Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

CipherTrust Transparent Encryption (CTE)

How to Configure the External CA for CTE

search

Please Note:

How to Configure the External CA for CTE

CipherTrust Transparent Encryption can now use an external certificate, available at a user-defined path, to communicate with CipherTrust Manager.

Prerequisites

  • The external certificate must be on the file system and in the PEM format.

  • A key pair must already exist for the client and:

    • Must have encryption type of either sha256WithRSAEncryption or ecdsa-with-SHA384

    • Must be encrypted with a passphrase

Initial Setup

  1. Obtain your external CA certificate.

  2. Create a certificate using the external CA certificate and key.

CipherTrust Manager Setup

To setup CipherTrust Manager to communicate through an external certificate:

  1. Import the CA certificate into the CipherTrust Manager:

    • Navigate to CA > External > Add External CA.

    • In the dialog, paste the content of <ca_certificate_name>.pem and provide a user-friendly name.

    See Using an Externally Generated Server Certificate for an Interface for more information.

  2. Add the CA certificate to trusted sources for the web interface. Go to Admin Settings > Interfaces > web > Edit > External Trusted CAs.

  3. Restart the web server. Navigate to Admin Settings > Services > web > Restart.

  4. Create a Registration Token for the CTE agent.

CTE Agent Setup

  1. Create a directory on the system to hold required files, for example:

    • Linux/AIX: /root/cert_files

    • Windows: c:\temp\cert_files

  2. Copy or create the following files in the directory:

    • client_cert.pem

    • client_key.pem

    • passphrase (plain text)

  3. (Linux/AIX) Set the environment variable:

    export EXTERNAL_CERT_DIR=/root/cert_files

Registering the Client

  • If the agent is installed but registration is pending:

    • Linux/AIX: Run register_host

    • Windows: Run c:\> register_host.exe -extcertdir=c:\temp\cert_files

  • If the agent is not yet installed, and you want to install it and register the client:

    • Linux/AIX: Run ./vee-fs-<release>-<build>-<system>.bin

    • Windows: Run c:\> installer.exe -extcertdir=c:\temp\cert_files

Post Registration

During registration:

  1. The certificate file is uploaded to the CipherTrust Manager.

  2. The certificate and key files are imported into the CTE PEM store.

  3. The key is decoded using the passphrase and re-encoded securely.

After successful registration, the input files should be removed.

Certificate Renewal

  • The certificate directory path is stored in agent.conf (via EXTERNAL_CERT_DIR or -extcertdir).

  • ~60 days before expiration, CTE agent checks for updated certificate files in this directory.

    • If present, the new certificate is pushed to CipherTrust Manager and applied.

    • If not, a WARNING is logged (and/or uploaded to CipherTrust Manager per the logging settings) and retry occurs every 24 hours.

To manually update the certificate set, run the following command. Note that this command does not update the saved path in agent.conf for future automatic renewals.

vmutil -a vmd -d <ext_cert_Dir> updatecerts

If you wish to permanently change the directory path for new certificates, you must update the EXTERNAL_CERT_DIR entry in the agent.conf file and then restart the vmd service.

Note

  • If certificate is not updated before expiry, communication may fail and re-registration will be required.

  • The renewed certificate must have exactly the same common name as the original, or CipherTrust Manager will reject it.

Reference: Using external certificates for communication between CTE Agent and CipherTrust Manager

On this page