Authentication Settings for NAE, KMIP, Web, and Preboot Interfaces
The Web, KMIP, and NAE interfaces have several options to control authentication to those interfaces.
Note
Refer to Basic Interface Configuration for the following operations:
Viewing interfaces
Enabling/disabling interfaces
Adding/removing interfaces
Changing an interface web port
Effect of updating interface settings
Warning
If you have active NAE, KMIP, or web connections, we recommend that you plan for connection downtime before updating interface settings, especially for updates to the initial default interfaces.
Note
When you update the port of the default interface of NAE, KMIP, and WEB, all nodes in the cluster restart. However, if you update any other setting apart from the port, no node in the cluster restarts.
If you update any setting on the non-default interfaces of NAE, KMIP, and WEB, no node in the cluster restarts.
There are some interface changes that are applied immediately and trigger an automatic services restart. This restart can disrupt running NAE, KMIP, and web connections and cause an immediate downtime of a few minutes. If your CipherTrust Manager is part of a cluster, the interface settings change can also replicate to other nodes, and disrupt running NAE, KMIP, and web connections to those nodes. Therefore, plan for some downtime before updating interfaces.
Interface settings changes that are known to cause an immediate loss of connection are:
Changing the interface mode
Changing any TLS-related setting, including updating minimum/maximum TLS version, trusted CAs, enabled cipher suites, uploading a new server certificate, changing any option for auto-generating the server certificate.
Changing the interface default connection between LDAP or local accounts.
Note
For CCKM DKE TLS connection to work, a dedicated prefix
dke.for hostname is introduced. This hostname communicates with the server without verifying the SSL client certificate. All hostnames mentioned in the SANs of the server certificate start withdke. will not verify the client certificates, that is, thessl_verify_clientwill be disabled. With this setting disabled, the certificate-based authentication will not work.
Other interface changes require a manual Services Restart.
SSL/TLS supported protocols and cipher suites
CipherTrust Manager allows the customers to customize the cipher suites for TLS handshake for the following interfaces:
NAE
KMIP
Web
A cipher suite is a set of algorithms that help secure a network connection that uses Transport Layer Security (TLS). The set of algorithms that cipher suites usually contain include: a key exchange algorithm, an authentication algorithm, a bulk encryption algorithm, and a message authentication code (MAC) algorithm.
When you add an Interface, it is added with the default recommended list of cipher suites. You can customize them by updating an interface.
Note
The protocol has a higher priority than the cipher suites. In other words, if certain protocol is disabled and its respective cipher suites are enabled, then the cipher suites will not be used for communication.
You can not add/remove any cipher suite, however, they can be enabled/disabled from the given list of cipher suites.
Following table details the priority list of cipher suites for the respective Interfaces in the descending order.
| Interface | Cipher Suites Priority List |
|---|---|
| NAE/KMIP | • TLS_AES_256_GCM_SHA384 (TLSv1.3) • TLS_CHACHA20_POLY1305_SHA256 (TLSv1.3) • TLS_AES_128_GCM_SHA256 (TLSv1.3) • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (disabled) • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (disabled) • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (disabled) • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (disabled) • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (disabled) • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (disabled) • TLS_RSA_WITH_AES_128_CBC_SHA256 (disabled) • TLS_RSA_WITH_AES_256_CBC_SHA (disabled) • TLS_RSA_WITH_AES_128_CBC_SHA (disabled) |
| Web | • TLS_AES_256_GCM_SHA384 (TLSv1.3) • TLS_CHACHA20_POLY1305_SHA256 (TLSv1.3) • TLS_AES_128_GCM_SHA256 (TLSv1.3) • ECDHE-ECDSA-AES256-GCM-SHA384 • ECDHE-RSA-AES256-GCM-SHA384 • ECDHE-ECDSA-AES128-GCM-SHA256 • ECDHE-RSA-AES128-GCM-SHA256 • ECDHE-ECDSA-AES256-SHA384 (disabled) • ECDHE-ECDSA-AES128-SHA256 (disabled) • ECDHE-RSA-AES256-SHA384 (disabled) • ECDHE-RSA-AES128-SHA256 (disabled) • ECDHE-ECDSA-AES256-SHA (disabled) • ECDHE-ECDSA-AES128-SHA (disabled) • ECDHE-RSA-AES256-SHA (disabled) • ECDHE-RSA-AES128-SHA (disabled) |
Note
TLS 1.3 ciphers suites are not configurable that is, they cannot be disabled. However, you can disable the TLS protocol as a whole.
The CipherTrust Manager uses an in-built order for TLS ciphers, therefore the order of TLS ciphers cannot be changed to set the preference order.
The cipher suites marked as disabled remain disabled by default as they are considered weak. If required, user can explicitly enable them for use.
If you update the minimum and maximum TLS versions, the cipher suite also gets updated based on the TLS versions. Consider a scenario for a cipher suite where the minimum TLS version is 1.1 and maximum version is 1.3 and the cipher is enabled for TLS 1.1, 1.2, and 1.3. Now, if you update the minimum TLS version to 1.2, ciphers corresponding to TLS 1.1 will be disabled and rest will remain the same.
Following table details the recommended and supported versions of the TLS protocol for the respective Interfaces. The recommended versions are enabled by default.
| Interface | Recommended Version | Supported Version |
|---|---|---|
| NAE/KMIP | • TLSv1.2 • TLSv1.3 | • TLSv1.0 • TLSv1.1 • TLSv1.2 • TLSv1.3 |
| Web | • TLSv1.2 • TLSv1.3 | • TLSv1.2 • TLSv1.3 |
Updating cipher suites using ksctl
To update cipher suite list in an Interface, run:
For Web interface-Syntax
ksctl interfaces modify --name web --tls-ciphers-file <json-file>
Example Request
ksctl interfaces modify --name web --tls-ciphers-file tls-ciphers.json
For NAE interface-Syntax
ksctl interfaces modify --name nae --tls-ciphers-file <json-file>
Example Request
ksctl interfaces modify --name nae --tls-ciphers-file tls-ciphers.json
For KMIP interface-Syntax
ksctl interfaces modify --name kmip --tls-ciphers-file <json-file>
Example Request
ksctl interfaces modify --name kmip --tls-ciphers-file tls-ciphers.json
Format of the JSON File
{
"tls_ciphers": [
{
"cipher_suite": "TLS_AES_256_GCM_SHA384",
"enabled": true
},
{
"cipher_suite": "TLS_CHACHA20_POLY1305_SHA256",
"enabled": true
},
{
"cipher_suite": "TLS_AES_128_GCM_SHA256",
"enabled": true
},
{
"cipher_suite": "ECDHE-ECDSA-AES256-GCM-SHA384",
"enabled": true
},
{
"cipher_suite": "ECDHE-RSA-AES256-GCM-SHA384",
"enabled": true
},
{
"cipher_suite": "ECDHE-ECDSA-AES128-GCM-SHA256",
"enabled": true
},
{
"cipher_suite": "ECDHE-RSA-AES128-GCM-SHA256",
"enabled": true
}
{
"cipher_suite": "ECDHE-ECDSA-AES256-SHA384",
"enabled": false
},
{
"cipher_suite": "ECDHE-ECDSA-AES128-SHA256",
"enabled": false
},
{
"cipher_suite": "ECDHE-RSA-AES256-SHA384",
"enabled": false
},
{
"cipher_suite": "ECDHE-RSA-AES128-SHA256",
"enabled": false
},
{
"cipher_suite": "ECDHE-ECDSA-AES256-SHA",
"enabled": false
},
{
"cipher_suite": "ECDHE-ECDSA-AES128-SHA",
"enabled": false
},
{
"cipher_suite": "ECDHE-RSA-AES256-SHA",
"enabled": false
},
{
"cipher_suite": "ECDHE-RSA-AES128-SHA",
"enabled": false
}
]
}
Example modify TLS version of an interface
Note
The CipherTrust Manager supports TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3.
TLS 1.0 and TLS 1.1 are deprecated and will be discontinued in a future release.
Note
The TLS 1.3 version is supported from CipherTrust Manager 2.3 onward.
ksctl interfaces modify -n <interface name> -e <minimum tls version> -i <maximum tls version>
Here:
<interface name>can be NAE, KMIP, or WEB interface name.<minimum tls version>can betls_1.0,tls_1_1,tls_1_2, ortls_1_3. Support fortls_1_0andtls_1_1will be discontinued in a future release.<maximum tls version>can betls_1.0,tls_1_1,tls_1_2, ortls_1_3. Support fortls_1_0andtls_1_1will be discontinued in a future release.
Example
ksctl interfaces modify -n kmip_all_5697 -e tls_1_2 -i tls_1_3
Response
{
"id": "6199c8d1-f59a-4bd1-8dfd-cf4d43900264",
"name": "kmip_all_5697",
"mode": "tls-cert-and-pw",
"cert_user_field": "CN",
"auto_gen_ca_id": "kylo:kylo:naboo:localca:afdebde8-a5ff-4cbd-9bb2-6dc5186e4c03",
"trusted_cas": {
"local": [
"kylo:kylo:naboo:localca:0a4bf97b-1294-41d2-93cd-d19e6290cfa3",
"kylo:kylo:naboo:localca:b7860db1-b7d1-4163-996e-22b14090d55a",
"kylo:kylo:naboo:localca:afdebde8-a5ff-4cbd-9bb2-6dc5186e4c03"
]
},
"createdAt": "2019-08-28T05:21:05.36768Z",
"updatedAt": "2019-08-28T07:41:38.62511Z",
"default_connection": "local_account",
"port": 5697,
"network_interface": "all",
"interface_type": "kmip",
"kmip_enable_hard_delete": 0,
"minimum_tls_version": "tls_1_2"
"maximum_tls_version": "tls_1_3"
}
Restoring to default TLS cipher suite using ksctl
To restore to the default TLS Cipher suite of an Interface, run:
Example Request
ksctl interfaces restore-default-tls-ciphers --name nae_all_9009
Interface default connection (NAE and KMIP)
NAE and KMIP interfaces may be configured to use a default connection other than local_account for username/password authentication and client certificate authentication. Typically this setting is modified to simplify authentication because the username does not need to provide the connection name. For example, when a user presents their username for authentication without a connection, e.g. jdoe, then the CipherTrust Manager uses the default connection of the interface to authenticate the user. If the default connection is configured as local_account then the user is authenticated as if local_account|jdoe was presented. However, if configured as myldapdomain then the user is authenticated as if myldapdomain|jdoe was presented.
