Certificate Authority
A Certificate Authority (CA) acts as the initially trusted shared entity between peers and issues signed certificates to make it possible for each party to trust the other. The CA issues and installs digital certificates and issues certificate signing requests (CSR).
A certificate generally acts as the identity of a server or client and certificate authorities can be used to issue server and client certificates for setting up trusted communication channels to the CipherTrust Manager system.
CipherTrust Manager distinguishes between local CAs and external CAs. A local CA can issue signed certificates because the private signing key is stored inside the CipherTrust Manager system. An external CA does not store the private key; instead, it is used as a trusted entity for various interfaces and services inside the system, and its certificates are issued externally. It is fine to have a mix of both.
The first time a CipherTrust Manager is started, a new local CipherTrust Manager Root CA is automatically generated. This CA is used to issue initial server certificates for the interfaces available in the system.
An easy way to inspect the certificate chain is to view the certificates in your browser when you connect to the web interface. All interfaces and services will by default trust this CA, meaning that for interfaces that support client authentication, a client certificate issued from this initial CipherTrust Manager Root CA will automatically be trusted by the system. If preferred, it is possible to create new local CAs and/or external CAs and use these instead for the internal interfaces and services.
Creating a Local CA in the Web Console UI
To create a new Local CA, you first generate a CSR, which is then listed as a pending CA. The CSR can then be self-signed, signed by another Local CA, or signed by an External CA. Self-signed certificates become Root CAs, and certificates signed by other CAs become intermediate CAs.
1. Log in as an Application Administrator in the Admins group, such as admin. Navigate to CA > Local.
2. Click + Add Local CA.
3. Provide a Common Name.
4. Examine the Algorithm and Size that determine the private key, and use the dropdown to change the values if desired. The available values are:
   - ECDSA 384 (default)
   - ECDSA 256
   - ECDSA 521
   - RSA 1024
     Caution
     We strongly discourage using RSA 1024, as this algorithm and key length is no longer considered secure enough for this purpose, as outlined in NIST Special Publication 800-131A Revision 2. This key size is only present for backward compatibility.
   - RSA 2048
   - RSA 3072
   - RSA 4096
5. Provide the following optional values:
   - Display Name
   - DNS Names (comma separated)
   - IP Addresses (comma separated)
   - Email Addresses (comma separated)
   - Name (comma separated)
6. Click Add Local CA.
   The CSR is visible in the Pending CAs table. The CipherTrust Manager internally stores the private key associated with the CSR.
7. Sign the CSR to make the new Local CA active. You can self-sign the certificate, sign with another local CA, or sign with an external CA. Self-signed certificates become Root CAs, and certificates signed by other CAs become intermediate CAs.
To self-sign the CSR:
1. Find the desired CSR in the Pending CAs table.
2. Click the corresponding overflow icon and select Self-sign.
   A confirmation pop-up dialog displays.
3. Select a Duration (days) before the CA will expire. The default value is 365.
   Caution
   Whenever a CA expires, all certificates it has issued also expire. This means that if you create a Local CA and use it to issue multiple client and server certificates for access to CipherTrust Manager, when the Local CA is at or near expiry, your organization will need to replace the certificate chain in multiple interfaces and clients to ensure continued communication. Consider how frequently your organization would like to perform this maintenance when setting a CA duration.
4. Click Save.
   The new Local CA is now visible in the Local Certificate Authorities table.
To sign the CSR with another local CA:
1. Find the desired CSR in the Pending CAs table.
2. Click the corresponding overflow icon and select either Copy CSR to copy the CSR contents to the clipboard, or Download CSR to download the CSR as a file.
3. In the Local Certificate Authorities table, find the existing local CA you wish to sign the CSR with. Click the local CA's name.
   The certificates issued by the existing local CA are displayed.
4. Click Upload CSR.
   A pop-up dialog displays to upload and sign the certificate.
5. Enter the Display name you would like for the new CA.
6. In the CSR text field, paste in the text of the CSR.
7. In the Certificate Purpose drop-down, select CA.
8. Select a Duration in days before the new CA will expire.
   Caution
   Whenever a CA expires, all certificates it has issued also expire. This means that if you create a Local CA and use it to issue multiple client and server certificates for access to CipherTrust Manager, when the Local CA is at or near expiry, your organization will need to replace the certificate chain in multiple interfaces and clients to ensure continued communication. Consider how frequently your organization would like to perform this maintenance when setting a CA duration.
9. Click Issue Certificate to issue the CA certificate.
10. Find the new CA certificate in the Certificates issued by table. Click the corresponding overflow icon and select either Copy to copy the CA certificate contents to the clipboard, or Download to download the CA certificate as a file.
11. Navigate back to CA > Local and find the desired CSR in the Pending CAs table. Click the corresponding overflow icon and select Install.
    A pop-up dialog displays to input the signed CA certificate.
12. For Parent CA Type, select Local CA from the drop-down.
13. In the Select Local Parent CA drop-down, select the local CA which signed the CA certificate.
14. In the Certificate text field, paste the text of the signed CA certificate.
15. Click Save.
    The new local CA is now created and visible in the Local Certificate Authorities table.
To sign the CSR with an external CA:
1. Make sure the desired external CA is known to the CipherTrust Manager. Navigate to CA > External to see if the external CA is on the page. If it is not, add the External CA.
2. Navigate back to CA > Local and find the desired CSR in the Pending CAs table. Click the corresponding overflow icon and select either Copy CSR to copy the CSR contents to the clipboard, or Download CSR to download the CSR as a file.
