How to Configure the External CA for CTE
CipherTrust Transparent Encryption can now use an external certificate, available at a user-defined path, to communicate with CipherTrust Manager.
Prerequisites
The external certificate must be on the file system and in the PEM format.
A key pair must already exist for the client and:
Must use either the sha256WithRSAEncryption or the ecdsa-with-SHA384 signature algorithm
Must be encrypted with a passphrase
Initial Setup
Obtain your external CA certificate.
Create a client certificate signed with the external CA certificate and key.
CipherTrust Manager Setup
To set up CipherTrust Manager to communicate through an external certificate:
Import the CA certificate into the CipherTrust Manager:
Navigate to CA > External > Add External CA.
In the dialog, paste the content of <ca_certificate_name>.pem and provide a user-friendly name.
See Using an Externally Generated Server Certificate for an Interface for more information.
Add the CA certificate to trusted sources for the web interface. Go to Admin Settings > Interfaces > web > Edit > External Trusted CAs.
Restart the web server. Navigate to Admin Settings > Services > web > Restart.
Create a Registration Token for the CTE agent.
CTE Agent Setup
Create a directory on the system to hold required files, for example:
Linux/AIX: /root/cert_files
Windows: c:\temp\cert_files
Copy or create the following files in the directory:
client_cert.pem
client_key.pem
passphrase (plain text)
(Linux/AIX) Set the environment variable:
export EXTERNAL_CERT_DIR=/root/cert_files
Registering the Client
If the agent is installed but registration is pending:
Linux/AIX: Run
register_host
Windows: Run
c:\> register_host.exe -extcertdir=c:\temp\cert_files
If the agent is not yet installed, and you want to install it and register the client:
Linux/AIX: Run
./vee-fs-<release>-<build>-<system>.bin
Windows: Run
c:\> installer.exe -extcertdir=c:\temp\cert_files
Post Registration
During registration:
The certificate file is uploaded to the CipherTrust Manager.
The certificate and key files are imported into the CTE PEM store.
The key is decoded using the passphrase and re-encoded securely.
After successful registration, the input files should be removed.
Certificate Renewal
The certificate directory path is stored in agent.conf (via EXTERNAL_CERT_DIR or -extcertdir). About 60 days before expiration, the CTE agent checks for updated certificate files in this directory.
If present, the new certificate is pushed to CipherTrust Manager and applied.
If not, a WARNING is logged (and/or uploaded to CipherTrust Manager, depending on the logging settings) and the check is retried every 24 hours.
To manually update the certificate set, run the following command. Note that this command does not update the saved path in agent.conf for future automatic renewals.
vmutil -a vmd -d <ext_cert_Dir> updatecerts
If you wish to permanently change the directory path for new certificates, you must update the EXTERNAL_CERT_DIR entry in the agent.conf file and then restart the vmd service.
Note
If the certificate is not updated before expiry, communication may fail and re-registration will be required.
The renewed certificate must have exactly the same common name as the original, or CipherTrust Manager will reject it.
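The conditions from the Prerequisites and CTE Agent Setup sections (PEM certificate, one of the two permitted signature algorithms, passphrase-encrypted key, key matching the certificate) and the two constraints in this Note (the 60-day renewal window and the unchanged common name) can all be verified with openssl before running register_host or dropping a renewed certificate into the directory. The script below is an added example, not Thales tooling and not part of the CTE agent. It assumes openssl is on PATH and uses the directory layout and file names from this page (client_cert.pem, client_key.pem, passphrase); the function names check_ext_cert_dir, renewal_due and same_cn are the example's own.

```shell
#!/bin/sh
# Pre-flight check for a CTE external-certificate directory.
# Added example: not Thales tooling and not part of the CTE agent.
# Assumptions: openssl is on PATH and the directory uses the layout the
# procedure describes (client_cert.pem, client_key.pem, passphrase).

# Returns 0 if the directory is ready for register_host / -extcertdir, 1 otherwise.
check_ext_cert_dir() {
  dir=$1
  cert=$dir/client_cert.pem
  key=$dir/client_key.pem
  pass=$dir/passphrase

  for f in "$cert" "$key" "$pass"; do
    [ -f "$f" ] || { echo "missing file: $f" >&2; return 1; }
  done

  # 1. The certificate must be PEM (openssl x509 reads PEM by default).
  openssl x509 -in "$cert" -noout 2>/dev/null \
    || { echo "not a PEM certificate: $cert" >&2; return 1; }

  # 2. Only the two signature algorithms listed under Prerequisites are accepted.
  sigalg=$(openssl x509 -in "$cert" -noout -text 2>/dev/null \
           | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
  case $sigalg in
    sha256WithRSAEncryption|ecdsa-with-SHA384) ;;
    *) echo "unsupported signature algorithm: '$sigalg'" >&2; return 1 ;;
  esac

  # 3. The private key must be passphrase-encrypted. Both PKCS#8
  #    ("BEGIN ENCRYPTED PRIVATE KEY") and legacy PEM ("Proc-Type: 4,ENCRYPTED")
  #    carry the word ENCRYPTED; a plaintext key carries neither.
  grep -q 'ENCRYPTED' "$key" \
    || { echo "private key is not passphrase-encrypted: $key" >&2; return 1; }

  # 4. The passphrase file must actually open the key, and the key must
  #    belong to the certificate (compare the two public keys).
  key_pub=$(openssl pkey -in "$key" -passin "file:$pass" -pubout 2>/dev/null) \
    || { echo "passphrase file does not decrypt $key" >&2; return 1; }
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  [ "$key_pub" = "$cert_pub" ] \
    || { echo "client_key.pem does not match client_cert.pem" >&2; return 1; }

  # 5. Warn (do not fail) if the key or passphrase is readable by others;
  #    the procedure says to remove these inputs after registration anyway.
  for f in "$key" "$pass"; do
    case $(ls -l "$f" | cut -c8) in
      r) echo "warning: $f is world-readable" >&2 ;;
    esac
  done
  return 0
}

# Returns 0 when the certificate expires within the agent's 60-day renewal
# window (when it starts looking for replacement files), 1 otherwise.
renewal_due() {
  if openssl x509 -in "$1" -noout -checkend $((60 * 86400)) >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Returns 0 if two certificates carry the same subject CN, which CipherTrust
# Manager requires of a renewed certificate.
same_cn() {
  a=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
      | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  b=$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253 2>/dev/null \
      | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage: sh cte_cert_check.sh /root/cert_files
if [ $# -gt 0 ]; then
  check_ext_cert_dir "$1" && echo "$1: ready for registration"
fi
```

Run it against the directory before registration, and again with same_cn (old certificate first, renewed certificate second) before placing a renewed certificate in the directory the agent polls; a failing check means the agent would either reject the files or, for a changed common name, have them rejected by CipherTrust Manager.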
Reference: Using external certificates for communication between CTE Agent and CipherTrust Manager