Example - Interface configuration update for KMIP to use a new default connection
ksctl interfaces modify -n kmip -d myldapdomain
Response
{
"id": "476618b4-7310-4783-819f-517c387d2281",
"name": "kmip",
"mode": "tls-cert-pw-opt",
"cert_user_field": "CN",
"auto_gen_ca_id": "kylo:kylo:naboo:localca:0d29d15d-0ddd-444d-8cc5-ffcc85d0928a",
"trusted_cas": {
"local": [
"kylo:kylo:naboo:localca:0d29d15d-0ddd-444d-8cc5-ffcc85d0928a"
],
"external": []
},
"createdAt": "2018-07-09T14:49:43.316319Z",
"updatedAt": "2018-07-09T14:49:50.136975Z",
"default_connection": "myldapdomain"
}
SSL/TLS server certificate (NAE, KMIP, and WEB)
During initial bootstrapping of a new CipherTrust Manager, a new local KeySecure Root CA is automatically generated. This CA is later used to issue a server certificate for the interfaces available in the system. All interfaces and services trust this CA by default, meaning that a client certificate issued from this initial KeySecure Root CA is automatically trusted by the system.
Note
The certificate duration shouldn't be more than the CA duration. However, if the certificate duration exceeds the CA duration, the certificate duration is automatically set to CA's duration.
Trusting the default server certificate
Clients connecting to an interface examine the presented server certificate and match the signing CA against their trust stores. If the server certificate doesn't match, the client might present an error or close the connection. To avoid this mismatch, you can either add the KeySecure Root CA to the client truststore, so that the default server certificate is trusted, or you can upload an external, already trusted server certificate to the CipherTrust Manager interface.
Using an externally generated server certificate for an interface
The CLI tool (ksctl) can be used to upload an external server certificate for a given interface. You can upload a certificate (full chain including server certificate, intermediate CA, and external root CA) and private key or regenerate a self-signed certificate. The certificates (and the private key) can be uploaded in PEM or base64 encoded PKCS12 format. The PKCS12 files are encrypted, therefore the --private-key-password field is required to use them.
The common name (CN) in the certificate must have a valid value.
Note
Currently, we do not support encrypted PKCS8 keys embedded within a PEM file.
To use an externally generated server certificate for an interface
Create the necessary external certificate chain, and combine them into a single PEM or PKCS12 file. The file should include the following certificates and key in the indicated order:
The server certificate.
Any intermediate certificate authorities that sign the server certificate. Start with the intermediate CA that issued the server certificate. Next, add the issuer of the intermediate CA, if any. Continue adding any intermediate CAs higher up the hierarchy, each time adding the issuer of the last certificate you uploaded.
The external root CA that signs any intermediate CAs. If there are no intermediate CAs, add the root CA that issued the server certificate.
The server certificate's private key.
Note
In the PEM format, the server certificate's private key should be included first, and in the PKCS12 format, it should be included last.
It is optional to include the private key in the PEM file if the user has previously generated a CSR. Creating a CSR allows the user to generate the key pair on the CipherTrust Manager and prevents exposing the private key outside of the CipherTrust Manager.
Add the PEM file for the server certificate's issuer to CipherTrust Manager's list of external CAs.
ksctl ca externals upload –-cert-infile mycert.pemView the identifier for the uploaded external CA.
ksctl ca externals list --cert-infile <ca-file-name>Look for the
idfield and copy this value. It is the<external-CA-identifier>in the next step.Change the Trusted CA for the desired CipherTrust Manager interface (nae in this example).
ksctl interfaces modify --name nae --trusted-external-cas <external-CA-identifier>Disable auto-generation of the server certificate for the desired CipherTrust Manager interface (nae in this example). This command sets the auto-generation local CA to an empty string, indicating no autogeneration.
ksctl interfaces modify --name nae --auto-gen-ca-id ""Upload the certificate chain file to the desired interface (nae interface is shown in the example)
ksctl interfaces certificate modify --name=nae --format=pem --file=certchainfile.pem --private-key-password password
Managing the preboot interface server certificate
The preboot interface can have a dynamically generated self-signed certificate or an external certificate. REST API and ksctl communicate with the preboot interface while the disk is encrypted and locked in the preboot state. This interface is only present if disk encryption has been enabled.
If an external certificate is not uploaded, CipherTrust Manager dynamically generates a self-signed certificate for the preboot interface with the default server name preboot.ciphertrustmanager.local.
The preboot interface uses an external certificate if a user uploads one.
View the preboot interface server certificate
Use
ksctl interfaces certificate get --name prebootto return the preboot interface certificate in the CLI.In the web UI:
Navigate to Admin Settings > Interfaces.
Next to the preboot interface, click the corresponding overflow icon (
) and select Certificate Options.Select View Certificate click Ok.
Upload an external server certificate
CipherTrust Manager supports PEM or base64-encoded PKCS#12 format certificates. The private key algorithm must be RSA-2048 or RSA-4096. The certificate file must include the private key. You can include a chain of certificates, in ascending order from server certificate to root certificate authority (CA).
We recommend that you convert a copy of this certificate to DER format, and then provide the DER encoded certificate file to anyone unlocking the disk, to compare the fingerprint with the presented preboot interface certificate.
Use
ksctl interfaces certificate modify --name preboot --file <certificate_file> --format <pem_or_pkcs12>in the CLI.In the web UI:
Navigate to Admin Settings > Interfaces.
Next to the preboot interface, click the corresponding overflow icon (
) and select Certificate Options.Select Upload New Certificate and click Ok.
Select a method to provide the external certificate, File Upload, Text, or Certificate Chain.
Click Choose Certificate File and select the certificate file in your local file system.
This file must include the full certificate chain. The file format must be PEM or PKCS12. The file contents in order must be:
the server certificate
any intermediate CAs starting with the intermediate CA that issued the server certificate,
the root CA
For PEM format, the server certificate's private key is included first, and for PKCS12 the server certificate's private key is included last.
Paste the full text of the certificate into the text box.
This text must include the full certificate chain. The format must be PEM or PKCS12. The text contents in order must be:
the server certificate
any intermediate CAs starting with the intermediate CA that issued the server certificate,
the root CA
For PEM format, the server certificate's private key is included first, and for PKCS12 the server certificate's private key is included last.
Click Build Certificate Chain.
The Add Certificate Chain dialog displays.
Provide the Server Certificate as a File Upload or Text.
Click Next.
Add any Intermediate CAs which sign the server certificate. Skip this step if there are no intermediate CAs.
You can provide an intermediate CA as a File Upload or Text. Click Add Another to add each additional intermediate CA.
Click Next.
Provide the Root CA as a File Upload or Text.
Click Next.
Provide the server certificate's Private Key as a File Upload or Text.
Click Add Certificate Chain.
Select the Format as PEM or PCKS12.
(Optional) Provide a Password for the private key.
Click Upload Certificate.
Download the preboot interface server certificate in the Web UI
Navigate to Admin Settings > Interfaces.
Next to the preboot interface, click the corresponding overflow icon (
) and select Certificate Options.Select Download Certificate click Ok.
Click Download Certificate to download the certificate to a file or Copy to Clipboard to copy the certificate contents.
Click Close.
Interface modes (NAE, KMIP, and WEB)
The "mode interface" configuration parameter specifies the Interface mode, and must be one of the following:
no-tls-pw-opt: No TLS, allow anonymous logins.
no-tls-pw-req: No TLS, user must supply password.
unauth-tls-pw-opt: TLS, allow anonymous logins, ignore client cert.
unauth-tls-pw-req: TLS, user must supply password, ignore client cert.
tls-pw-opt: TLS, allow anonymous logins, verify client cert.
tls-pw-req: TLS, user must supply password, verify client cert.
tls-cert-pw-opt: Verify client cert, user name taken from client cert, auth request is optional.
tls-cert-and-pw: Verify client cert, password is needed, user name in cert must match user name in authentication request.
The following interface modes verify that the TLS client certificate is signed by one of the trusted CAs:
tls-pw-opt
tls-pw-req
tls-cert-pw-opt
tls-cert-and-pw-req
These interface modes extract the user name from the certificate:
tls-cert-pw-opt
tls-cert-and-pw-req
The interface mode can be changed using the API or the CLI "ksctl interfaces modify" command.
Interface modes for each interface type
nae: All modes are allowed. Default is
unauth-tls-pw-opt.tls-pw-reqandtls-cert-and-pware recommended for user delegation flows.tls-cert-pw-optis recommended for user impersonation flows.Warning
The client validation will be mandatory for all NAE clients in the future release leading to deprecation of the following interface modes:
TLS, ignore client cert, allow anonymous logins
TLS, ignore client cert, user must supply password
Therefore, it is recommended not to use the above mentioned modes.
web: The only allowed mode is
tls-cert-opt-pw-opt.kmip: Only following modes are allowed:
tls-cert-pw-opt- This setting is recommended for user impersonation flowstls-cert-and-pw- recommended for user delegation flowstls-pw-opt
Username location in certificate (NAE, KMIP, and WEB)
The cert_user_field parameter specifies how the user name is extracted from the client certificate. The default value is CN. This parameter must be one of the following:
CN: Common Name
OU: Organizational Unit
SN: Surname
E: Email address
E_ND: Email without domain; the data to the left of the @ sign in the email address is taken as the user name
UID: User ID
For KMIP, the cert_user_field parameter options are only available when Auto Registration is enabled on the interface.
