must exist on this page. If no external CA exists, add one.
Navigate to CA > Local.
Find the desired CSR in the Pending CAs table.
Copy or download the CSR.
Click the overflow icon.
Select either of the following:
Copy CSR to copy the CSR contents to the clipboard.
Download CSR to download the CSR as a file.
Sign the CSR externally, then retain the signed certificate.
Caution
When a CA expires, all the certificates it has issued also expire. If you use a Local CA for client and server certificates that access CipherTrust Manager, you must replace the certificate chain across multiple interfaces and clients before the Local CA expires to maintain communication. When setting the CA duration, consider how often your organization is prepared to perform this maintenance.
Return to CA > Local, find the CSR in the Pending CAs table, click the corresponding overflow icon, and select Install.
Choose External CA as Parent CA Type.
From the Select External Parent CA drop-down, select the external CA that signed the CA certificate.
Paste certificate text in the Certificate field.
Click Save.
The new local CA is now created and visible in the Local Certificate Authorities table. Note down the CA's name for renewing certificates.
Renew Server Certificate Using New Local CA
Issue a new server certificate from the new CA. See Issuing Certificate Signed by Local CA for details.
Create a certificate chain in PEM or PKCS12 format with the following in the given order:
Server certificate
Intermediate CAs, in hierarchy order: start with the intermediate CA that issued the server certificate, then add the issuer of that intermediate CA, if any, and continue up the hierarchy, each time adding the issuer of the last certificate you added, until you reach the intermediate CA signed by the root CA.
Root CA
Note
In PEM format, include the server certificate's private key first. In PKCS#12 format, include it last.
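The chain assembly and order checks above, as an added shell example that is not from the CipherTrust documentation or the product's own tooling: it uses openssl on a constructed throw-away PKI (the Demo root/inter/server names, the file paths and the single intermediate are assumptions) and covers only the PEM format.

```shell
#!/bin/sh
# Added example, not CipherTrust's own tooling. It builds a constructed
# throw-away PKI (root -> intermediate -> server) with openssl, assembles
# the PEM chain in the order required above (private key first, then the
# server certificate, the intermediate CA and the root CA) and checks that
# order before anything is uploaded.
set -e

# Build the demo PKI in a temp directory and print its path.
make_demo_pki() {
  d=$(mktemp -d)
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$d/srv.ext"
  for name in root inter server; do
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -subj "/CN=Demo $name" -keyout "$d/$name.key" -out "$d/$name.csr" >/dev/null 2>&1
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
    -extfile "$d/ca.ext" -out "$d/root.crt" >/dev/null 2>&1
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/inter.crt" >/dev/null 2>&1
  openssl x509 -req -in "$d/server.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
    -CAcreateserial -days 30 -extfile "$d/srv.ext" -out "$d/server.crt" >/dev/null 2>&1
  echo "$d"
}

# PEM order from the procedure: key, server certificate, intermediate(s), root.
build_pem_chain() {
  cat "$1/server.key" "$1/server.crt" "$1/inter.crt" "$1/root.crt" > "$1/chain.pem"
}

# Checks: the key block comes first, each certificate is issued by the one that
# follows it, and the leaf verifies against the last certificate as trust anchor.
verify_pem_chain() {
  chain="$1/chain.pem"
  head -n 1 "$chain" | grep -q 'BEGIN .*PRIVATE KEY' || return 1
  # split certificate blocks, in order, into cert.1, cert.2, ...
  awk -v dir="$1" '/BEGIN CERTIFICATE/{n++} n{print > (dir "/cert." n)}' "$chain"
  n=$(grep -c 'BEGIN CERTIFICATE' "$chain")
  i=1
  while [ "$i" -lt "$n" ]; do
    issuer=$(openssl x509 -noout -issuer -in "$1/cert.$i" | sed 's/^issuer=//')
    subject=$(openssl x509 -noout -subject -in "$1/cert.$((i + 1))" | sed 's/^subject=//')
    [ "$issuer" = "$subject" ] || return 1
    i=$((i + 1))
  done
  # one intermediate is assumed here, as in the demo PKI
  openssl verify -CAfile "$1/cert.$n" -untrusted "$1/cert.2" "$1/cert.1" >/dev/null 2>&1
}
```

Run verify_pem_chain against the chain you intend to upload; a non-zero exit means the key is not first or the certificates are not in issuer order.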
Upload the chain on CipherTrust Manager's interface associated with the clients.
Log on to CipherTrust Manager as a user in the Admins group, such as admin.
Go to Admin Settings > Interfaces.
In the table, find the interface associated with the clients.
Most clients authenticate to the web interface.
NAE clients authenticate to the original nae interface, or additional NAE interfaces created later.
KMIP clients authenticate to the original kmip interface, or additional KMIP interfaces created later.
Upload the renewal certificate. See Upload renewal server certificate for details.
For clients, the uploaded certificate chain is available for download.
Add the downloaded certificate to the client trust store.
Now, the clients can use this new chain to set up their environment.
(Optional) After the clients have been updated with the new certificate chain, apply the new certificate chain on CipherTrust Manager. This immediately replaces the existing server certificates with the newly generated server certificates.
If not applied manually, the new certificate chain will auto-apply when the CA expires.
See Renewing Local CA certificate for details.
How to Change External CA
To use an external CA as a trusted entity:
Log on to CipherTrust Manager as a user in the Admins group, such as admin.
Navigate to CA > External.
Click + Add External CA.
Specify a Display Name.
Specify a certificate (upload or paste).
Upload: Select File Upload > Upload Certificate to upload the certificate file.
Paste: Select Text and paste the certificate content in the text field.
Click Add External CA.
See Adding an External CA for details.
How to Renew the Client Certificates
Renewing the Local CA
Client certificates are automatically renewed starting 60 days before expiration. The agent retries daily until successful.
You can also renew the client certificates manually:
Linux:
./vmutil -a vmd renewcerts
Windows:
vmutil -a vmd renewcerts
(vmutil is located at C:\Program Files\Vormetric\DataSecurityExpert\agent\vmd\bin)
Renewing the External CA
Client certificates from an external CA are not automatically renewed. To renew:
Place the new certificate and key files in the designated folder on the client.
Run the following command:
Linux:
./vmutil -a vmd updatecerts
Windows:
vmutil -a vmd updatecerts
(vmutil is located at C:\Program Files\Vormetric\DataSecurityExpert\agent\vmd\bin)