Note
For WEB, only CN is supported.
Certificate signing requests (CSR for NAE, KMIP, and WEB)
CSR provides you the ability to not expose private key for certificates created on the CipherTrust Manager for the Interfaces.
Adding a CSR
To add a CSR, run:
Syntax
ksctl interfaces csr add --name <interface-name> --common-name <common-name> --dns-name <dns-names-comma-separated> --email-address <email-addresses-comma-separated> --ip-address <ip-addresses-comma-separated> --csr-name <names-comma-separated> --csr-out-file <csr-file>
Example Request
ksctl interfaces csr add --name kmip --common-name admin
Example Response
{
"csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIIEVTCCAj0CAQAwEDEOMAwGA1UEAxMFYWRtaW4wggIiMA0GCSqGSIb3DQEBAQUA\nA4ICDwAwggIKAoICAQDMo2aufRd1vB3F1tiGnQdRokmsXGc4nTMYVkYrNn1zqTqK\nJxLy1KY0/I07V+yWsZnbkXoieggBEo48FjqD2HDsr3K4BCSJOLkfW6velFGU+7+8\n6ei8eXZNJcBND6/RGRpe2Dz3xr17I4dbW4uoJhoPZeai3It2yPhWlvIDc7sah59l\nXTzKzuaAH24d6sJSD1OU0PN5SvGNw/v1D7VJoqsRrcytnhgCVav160ZWH24Pu4ty\nhBK2wi+ElhRlQSScA7h8s2BTFD/EG+TR2IinjAqNgCo4UspVJnADOGYkMJnSQlzl\nJFf1VIMEAJQ2lnRYzpDOdbit/6jSZgqlXUmt1PZE5LOxWCQ0yXNEUJtP/++K6CSl\nspVHGVwhWpD81tTwSYHq3Sx/aVvA/LSkfuOKgDFyclmxSM4o6qmKMYfanYyqaD9k\nTI/Xuf2aWrDWBRB3KqeKuVYj99tcTdcYbeYl4BeseAA8RJj5DOjLhnEAkgQWZN5O\nulT+uvBhCgVJaXPOJfIeGDnJkCeeAx1oa9RXztZItncUAvEWvS9Lvfl0YXnH9axf\n7ofqHhdocMX6w0yE42dGaqQQFWZCKsb+vUb2DaJrZCLQqoMitmHdMY+eOQacnxhN\niGzN43oEspGBaIxKFRFm/ZTvZc6hHCfhe6Uk6xqGUPgsIyzofoVsdarOq563MwID\nAQABoAAwDQYJKoZIhvcNAQENBQADggIBAGWhiUGy1TywCnScen8P1AkS+qUVKksR\niWP313J+3YW26aNfCtdsHdEzRCD/p/um8K6q5gEStdQRwMb0KaMdDYJTRR+1Wfi9\nT3xio6rVQbkBSgl6amCF36yuCX2QiHI2PfpBhTnV5Q16YOtjqLg+M2rxYMIKUpuB\nCsAmBbV2lRkl4M2vdP6GIjUuY/mAIRCh23cPeKaMi6vQthoMDRvBnybuZoh8YbEn\nbQ7tJbj0R/33zHRBUAUvNuN4qFSdOTB0icOnomFvOHGTe1ebDoR+jABCeS+ndePn\nIqf9hDi59NJQeR5huvbQa5gJMu1KMz1Hx4gQ2zTvHxS4K8VYFE4SMfpd8gNNKbJF\nVh2j+Mv3m5HPvwiGawEZAxZyRipyQ4GHc9pTCDdpfdyAfqOd3ogwEElnf2DfBb5x\n7mfiruOrcqQ9Kz6xYx2Xb0B3pSxTo5UamtL+ct5cabd+xQrhM7y2m5n8vvOkSne3\n+JH9wh7oMx3qRGzxS/aO9Fm6lGkE24f4QyO5KUHniD6Cl0E+mloMSIwb0hpX+zZf\nXs5v9JUAyaoiEeNsFsf01MDeIXuYYeY7x52qBNj8XsKbDeEnS9Fzf+qIX5Z2Lldb\ng0M6p/vXTZ+7YCFqphVnnx10E1BXnWBKDcOCDFXDxZ9clV+uxkVVJHgZFl1rNvyI\n1ATjjOZSmouN\n-----END CERTIFICATE REQUEST-----\n"
}
Note
If CSR parameters are not provided, it will use the default values.
Getting CSRs of an interface
To get the CSR of an Interface, run:
Syntax
ksctl interfaces csr get --name <interface-name> --csr-infile <csr-file>
Example Request
ksctl interfaces csr get --name kmip
Example Response
{
"csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIIEVTCCAj0CAQAwEDEOMAwGA1UEAxMFYWRtaW4wggIiMA0GCSqGSIb3DQEBAQUA\nA4ICDwAwggIKAoICAQDMo2aufRd1vB3F1tiGnQdRokmsXGc4nTMYVkYrNn1zqTqK\nJxLy1KY0/I07V+yWsZnbkXoieggBEo48FjqD2HDsr3K4BCSJOLkfW6velFGU+7+8\n6ei8eXZNJcBND6/RGRpe2Dz3xr17I4dbW4uoJhoPZeai3It2yPhWlvIDc7sah59l\nXTzKzuaAH24d6sJSD1OU0PN5SvGNw/v1D7VJoqsRrcytnhgCVav160ZWH24Pu4ty\nhBK2wi+ElhRlQSScA7h8s2BTFD/EG+TR2IinjAqNgCo4UspVJnADOGYkMJnSQlzl\nJFf1VIMEAJQ2lnRYzpDOdbit/6jSZgqlXUmt1PZE5LOxWCQ0yXNEUJtP/++K6CSl\nspVHGVwhWpD81tTwSYHq3Sx/aVvA/LSkfuOKgDFyclmxSM4o6qmKMYfanYyqaD9k\nTI/Xuf2aWrDWBRB3KqeKuVYj99tcTdcYbeYl4BeseAA8RJj5DOjLhnEAkgQWZN5O\nulT+uvBhCgVJaXPOJfIeGDnJkCeeAx1oa9RXztZItncUAvEWvS9Lvfl0YXnH9axf\n7ofqHhdocMX6w0yE42dGaqQQFWZCKsb+vUb2DaJrZCLQqoMitmHdMY+eOQacnxhN\niGzN43oEspGBaIxKFRFm/ZTvZc6hHCfhe6Uk6xqGUPgsIyzofoVsdarOq563MwID\nAQABoAAwDQYJKoZIhvcNAQENBQADggIBAGWhiUGy1TywCnScen8P1AkS+qUVKksR\niWP313J+3YW26aNfCtdsHdEzRCD/p/um8K6q5gEStdQRwMb0KaMdDYJTRR+1Wfi9\nT3xio6rVQbkBSgl6amCF36yuCX2QiHI2PfpBhTnV5Q16YOtjqLg+M2rxYMIKUpuB\nCsAmBbV2lRkl4M2vdP6GIjUuY/mAIRCh23cPeKaMi6vQthoMDRvBnybuZoh8YbEn\nbQ7tJbj0R/33zHRBUAUvNuN4qFSdOTB0icOnomFvOHGTe1ebDoR+jABCeS+ndePn\nIqf9hDi59NJQeR5huvbQa5gJMu1KMz1Hx4gQ2zTvHxS4K8VYFE4SMfpd8gNNKbJF\nVh2j+Mv3m5HPvwiGawEZAxZyRipyQ4GHc9pTCDdpfdyAfqOd3ogwEElnf2DfBb5x\n7mfiruOrcqQ9Kz6xYx2Xb0B3pSxTo5UamtL+ct5cabd+xQrhM7y2m5n8vvOkSne3\n+JH9wh7oMx3qRGzxS/aO9Fm6lGkE24f4QyO5KUHniD6Cl0E+mloMSIwb0hpX+zZf\nXs5v9JUAyaoiEeNsFsf01MDeIXuYYeY7x52qBNj8XsKbDeEnS9Fzf+qIX5Z2Lldb\ng0M6p/vXTZ+7YCFqphVnnx10E1BXnWBKDcOCDFXDxZ9clV+uxkVVJHgZFl1rNvyI\n1ATjjOZSmouN\n-----END CERTIFICATE REQUEST-----\n"
}
Get Certificate for NAE, KMIP, and WEB Interfaces
To get the certificate for an Interface, run:
Syntax
ksctl interfaces certificate get --name <interface/port> --identifiertype <identfier type> --icertfile <cert-file>
name - specifies name or port number of the interface. The interface name can be "nae", "web", "kmip", or "ssh".
identifiertype - type of the interface identifier. It can be "name" or "port". If not specified, the default interface identifier type will be "name".
icertfile - pipes the certificate to the designated file.
**Example request 1 **
ksctl interfaces certificate get --name nae
Example response 1
{
"certificates": "-----BEGIN CERTIFICATE-----\nMIICajCCAg+gAwIBAgIQX8CTju31Jry7vZyOCoIq+TAKBggqhkjOPQQDAjCBijEL\nMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlRYMQ8wDQYDVQQHEwZBdXN0aW4xNjA0BgNV\nBAkTLTk0NDIgQ2FwaXRhbCBvZiBUZXhhcyBIaWdod2F5IE5vcnRoIFN1aXRlIDQw\nMDEPMA0GA1UEChMGVGhhbGVzMRQwEgYDVQQDEwtDaXBoZXJUcnVzdDAeFw0yMzA0\nMTMwNzEwNTRaFw0yNDA0MTMwNzEwNTRaMIGKMQswCQYDVQQGEwJVUzELMAkGA1UE\nCBMCVFgxDzANBgNVBAcTBkF1c3RpbjE2MDQGA1UECRMtOTQ0MiBDYXBpdGFsIG9m\nIFRleGFzIEhpZ2h3YXkgTm9ydGggU3VpdGUgNDAwMQ8wDQYDVQQKEwZUaGFsZXMx\nFDASBgNVBAMTC0NpcGhlclRydXN0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nxP1SETV3zzuYodXPWGaIT46oJStDQj1dnp8QHTVSZjY6+dNZ/U6ZiOpR+yPlNXFs\nQmDfn/EtC0ViaAqbszQAF6NVMFMwDgYDVR0PAQH/BAQDAgKkMBMGA1UdJQQMMAoG\nCCsGAQUFBwMBMCwGA1UdEQQlMCOBIXRlY2huaWNhbC5zdXBwb3J0QHRoYWxlc2dy\nb3VwLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAmCR6dDLlPoAykXqmSCIbypFFq276\nFKcKRh1QLTrX8ncCIQCblJYOuV+PqLqg+7gwZ5+R6Y1LFsA4PqyPdnTLC6xz6g==\n-----END CERTIFICATE-----\n"
}
It returns the public portion of the certificate in the PEM format.
Example request 2 (identifiertype is set as port)
ksctl interfaces renewal-cert get --name 9000 --identifiertype port
Example response 2
{
"certificates": "-----BEGIN CERTIFICATE-----\nMIICajCCAg+gAwIBAgIQX8CTju31Jry7vZyOCoIq+TAKBggqhkjOPQQDAjCBijEL\nMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlRYMQ8wDQYDVQQHEwZBdXN0aW4xNjA0BgNV\nBAkTLTk0NDIgQ2FwaXRhbCBvZiBUZXhhcyBIaWdod2F5IE5vcnRoIFN1aXRlIDQw\nMDEPMA0GA1UEChMGVGhhbGVzMRQwEgYDVQQDEwtDaXBoZXJUcnVzdDAeFw0yMzA0\nMTMwNzEwNTRaFw0yNDA0MTMwNzEwNTRaMIGKMQswCQYDVQQGEwJVUzELMAkGA1UE\nCBMCVFgxDzANBgNVBAcTBkF1c3RpbjE2MDQGA1UECRMtOTQ0MiBDYXBpdGFsIG9m\nIFRleGFzIEhpZ2h3YXkgTm9ydGgffgfgU3VpdGUgNDAwMQ8wDQYDVQQKEwZUaGFsZXMx\nFDASBgNVBAMTC0NpcGhlclRydXN0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nxP1SETV3zzuYodXPWGaIT46oJStDQj1dnp8QHTVSZjY6+dNZ/U6ZiOpR+yPlNXFs\nQmDfn/EtC0ViaAqbszQAF6NVMFMwDgYDVR0PAQH/BAQDAgKkMBMGA1UdJQQMMAoG\nCCsGAQUFBwMBMCwGA1UdEQQlMCOBIXRlY2huaWNhbC5zdXBwb3J0QHRoYWxlc2dy\nb3VwLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAmCR6dDLlPoAykXqmSCIbypFFq276\nFKcKRh1QLTrX8ncCIQCblJYOuV+PqLqg+7gwZ5+R6Y1LFsA4PqyPdnTLC6xz6g==\n-----END CERTIFICATE-----\n"
}
It returns the public portion of the certificate in the PEM format.
Example request 3 (identifiertype is set as name)
ksctl interfaces renewal-cert get --name nae --identifiertype name
Example response 3
{
"certificates": "-----BEGIN CERTIFICATE-----\nMIICajCCAg+gAwIBAgIQX8CTju31Jry7vZyOCoIq+TAKBggqhkjOPQQDAjCBijEL\nMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlRYMQ8wDQYDVQQHEwZBdXN0aW4xNjA0BgNV\nBAkTLTk0NDIgQ2FwaXRhbCBvZiBUZXhhcyBIaWdod2F5IE5vcnRoIFN1aXRlIDQw\nMDEPMA0GA1UEChMGVGhhbGVzMRQwEgYDVQQDEwtDaXBoZXJUcnVzdDAeFw0ysdsdMzA0\nMTMwNzEwNTRaFw0yNDA0MTMwNzEwNTRaMIGKMQswCQYDVQQGEwJVUzELMAkGA1UE\nCBMCVFgxDzANBgNVBAcTBkF1c3RpbjE2MDQGA1UECRMtOTQ0MiBDYXBpdGFsIG9m\nIFRleGFzIEhpZ2h3YXkgTm9ydGggU3VpdGUgNDAwMQ8wDQYDVQQKEwZUaGFsZXMx\nFDASBgNVBAMTC0NpcGhlclRydXN0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nxP1SETV3zzuYodXPWGaIT46oJStDQj1dnp8QHTVSZjY6+dNZ/U6ZiOpR+yPlNXFs\nQmDfn/EtC0ViaAqbszQAF6NVMFMwDgYDVR0PAQH/BAQDAgKkMBMGA1UdJQQMMAoG\nCCsGAQUFBwMBMCwGA1UdEQQlMCOBIXRlY2huaWNhbC5zdXBwb3J0QHRoYWxlc2dy\nb3VwLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAmCR6dDLlPoAykXqmSCIbypFFq276\nFKcKRh1QLTrX8ncCIQCblJYOuV+PqLqg+7gwZ5+R6Y1LFsA4PqyPdnTLC6xz6g==\n-----END CERTIFICATE-----\n"
}
It returns the public portion of the certificate in the PEM format.
Auto-generation of server certificates (NAE, KMIP, and WEB)
By default, the CipherTrust Manager is configured to auto-generate a server certificate for each interface using the initial Local CA. The current certificate becomes the certificate issued by the Local CA. If the Local CA that is used to auto-generate is changed/updated, manually renew and apply the new certificate.
Note
Local CAs for interfaces are often updated when a backup is restored, necessitating manual renewal.
In case of cluster join, the existing Local CA of the new node is overwritten by the Local CAs from the cluster. Therefore, the current certificate of the new node issued by its Local CA becomes unknown to the cluster. As a result, auto-generation happens on the first restart of the new node after it joins the cluster.
Manually regenerating server certificates
To regenerate the server certificate manually for an interface, perform the following steps:
Set the CA ID on the interface for auto generation.
Syntax
ksctl interfaces modify --name <interface-name> --auto-gen-ca-id <ca-id>Example
ksctl interfaces modify --name nae_all_9090 --auto-gen-ca-id kylo:kylo:naboo:localca:cf648c6d-2a0b-4427-a0b6-8f0e9157d15aGenerate the server certificate.
Syntax
ksctl interfaces auto-gen-server-cert --name <interface-name> --pending-renewal <true/false>Example
ksctl interfaces auto-gen-server-cert --name nae_all_9090 --pending-renewal falseThe above command updates the interface with the newly generated server certificate using the CA present in the
auto-gen-ca-idfield.If
pending-renewalis set totrue, the certificate will be saved as an upcoming/renewed certificate to be applied later.
Ifpending-renewalis set tofalse(default behavior), the auto-generated server certificate will immediately apply on the server certificate resource and replace the currently active server certificate.
Changing the local CA used for auto-generation
If needed, the Local CA used for auto-generation of the server certificate can be changed. Run the following command:
Example
ksctl interfaces modify --name web --auto-gen-ca-id kylo:kylo:naboo:localca:cf648c6d-2a0b-4427-a0b6-8f0e9157d15a
Response
{
"id": "3b85c5cf-6075-4555-a17c-2a12479081d4",
"name": "web",
"mode": "unauth-tls-opt-pw-opt",
"cert_user_field": "CN",
"auto_gen_ca_id": "kylo:kylo:naboo:localca:cf648c6d-2a0b-4427-a0b6-8f0e9157d15a",
"trusted_cas": {
"local": [
"kylo:kylo:naboo:localca:cf648c6d-2a0b-4427-a0b6-8f0e9157d15a"
],
"external": []
},
"createdAt": "2018-07-06T16:10:23.705291Z",
"updatedAt": "2018-07-06T17:15:38.285859Z"
}
Disabling auto-generation of server certificate
To disable the auto-generation feature, run the following command:
Syntax
ksctl interfaces modify --name web --auto-gen-ca-id ""
Response
{
"id": "3b85c5cf-6075-4555-a17c-2a12479081d4",
"name": "web",
"mode": "tls-cert-opt-pw-opt",
"cert_user_field": "CN",
"auto_gen_ca_id": "",
"trusted_cas": {
"local": [
"kylo:kylo:naboo:localca:cf648c6d-2a0b-4427-a0b6-8f0e9157d15a"
],
"external": []
},
"createdAt": "2018-07-06T16:10:23.705291Z",
"updatedAt": "2018-07-06T17:16:41.119686Z"
}
Note
The auto-generation feature is automatically disabled if an external CA chain and server certificate are uploaded to the interface.
Customizing auto-generation of interface certificate
To supply custom fields for auto-generation of an interface certificate, specify --local-auto-gen-attributes-file in the ksctl interfaces modify command. For example, run:
ksctl interfaces modify --local-auto-gen-attributes-file <local-auto-gen-attributes-file-name>.json
The --local-auto-gen-attributes-file option specifies a file that contains attributes for auto-generation of a given interface. This provides an option to supply custom fields for automatic interface certification generation.
These parameters are for the local node only and have no effect on other nodes in a cluster. Without customization, the system default values are used, or taken from cloud-init, if applicable.
Content of a sample local auto-generation attributes file is:
{
"cn": "KeySecure Server on ks.eng.thalesgroup.com",
"dns_names": [
"ks.eng.thalesgroup.com",
"ks-ha.eng.thalesgroup.com"
],
"email_addresses": [
"admin1@eng.thalesgroup.com",
"admin2@eng.thalesgroup.com"
],
"ip_addresses": [
"10.3.111.11",
"10.3.111.22"
],
"names": [
{
"C": "US",
"ST": "CA",
"L": "San Jose",
"O": "Thales CPL",
"OU": "Engineering"
}
]
}
If fields for the auto-generation of an interface certificate are changed, on restart a new server certificate gets generated based on the new attributes and signed by the CA specified in the auto-gen-ca-id field.
Managing renewal server certificate
When a server certificate, or one of its signing CAs, is about to expire, we need to advertise to the service consumers (the clients) that a new replacement certificate chain will be coming soon. This allows the clients to prepare upfront to accept both old and new server CA chains in order to avoid any downtime when the server certificate actually switches to the new one.
Therefore, a mechanism is available to have an upcoming renewal server certificate for an interface. Each interface can have one upcoming server certificate chain. Clients can check for a renewal certificate, to have the chance to timely download and configure their local trust stores. As well, when the active server certificate expires for an interface, CipherTrust Manager automatically applies the upcoming renewal certificate.
The following operations can be performed:
Put or upload renewal certificate
Get renewal certificate
Delete renewal certificate
Immediately apply renewal certificate
An upcoming renewal certificate must be uploaded to an interface for the get, delete, and apply operations to be available.
Managing Renewal Server Certificate through Web Console UI
Upload renewal server certificate
Login to the root domain as an Application Administrator in the Admins group, such as
admin.Navigate to Admin Settings > Interfaces.
Find relevant interface in the table. NAE clients use the
naeinterface type, KMIP clients use thekmipinterface type, and all other clients use thewebinterface type.Click the ellipsis icon (
) corresponding to the interface you want to retrieve the upcoming certificate.Click Renewal Certificate Options....
Click Upload/Generate.
Click Ok.
Select a method to provide the renewal certificate, File Upload, Text, or Certificate Chain. File Upload and Text are suitable for a server certificate signed by CAs already known to both the CipherTrust Manager and the clients. Certificate Chain is needed if one or more signing CA is not yet known by the CipherTrust Manager or the clients.
Click Choose Certificate File and select the certificate file in your local file system.
This file must full include the full certificate chain. The file format must be PEM or PKCS12. The file contents in order must be:
the server certificate
any intermediate CAs starting with the intermediate CA that issued the server certificate,
the root CA
the server certificate's private key
Note
In the PEM format, the server certificate's private key should be included first, and in the PKCS12 format, it should be included last.
It is optional to include the private key in the PEM file if the user has previously generated a CSR. Creating a CSR allows the user to generate the key pair on the CipherTrust Manager and prevents exposing the private key outside of the CipherTrust Manager.
Paste the full text of the certificate into the text box.
This text must full include the full certificate chain. The format must be PEM or PKCS12. The text contents in order must be:
the server certificate
any intermediate CAs starting with the intermediate CA that issued the server certificate,
the root CA
the server certificate's private key
Note
In the PEM format, the server certificate's private key should be included first, and in the PKCS12 format, it should be included last.
It is optional to include the private key in the PEM file if the user has previously generated a CSR. Creating a CSR allows the user to generate the key pair on the CipherTrust Manager and prevents exposing the private key outside of the CipherTrust Manager.
Click Build Certificate Chain.
The Add Certificate Chain dialog displays.
Provide the Server Certificate as a File Upload or Text.
Click Next.
Add any Intermediate CAs which sign the server certificate. Skip this step if there are no intermediate CAs.
You can provide an intermediate CA as a File Upload or Text. Click Add Another to add each additional intermediate CA.
Click Next.
Provide the Root CA as a File Upload or Text.
Click Next.
Provide the server certificate's Private Key as a File Upload or Text.
Click Add Certificate Chain.
Confirm that the Format dropdown correctly specifies the server certificate as PEM or PKCS12.
Click Upload Certificate.
Get renewal server certificate
Login to the root domain as an Application Administrator in the Admins group, such as
admin.Navigate to Admin Settings > Interfaces.
Find relevant interface in the table. NAE clients use the
naeinterface type, KMIP clients use thekmipinterface type, and all other clients use thewebinterface type.Click the ellipsis icon (
) corresponding to the interface you want to retrieve the upcoming certificate.Click Renewal Certificate Options....
Click Download.
Click Ok.
A dialog pops up displaying the certificate text.
Click Download Certificate to download the certificate as a file or Copy to Clipboard to copy the certificate text.
After you have saved the certificate, click Close.
Delete renewal server certificate
Login to the root domain as an Application Administrator in the Admins group, such as
admin.Navigate to Admin Settings > Interfaces.
Find relevant interface in the table. NAE clients use the
naeinterface type, KMIP clients use thekmipinterface type, and all other clients use thewebinterface type.Click the ellipsis icon (
) corresponding to the interface you want to retrieve the upcoming certificate.Click Renewal Certificate Options....
Click Delete.
Click Ok.
You are prompted with a pop-up to confirm deletion.
Click Delete to confirm.
Apply renewal server certificate
Login to the root domain as an Application Administrator in the Admins group, such as
admin.Navigate to Admin Settings > Interfaces.
Find relevant interface in the table. NAE clients use the
naeinterface type, KMIP clients use thekmipinterface type, and all other clients use thewebinterface type.Click the ellipsis icon (
) corresponding to the interface you want to retrieve the upcoming certificate.Click Renewal Certificate Options....
Click Apply.
Click Ok.
You are prompted with a dialog to confirm that you want to apply the upcoming renewal certificate.
Click Apply.
View renewal server certificate properties
Login to the root domain as an Application Administrator in the Admins group, such as
admin.Navigate to Admin Settings > Interfaces.
Find relevant interface in the table. NAE clients use the
naeinterface type, KMIP clients use thekmipinterface type, and all other clients use thewebinterface type.Click the ellipsis icon (
) corresponding to the interface you want to retrieve the upcoming certificate.Click Renewal Certificate Options....
Click View.
Click Ok.
A pop-up dialog displays the following properties:
issuer
subject
serialNumber
notAfter
notBefore
subjectAlternativeNames
After you have read the properties, click Close.
Managing Renewal Server Certificate through ksctl CLI
All the responses in the sub-sequent sections will contain the certificate chain including the CA.
Upload renewal certificate
To upload a new renewal certificate server and its CA chain:
Example request
ksctl interfaces renewal-cert upload --name nae --file ./serverCertKey.pem --format pem
Make sure not to activate it yet for the interface.
The certificate and its associated key data must be in PEM format or base64 encoded PKCS12 format. The certificate can also include a chain of certificates. For the certificate chain, maintain this order - <server CA> <root CA>.
Example response
{
"certificates": "-----BEGIN CERTIFICATE-----\nMIIEqjCCApKgAwIBAgIQZkQE+oYbUzqL+bmYF2f3VjANBgkqhkiG9w0BAQsFADBa\nMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVFgxDzANBgNVBAcTBkF1c3RpbjEPMA0G\nA1UEChMGVGhhbGVzMRwwGgYDVQQDExNDaXBoZXJUcnVzdCBSb290IENBMB4XDTIz\nMDMyMjA2MTExOVoXDTMzMDMxODA5MzM1OFowDjEMMAoGA1UEAxMDbmFlMIIBIjAN\nBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuB2UJMu2lMYSx181SaLKXxuOrz39\nDFd6yae+fzFYXzyZxudRDeHMSt0knPoV2L3Wsfp8PibtAKHyUK6b8Ego9Ccah16X\nYeOmeehBcYk/IwbUcp0LAW4/4lB/a++Gkd9HPmUmOezbVMOyjk4LoerSLiqfbXIU\nHpbrFcxuTNKjve1ymMMT2LubguXWu6xPB6faZtspn3ZB22FgqT4KPULUrDuiTTJ3\nwXJyKCIEb5kpEIk56u6aE2N+IGQ2gFWN9tHWr6SwjQNm7QhdV63y5+JLMXyHuINf\nLr24fHEBUoSptbu4yhTu5t7hlO5TTKIV/PBjjvbYtt0uYIcQhw3U5qhQWQIDAQAB\no4G3MIG0MA4GA1UdDwEB/wQEAwIDiDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNV\nHRMBAf8EAjAAMB8GA1UdIwQYMBaAFDEexvfPs6aqKYwDCCc6r7dQUEhKMF4GA1Ud\nHwRXMFUwU6BRoE+GTWh0dHA6Ly9jaXBoZXJ0cnVzdG1hbmFnZXIubG9jYWwvY3Js\ncy9iMTk2M2U4NS0wMmUxLTQ2MmQtYTQzNi1hNWUxMWNlY2NhMDEuY3JsMA0GCSqG\nSIb3DQEBCwUAA4ICAQA+4SrI4C42l4C8Aw5CAlbPdLFpOMoABwaCg2p0DqR0Su7E\nXZSZexDxod8w/5aNZAJ2rrHCJqwaDoKehNfaa/fQ/wDhVPkw6Nn2gjn6IEVNpxgU\nBQbE+i0vmU0NnsHF6VEMh3299sf94K9IxHqZbDgogBeBLxtqjvLSsECeoHmMfL2V\n/GfzMXKsiHp97gNwK8Mt6vWA4uJ/ojhK5mUlfRoEp4MyH6IuauLoWMNDGQ9xEmj9\nRYKzZgZsEraS3sOLj3ZWDkpF/tGMAiadqRav9Zyb7/mMJ014RZdpRKMtLFQ/xqnM\nZPsKYj0g+Q9BfK2vRKmTX2phTnjqeoVTy3qB6XxIHItmViURCT0t40tva7Ici89U\nxYanshAtFyCzq+1aMKbt+SeDD6jo2Q4LBNnMTK8liZqMhNUs3A0rz1mTlpUbiLBi\nd4Nz8d55iJxwOMSkbdQvWpoXHJnDEQW9d/9KFgnJu4nR8192Yta5BuxvuZHY57HL\nriA3FJ+VFzZeZpEJOdUIpaAfGcsMBWd+irH+uPA70bcrkIlF+9YCr81LOcv7gY7l\n8cIMrAIkMjY3YMOgXmqxzHq1WeooHKFrtrjYJDL9gVeKn2EmMWCSYY1lKXzZ1pgG\nmdEOyrSYjCYgMyj5vp/Irfl57KwVVUo5DHzVx9fBLWAosKdeXNgyrXwhEUzx9A==\n-----END CERTIFICATE-----\n"
}
Get renewal certificate
To fetch the renewal server certificate:
Syntax
ksctl interfaces renewal-cert get --name <Interface-name> --identifiertype <type of interface identifier>
name - specifies name or port number of the interface. The interface name can be "nae", "web", "kmip", or "ssh".
identifiertype - type of the interface identifier. It can be "name" or "port". If not specified, the default interface identifier type will be "name".
Example request 1
ksctl interfaces renewal-cert get --name nae
Example response 1
{
"certificates": "-----BEGIN CERTIFICATE-----\nMIICajCCAg+gAwIBAgIQX8CTju31Jry7vZyOCoIq+TAKBggqhkjOPQQDAjCBijEL\nMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlRYMQ8wDQYDVQQHEwZBdXN0aW4xNjA0BgNV\nBAkTLTk0NDIgQ2FwaXRhbCBvZiBUZXhhcyBIaWdod2F5IE5vcnRoIFN1aXRlIDQw\nMDEPMA0GA1UEChMGVGhhbGVzMRQwEgYDVQQDEwtDaXBoZXJUcnVzdDAeFw0yMzA0\nMTMwNzEwNTRaFw0yNDA0MTMwNzEwNTRaMIGKMQswCQYDVQQGEwJVUzELMAkGA1UE\nCBMCVFgxDzANBgNVBAcTBkF1c3RpbjE2MDQGA1UECRMtOTQ0MiBDYXBpdGFsIG9m\nIFRleGFzIEhpZ2h3YXkgTm9ydGggU3VpdGUgNDAwMQ8wDQYDVQQKEwZUaGFsZXMx\nFDASBgNVBAMTC0NpcGhlclRydXN0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nxP1SETV3zzuYodXPWGaIT46oJStDQj1dnp8QHTVSZjY6+dNZ/U6ZiOpR+yPlNXFs\nQmDfn/EtC0ViaAqbszQAF6NVMFMwDgYDVR0PAQH/BAQDAgKkMBMGA1UdJQQMMAoG\nCCsGAQUFBwMBMCwGA1UdEQQlMCOBIXRlY2huaWNhbC5zdXBwb3J0QHRoYWxlc2dy\nb3VwLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAmCR6dDLlPoAykXqmSCIbypFFq276\nFKcKRh1QLTrX8ncCIQCblJYOuV+PqLqg+7gwZ5+R6Y1LFsA4PqyPdnTLC6xz6g==\n-----END CERTIFICATE-----\n"
}
It returns the public portion (only public key and CA chain) of the upcoming renewal certificate in the PEM format.
Example request 2 (identifiertype is set as port)
ksctl interfaces renewal-cert get --name 9000 --identifiertype port
Example response 2
{
"certificates": "-----BEGIN CERTIFICATE-----\nMIICajCCAg+gAwIBAgIQX8CTju31Jry7vZyOCoIq+TAKBggqhkjOPQQDAjCBijEL\nMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlRYMQ8wDQYDVQQHEwZBdXN0aW4xNjA0BgNV\nBAkTLTk0NDIgQ2FwaXRhbCBvZiBUZXhhcyBIaWdod2F5IE5vcnRoIFN1aXRlIDQw\nMDEPMA0GA1UEChMGVGhhbGVzMRQwEgYDVQQDEwtDaXBoZXJUcnVzdDAeFw0yMzA0\nMTMwNzEwNTRaFw0yNDA0MTMwNzEwNTRaMIGKMQswCQYDVQQGEwJVUzELMAkGA1UE\nCBMCVFgxDzANBgNVBAcTBkF1c3RpbjE2MDQGA1UECRMtOTQ0MiBDYXBpdGFsIG9m\nIFRleGFzIEhpZ2h3YXkgTm9ydGgffgfgU3VpdGUgNDAwMQ8wDQYDVQQKEwZUaGFsZXMx\nFDASBgNVBAMTC0NpcGhlclRydXN0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nxP1SETV3zzuYodXPWGaIT46oJStDQj1dnp8QHTVSZjY6+dNZ/U6ZiOpR+yPlNXFs\nQmDfn/EtC0ViaAqbszQAF6NVMFMwDgYDVR0PAQH/BAQDAgKkMBMGA1UdJQQMMAoG\nCCsGAQUFBwMBMCwGA1UdEQQlMCOBIXRlY2huaWNhbC5zdXBwb3J0QHRoYWxlc2dy\nb3VwLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAmCR6dDLlPoAykXqmSCIbypFFq276\nFKcKRh1QLTrX8ncCIQCblJYOuV+PqLqg+7gwZ5+R6Y1LFsA4PqyPdnTLC6xz6g==\n-----END CERTIFICATE-----\n"
}
It returns the public portion (only public key and CA chain) of the upcoming renewal certificate in the PEM format.
Example request 3 (identifiertype is set as name)
ksctl interfaces renewal-cert get --name nae --identifiertype name
Example response 3
{
"certificates": "-----BEGIN CERTIFICATE-----\nMIICajCCAg+gAwIBAgIQX8CTju31Jry7vZyOCoIq+TAKBggqhkjOPQQDAjCBijEL\nMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlRYMQ8wDQYDVQQHEwZBdXN0aW4xNjA0BgNV\nBAkTLTk0NDIgQ2FwaXRhbCBvZiBUZXhhcyBIaWdod2F5IE5vcnRoIFN1aXRlIDQw\nMDEPMA0GA1UEChMGVGhhbGVzMRQwEgYDVQQDEwtDaXBoZXJUcnVzdDAeFw0ysdsdMzA0\nMTMwNzEwNTRaFw0yNDA0MTMwNzEwNTRaMIGKMQswCQYDVQQGEwJVUzELMAkGA1UE\nCBMCVFgxDzANBgNVBAcTBkF1c3RpbjE2MDQGA1UECRMtOTQ0MiBDYXBpdGFsIG9m\nIFRleGFzIEhpZ2h3YXkgTm9ydGggU3VpdGUgNDAwMQ8wDQYDVQQKEwZUaGFsZXMx\nFDASBgNVBAMTC0NpcGhlclRydXN0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE\nxP1SETV3zzuYodXPWGaIT46oJStDQj1dnp8QHTVSZjY6+dNZ/U6ZiOpR+yPlNXFs\nQmDfn/EtC0ViaAqbszQAF6NVMFMwDgYDVR0PAQH/BAQDAgKkMBMGA1UdJQQMMAoG\nCCsGAQUFBwMBMCwGA1UdEQQlMCOBIXRlY2huaWNhbC5zdXBwb3J0QHRoYWxlc2dy\nb3VwLmNvbTAKBggqhkjOPQQDAgNJADBGAiEAmCR6dDLlPoAykXqmSCIbypFFq276\nFKcKRh1QLTrX8ncCIQCblJYOuV+PqLqg+7gwZ5+R6Y1LFsA4PqyPdnTLC6xz6g==\n-----END CERTIFICATE-----\n"
}
It returns the public portion (only public key and CA chain) of the upcoming renewal certificate in the PEM format.
Delete renewal certificate
To delete the previously uploaded upcoming renewal certificate for the specified interface:
Example request
ksctl interfaces renewal-cert delete --name nae
There will be no response if the certificate deleted successfully.
Apply renewal certificate
To immediately replace the existing or in-use certificate of the specified interface with the upcoming renewal certificate:
Example request
ksctl interfaces renewal-cert apply -n nae
There will be no response if the renewal certificate applies successfully.
Trusted CAs (NAE, KMIP, and WEB)
Each interface can have a set of either local and/or external trusted CAs for client authentication. By default each interface trusts the initial Local CA for client authentication but it can be modified by updating the interface. Please note that the concept of trusted CAs is only relevant when client authentication is used by updating the interface mode.
If the client provides a complete chain of certificates in the TLS call, the CipherTrust Manager interface must be configured to trust the root CA of the issued certificate. If the request does not contain the CA chain, the server needs to trust the intermediate CAs that issued the client certificate. For example, if the client is registered in the sub-domain "dom1" and tries to connect to the interface using only the client certificate, the connection will not be successful. To establish a connection:
Export the issuer CA of the client certificate from the "dom1".
Add the issuer CA to an external CA in the root domain.
Add the external CA in the interface trusted CAs list explicitly to establish the trust.
Example - configuration update for web interface to trust the set of two local CAs
Example
ksctl interfaces modify --name web --trusted-local-cas kylo:kylo:naboo:localca:d21584bd-7d8e-44a0-9eac-693f2fa32504,kylo:kylo:naboo:localca:cf648c6d-2a0b-4427-a0b6-8f0e9157d15a
Response
{
"id": "3b85c5cf-6075-4555-a17c-2a12479081d4",
"name": "web",
"mode": "tls-cert-opt-pw-opt",
"cert_user_field": "CN",
"auto_gen_ca_id": "kylo:kylo:naboo:localca:cf648c6d-2a0b-4427-a0b6-8f0e9157d15a",
"trusted_cas": {
"local": [
"kylo:kylo:naboo:localca:d21584bd-7d8e-44a0-9eac-693f2fa32504",
"kylo:kylo:naboo:localca:cf648c6d-2a0b-4427-a0b6-8f0e9157d15a"
],
"external": []
},
"createdAt": "2018-07-06T16:10:23.705291Z",
"updatedAt": "2018-07-06T17:35:29.053809Z"
}
Example - configuration update for web interface to trust the set of two external CAs
Example
ksctl interfaces modify --name web --trusted-external-cas kylo:kylo:naboo:localca:d21584bd-7d8e-44a0-9eac-693f2fa32504,kylo:kylo:naboo:localca:cf648c6d-2a0b-4427-a0b6-8f0e9157d15a
Response
{
"id": "3b85c5cf-6075-4555-a17c-2a12479081d4",
"name": "web",
"mode": "tls-cert-opt-pw-opt",
"cert_user_field": "CN",
"auto_gen_ca_id": "kylo:kylo:naboo:localca:cf648c6d-2a0b-4427-a0b6-8f0e9157d15a",
"trusted_cas": {
"local": [],
"external": [
"kylo:kylo:naboo:localca:d21584bd-7d8e-44a0-9eac-693f2fa32504",
"kylo:kylo:naboo:localca:cf648c6d-2a0b-4427-a0b6-8f0e9157d15a"
]
},
"createdAt": "2018-07-06T16:10:23.705291Z",
"updatedAt": "2018-07-06T17:35:29.053809Z"
}
Enforcing Client Validation on NAE Interface
The allow_unregistered flag is added to prohibit the unregistered clients to access the CipherTrust Manager. For new NAE interfaces, the default value of this flag is set to false, however, you can change the value of this flag to true (allowing unregistered clients to access the CipherTrust Manager).
Note
Although the allow_unregistered flag is configurable, but it is recommended not to change the value of the flag from false (default) to true for the new NAE interfaces, or else an alarm will be triggered. This flag is applicable only for NAE interfaces.
For old (legacy), already existing interfaces, the allow_unregistered flag is set to true for backward compatibility. For such interfaces, whenever a connection is established with the CipherTrust Manager, a record gets generated with the following message "Unregistered client found, please register a client. System may go out of compliance." and the connection continues to work.
When allow_unregistered flag is set to false and an unregistered client tries to connect, a record gets generated with the following message "Client registration enforcement enabled. Unregistered client found, please register a new client manually or enable auto registration."
Creating NAE Interface
To create an NAE interface, run:
Syntax
ksctl interfaces create --type <Interface-type> --port <Port> --allow-unregistered <true/false>
Request
ksctl interfaces create --type nae --port 9002 --allow-unregistered true
Response
{
"id": "4540efac-8180-4265-bc81-75d3e1ce26d5",
"name": "nae_all_9002",
"mode": "unauth-tls-pw-req",
"cert_user_field": "CN",
"auto_gen_ca_id": "kylo:kylo:naboo:localca:1804704e-029c-4bd7-9d47-3c947c6d08fd",
"trusted_cas": {
"local": [
"kylo:kylo:naboo:localca:1804704e-029c-4bd7-9d47-3c947c6d08fd"
]
},
"createdAt": "2022-12-01T05:07:46.972399Z",
"updatedAt": "2022-12-01T05:07:46.972399Z",
"default_connection": "local_account",
"port": 9002,
"network_interface": "all",
"interface_type": "nae",
"minimum_tls_version": "tls_1_2",
"maximum_tls_version": "tls_1_3",
"local_auto_gen_attributes": {
"cn": "nae_all_9002.ciphertrustmanager.local",
"dns_names": [
"nae_all_9002.ciphertrustmanager.local"
],
"email_addresses": [
"technical.support@thalesgroup.com"
],
"names": [
{
"C": "US",
"ST": "TX",
"L": "Austin",
"O": "Thales",
"OU": ""
}
],
"generated": false
},
"enabled": true,
"meta": {},
"tls_ciphers": [
{
"cipher_suite": "TLS_AES_256_GCM_SHA384",
"enabled": true,
"configurable": false
},
{
"cipher_suite": "TLS_CHACHA20_POLY1305_SHA256",
"enabled": true,
"configurable": false
},
{
"cipher_suite": "TLS_AES_128_GCM_SHA256",
"enabled": true,
"configurable": false
},
{
"cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"enabled": true,
"configurable": true
},
{
"cipher_suite": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"enabled": true,
"configurable": true
},
{
"cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"enabled": true,
"configurable": true
},
{
"cipher_suite": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"enabled": true,
"configurable": true
},
{
"cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"enabled": false,
"configurable": true
},
{
"cipher_suite": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"enabled": false,
"configurable": true
},
{
"cipher_suite": "TLS_RSA_WITH_AES_128_CBC_SHA256",
"enabled": false,
"configurable": true
},
{
"cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"enabled": false,
"configurable": false
},
{
"cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"enabled": false,
"configurable": false
},
{
"cipher_suite": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"enabled": false,
"configurable": false
},
{
"cipher_suite": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"enabled": false,
"configurable": false
},
{
"cipher_suite": "TLS_RSA_WITH_AES_256_CBC_SHA",
"enabled": false,
"configurable": false
},
{
"cipher_suite": "TLS_RSA_WITH_AES_128_CBC_SHA",
"enabled": false,
"configurable": false
}
],
"allow_unregistered": true
}
Updating NAE Interface
To modify an NAE interface, run:
Syntax
ksctl interfaces modify --type <Interface-type> --port <Port> --allow-unregistered <true/false>
Request
ksctl interfaces modify --type nae --port 9002 --allow-unregistered false
Response
{
"id": "4540efac-8180-4265-bc81-75d3e1ce26d5",
"name": "nae_all_9002",
"mode": "unauth-tls-pw-req",
"cert_user_field": "CN",
"auto_gen_ca_id": "kylo:kylo:naboo:localca:1804704e-029c-4bd7-9d47-3c947c6d08fd",
"trusted_cas": {
"local": [
"kylo:kylo:naboo:localca:1804704e-029c-4bd7-9d47-3c947c6d08fd"
]
},
"createdAt": "2022-12-01T05:07:46.972399Z",
"updatedAt": "2022-12-01T05:08:50.697664Z",
"default_connection": "local_account",
"port": 9002,
"network_interface": "all",
"interface_type": "nae",
"minimum_tls_version": "tls_1_2",
"maximum_tls_version": "tls_1_3",
"local_auto_gen_attributes": {
"cn": "nae_all_9002.ciphertrustmanager.local",
"dns_names": [
"nae_all_9002.ciphertrustmanager.local"
],
"email_addresses": [
"technical.support@thalesgroup.com"
],
"names": [
{
"C": "US",
"ST": "TX",
"L": "Austin",
"O": "Thales",
"OU": ""
}
],
"generated": false
},
"enabled": true,
"meta": {},
"tls_ciphers": [
{
"cipher_suite": "TLS_AES_256_GCM_SHA384",
"enabled": true,
"configurable": false
},
{
"cipher_suite": "TLS_CHACHA20_POLY1305_SHA256",
"enabled": true,
"configurable": false
},
{
"cipher_suite": "TLS_AES_128_GCM_SHA256",
"enabled": true,
"configurable": false
},
{
"cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"enabled": true,
"configurable": true
},
{
"cipher_suite": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"enabled": true,
"configurable": true
},
{
"cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"enabled": true,
"configurable": true
},
{
"cipher_suite": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"enabled": true,
"configurable": true
},
{
"cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"enabled": false,
"configurable": true
},
{
"cipher_suite": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"enabled": false,
"configurable": true
},
{
"cipher_suite": "TLS_RSA_WITH_AES_128_CBC_SHA256",
"enabled": false,
"configurable": true
},
{
"cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"enabled": false,
"configurable": false
},
{
"cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"enabled": false,
"configurable": false
},
{
"cipher_suite": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"enabled": false,
"configurable": false
},
{
"cipher_suite": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"enabled": false,
"configurable": false
},
{
"cipher_suite": "TLS_RSA_WITH_AES_256_CBC_SHA",
"enabled": false,
"configurable": false
},
{
"cipher_suite": "TLS_RSA_WITH_AES_128_CBC_SHA",
"enabled": false,
"configurable": false
}
],
"allow_unregistered": false
}
Interface Certificate Expiration Check
The CipherTrust Manager inspects the expiration date of interface server certificates everyday, at a preset system time to log the record for the following interfaces:
WEB
NAE
KMIP
The CipherTrust Manager then creates list of certificates based on their expiration date:
Certificates whose expiration dates are within 91 days.
This list is logged in the Records section once every week.
Certificates whose expiration dates are within 7 days.
This list is logged in the Records section once every day.
Certificates that are already expired.
This list is logged in the Records section once every day.
You can also create alarm triggers for these records. For more details, go to Creating Alarm Trigger for Interface Certificate Expiration.
Create/modify the NAE interface to mask system groups from NAE requests
Syntax
ksctl interfaces create --type nae --port <port number> --mask-system-groups <bool>
ksctl interfaces modify -n <interface-name> --mask-system-groups <bool>
Here:
<interface name> : It is the name of the interface.
<bool> : It can be either true or false.
<port number> : It can be any positive number for which port is not allocated.
Note
System-defined groups can be masked if the mask_system_groups flag is set to true for the NAE interface. The groups will be masked for:
UserInfoRequest
UserQueryRequest
UserGroupInfoRequest
UserGroupQueryRequest
Example
ksctl interfaces modify -n nae_all_9001 --mask-system-groups true
Response
{
"id": "513abafa-c22c-471f-a6b9-42762efab3dd",
"name": "nae_all_9001",
"mode": "no-tls-pw-opt",
"cert_user_field": "CN",
"default_connection": "local_account",
"port": 9001,
"network_interface": "all",
"interface_type": "nae",
"minimum_tls_version": "tls_1_2",
"maximum_tls_version": "tls_1_3",
"enabled": true,
"meta": {
"nae": {
"mask_system_groups": true
}
}
}
Copying server certificate using use-certificate
The use-certificate command copies the server certificate from one interface to another. To copy the server certificate from the source interface to destination interface, run:
Example
ksctl interfaces use-certificate --name <destination-interface-name> --copy-from <source-interface-name> --pending-renewal <true/false>
Example
ksctl interfaces use-certificate --name nae --copy-from kmip --pending-renewal false
Response
{
"certificates": "-----BEGIN CERTIFICATE-----\nMIIGTzCCBDegAwIBAgIQYJwg3iN+Se9KKqJwaP2cqzANBgkqhkiG9w0BAQsFADBa\nMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVFgxDzANBgNVBAcTBkF1c3RpbjEPMA0G\nA1UEChMGVGhhbGVzMRwwGgYDVQQDExNDaXBoZXJUcnVzdCBSb290IENBMB4XDTIy\nMDgwNzE3MDYwNloXDTI0MTExMDE3MDYwNlowZDELMAkGA1UEBhMCVVMxCzAJBgNV\nBAgTAlRYMQ8wDQYDVQQHEwZBdXN0aW4xDzANBgNVBAoTBlRoYWxlczEmMCQGA1UE\nAxMda21pcC5jaXBoZXJ0cnVzdG1hbmFnZXIubG9jYWwwggIiMA0GCSqGSIb3DQEB\nAQUAA4ICDwAwggIKAoICAQCvzUlnb4VKX02bpXF68YCv4YY85INI5JxXA425lMcL\ntiArftMoP8tBe2uYVlKSPpqUp9X3DALRGNlIKiJfNU6D/E2CENjAbmlgFuE5sBfV\nhlY5QzG8b868gY9JbI+slZgcYUfhR0rcRqAb3TfEhrwKgDDudPIRXpQXBGg3cf+4\npyUU9tPFZaz/rqjHrYGC3wUVuVXFNTTRtjuXk5pmFDViDmzYkDNXwxH/Eu1QOHiX\nooQCUCvXSsDWYPKZ2cRRnc91R7vl63MaeSYO6BBRNMBj6pKQSrcPKWqhciluuGZ7\n/DI2gq6m5nnSnNwrtlQBMUvLM2MZ7bQpP+K2U4R4mJg7TORHY51BVIJ70MNrH+db\nD3A6xYN+v//YFsyXbLnbOgvNchf7cKh0EQy2AS2/78Cn5GVgs1vq/opWl+XvEwuH\noNiG6SDtNbprbdO0L8XiGf63huOMaRSLKgVpv9Toco3uTrjmCOG47/h88ducloIp\n8b8Dg38vboMNakiFy4Z1gOXhvMctWkUn6Pd5gSj+dj6ciVPeiQf6crmvrpreiKcb\nfTvwi23gmPTmiCP12ekJqEnvBXqUeMaFxQbSb542eo5kwA7jKB0vtwVM1FPJHVEm\nCGg0Ia8tS37C9MOq4uRWVc9qIRFghGhNpgDECi2WkRjArnJESXVtZ5u6NrM5uOeo\n7wIDAQABo4IBBTCCAQEwDgYDVR0PAQH/BAQDAgOIMBMGA1UdJQQMMAoGCCsGAQUF\nBwMBMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUWGMDcXupXn4XJ1u1b6qQFL4Y\nV9wwSwYDVR0RBEQwQoIda21pcC5jaXBoZXJ0cnVzdG1hbmFnZXIubG9jYWyBIXRl\nY2huaWNhbC5zdXBwb3J0QHRoYWxlc2dyb3VwLmNvbTBeBgNVHR8EVzBVMFOgUaBP\nhk1odHRwOi8vY2lwaGVydHJ1c3RtYW5hZ2VyLmxvY2FsL2NybHMvYzlhMTkyNDQt\nZDRjZS00NzdkLTg0ZjItZTQ1ZDVlNzQ4MGU1LmNybDANBgkqhkiG9w0BAQsFAAOC\nAgEAFXIxyjuFWovHp8oAtOvAOpFtV7Mt4suBcnubmGW17eonGH7SZaFiV+2JsCQz\nbPrk1hacY3ZAAJhQm1KcIO3GA6D9b8lqyC5QdvdOWehhSEW6GiHzPjoTtk1bpIAo\n39GNOByFkrn1Os5KJf8F86GTX8u4MqXtaSUaHp7ChRK5wrZFve+QJXd5bxe3oW72\ne8sUH13wDLHT80aHJS17S2sbYfwU1pdS8OMYi2wBQBw+G4HUac+qlK02Kd8wo118\nmAx//y8G36muuPBhSUI0QK+DMTrqExu4WHhBMyh0oqxdIzOao5pJe2KtOYky97Pq\nUHmUkM1pESVp/D2F3b42z60LBuhB41+vkHeoJLZtRzGpS7FbzUD7I/w4wV4d5Y34\n44lvi/WDk636ihNG84rnav0fBzxsDuVWwy4i6b+OUBi+69MB/7UsPINF+GOf0h1b\nD46hjKzBbNjJUF0YkikYAkkzhBgn7vh4rJaK/4/pn5rCyMV1s8kaI0cj/t9n4sWE\nHKX/+MzV4dRvHq49A8pFvFd1QQHhUGYvjI8Y2Xq+oKHvcTZi+6t5E4LsC6Mjv4Ml\njC68snW44W1NFyTs5EQ8UimOdahJ47/ixwhibFmqd9XR8EORI7OmkoErpzEAvECZ\n+teWtxaOrKYXRp/iJC8Xemo7d3R1cTvzeIUrQOT6j0GbD3o=\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIFrjCCA5agAwIBAgIQc5E0XlKTJUd/jzRQrApHRTANBgkqhkiG9w0BAQsFADBa\nMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVFgxDzANBgNVBAcTBkF1c3RpbjEPMA0G\nA1UEChMGVGhhbGVzMRwwGgYDVQQDExNDaXBoZXJUcnVzdCBSb290IENBMB4XDTIy\nMDgwNzE3MDYwMFoXDTMyMDgwNTE3MDYwMFowWjELMAkGA1UEBhMCVVMxCzAJBgNV\nBAgTAlRYMQ8wDQYDVQQHEwZBdXN0aW4xDzANBgNVBAoTBlRoYWxlczEcMBoGA1UE\nAxMTQ2lwaGVyVHJ1c3QgUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC\nAgoCggIBAMinbWVEuF/4aNLM9RqjdcTMFWuUonwU0CHHAOP5ID1nt+eAq6zY6RCo\n1/+YFymJJbikzABRtGoIfyJscHt8e5+5qyXRh+eImSBOxk1iWnj/EA9XSkVUqFBE\nlo1nDn/DTHOo+hnYSgnK7+BwP2EdPXdO9P0ne3QXeTm5ZXBvQQVTJgaBLEOmkwLn\npL1+twzRmdsGVQ9DTOOhFktl2e5HnYgNijluSqbEt1UbZxNsG6WsuywqNld28Jt7\nv+CGSzH8B9c8DVCPfxQro0VJzxOG4S2RzNTo3HzHBza+Ct+w9AwJk4tVlnOJ7HMt\nrw1j+rfBtHiL0ISFvYeLdL9TwVT0cYzPX9/kwqGrmKlWs7+CBYS7rYVo5PJ8qLd9\ndCZpWH1dS50ix6fF0X3/bNsEpAeGxhI9XZJ3ojP3h9PMtphGF4auBbybRfKoL7tj\nR7CMEANy+yIDMnEYTrwu3y6KdmAPpaOwIwk9dM6YGjS2a5tANcVTkoAsatfwUFA9\nNVP48Lu5fkHpCLdWvwpBQXHEHxwWFgys1+DYixj+ewl2d8vFzwBoY0gHQ11fgKIF\nF7h9NaLii2cvqpmFzRQP1eRtZ/I0kc/SyU1crpNwXSvdp31fWnxMTspGHAADbL4q\nK2KDdqr4zdiPA1BxinJcg1cpfLYRcPQP7tH45TjCxZNJsmZ0f4wLAgMBAAGjcDBu\nMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRYYwNx\ne6lefhcnW7VvqpAUvhhX3DAsBgNVHREEJTAjgSF0ZWNobmljYWwuc3VwcG9ydEB0\naGFsZXNncm91cC5jb20wDQYJKoZIhvcNAQELBQADggIBAIyY4uYqW19SgyQf22A9\ncoDBiGmp97BPbL+jUM+rWhf9ytEOt0tU7e+bVi77l6ItZEl9JMf1U6XJnPX15R6r\nrCiWzKa9nSnZmSt+D62+dNYvvx3wP7zc8OlW2ckkP+8dXnGEWlDLa+BFCHbbth9C\nrB7kBCuydS1a+6QQxUS4ny5APPtwZs7gKhcOW9ExNOouuLWJ/1Zye46Z+4PCEFpn\nOFk9zFjcTuMO4l4gTLJwKvqRd/dlT1MnIc+xMUjyQ8M77zWJhC3iysssHNWRdNxU\nVJCyOezrbV/ZMQA2VVw9/6FfZfQXyynMSBduYXO7g7SVdYfNaTvpCyGHwOFQGuuy\nJzKnH6jG1u7qRF6JhKCPQwVNOmIyDENTGIhkxKnxZGNgssk7mpXnBmvK4wXOmC96\nm1Re5auo6hoorsk3JFPbgTT2zSZmwGf7CuzMuH+ZTvhlnJNdpqrkGffAdEe7rMPT\nBqVCS1iB9Isq1lJBPbGlfcIXBDpKUdLHmZ+CNlHOPMqeYUJO89yd/CV8LQbN++ns\nagicBOm8UF0kFZmihydenrw7hC5GKEO5r9rXv6YV9nC6RAREC5Ai7DPdsQG/eVaw\n7f/KKWtmTBYSSajo82xL/9C1E7NGqigfaq0Ly3dAjFzHKRZMEt/rAmL9oD9XNuSl\nRWO6+JZN7BEXo5Uiuajg7kyW\n-----END CERTIFICATE-----\n"
}
In the response above, you can see the copied server certificate from the kmip interface.
If pending-renewal is set to true, the certificate will be saved as an upcoming/renewed certificate to be applied later
If pending-renewal is set to false (default behavior), the auto-generated server certificate will immediately apply on the server certificate resource and replace the currently active server certificate.