3. Outside CipherTrust Manager, have the External CA sign the certificate. Retain the signed CA certificate.
   Caution
   Whenever a CA expires, all certificates it has issued also expire. This means that if you create a Local CA and use it to issue multiple client and server certificates for access to CipherTrust Manager, when the Local CA is at or near expiry, your organization will need to replace the certificate chain in multiple interfaces and clients to ensure continued communication. Consider how frequently your organization would like to perform this maintenance when setting a CA duration during CSR signing.
4. Navigate back to CA > Local and find the desired CSR in the Pending CAs table. Click the corresponding overflow icon and select Install.
   A pop-up dialog displays to input the signed CA certificate.
5. For Parent CA Type, select External CA from the drop-down.
6. In the Select External Parent CA drop-down, select the external CA which signed the CA certificate.
7. In the Certificate text field, paste the text of the signed CA certificate.
8. Click Save.
   The new local CA is now created and visible in the Local Certificate Authorities table.
Creating a Local CA in ksctl CLI
When creating a new local CA, it remains pending until signed:
```shell
ksctl ca locals create --cn "Test CA" --csr-outfile csrfile
```
This returns a CSR. The key remains with the CipherTrust Manager. This CSR can be self-signed, or signed by another local CA or an external CA.
To self-sign the CA with a one-year duration, use the ID returned in the call above:
```shell
ksctl ca locals self-sign --id 3593c53b-fbeb-4edb-b84d-c85526ae2f83 -x 365
```
Issuing Certificate Signed by Local CA
CipherTrust Manager's local CA can issue certificates for external clients, servers and CAs.
To issue a certificate, you must have a CSR available. The CSR can be created within CipherTrust Manager or obtained externally.
Tip
For the highest level of security, it is recommended to generate the CSR outside the CipherTrust Manager, so that the private key is never exposed. However, you can also Download CSR from a pending CA in the CipherTrust Manager GUI, as the download does not include the private key. This CSR can only be used to issue a certificate for external CAs.
Issue Client Certificate Using ksctl CLI
To issue a certificate for a client, you must have a CSR available.
Use the following ksctl command to create a CSR and private key within CipherTrust Manager:
```shell
ksctl ca csr --cn "My Client" --csr-outfile csrfile --key-outfile keyfile
```
Additionally, you can use the --dns and --ips options to add Subject Alternative Name (SAN) values. If multiple values are specified, separate them with commas:
```shell
ksctl ca csr --cn "My Client" --csr-outfile csrfile --key-outfile keyfile --dns "thalesgroup.com,thalesgroup2.com" --ips 1.1.1.1
```
Note
You cannot add SAN in a default web server certificate post-deployment.
Instead, perform the following steps:
1. Generate a new CSR with the SAN fields. Refer to the above command.
2. Issue a new certificate using the generated CSR. Refer to the below command.
3. Update the web interface by uploading this issued certificate and restart the system.
Once you have a CSR, use the following ksctl command to issue a certificate:
```shell
ksctl ca locals certs issue --ca-id 3593c53b-fbeb-4edb-b84d-c85526ae2f83 --csr-infile csrfile -x 700 -o client
```
The example above issues a certificate for the client purpose. Change the argument of the -o flag to server or cas to issue certificates for the server or external CA purpose. For the complete list of flags (options) available for this command, refer to the CipherTrust Manager CLI guide.
Note
When signing a local CA or a certificate, the validity period is set to start one day (24 hours) before the current date, so the notBefore field reflects that earlier date. This is done to handle differences between time zones. The certificate duration should not exceed the CA duration; if the certificate duration does exceed the CA duration, the certificate duration is automatically set to the CA's duration.
It is also possible to create the CSR and the private key using any other software, as this API is stateless and doesn't store anything within CipherTrust Manager.
Issue Server Certificate using GUI
This procedure describes how to issue a server certificate with the IP SAN field used for caBundle. A similar approach can be used to issue certificates for clients and external CAs.
1. Log on to the CipherTrust Manager GUI.
2. Navigate to CA > CSR Generator.
3. Select the Generic CSR radio button and provide the following details:
   - Common name
   - Algorithm as RSA
   - IP address of the CipherTrust Manager machine
   You may skip the remaining parameters as they are optional.
4. Click Generate CSR and download Private Key.
   Make sure to save the generated CSR and private key.
5. Navigate to CA > Local. The list of available Local CAs is displayed.
6. Click the name of any local CA displayed on the page. The screen listing the certificates issued by that CA is displayed.
7. Click Upload CSR.
8. Provide the Display name and CSR.
9. Select server for Certificate Purpose to issue a certificate for a server.
   Use the client or ca option to issue certificates for clients or external CAs, respectively.
10. Click Issue Certificate.
11. Click the ellipsis icon corresponding to the newly generated certificate and select Download.
12. Save the downloaded certificate.
Use this certificate to authenticate the respective server. See Upload renewal server certificate to learn how to upload a server certificate for interface renewal.
Certificate expiration check
The CipherTrust Manager inspects the expiration date of the following types of certificates every day, at a preset system time, and logs a record:
- Local CA certificates available on CipherTrust Manager
- Certificates issued by a Local CA and available on CipherTrust Manager
- External CA certificates uploaded to CipherTrust Manager
The CipherTrust Manager then creates a list of certificates based on their expiration date:
- Certificates whose expiration dates are within 91 days: this list is logged in the Records section once every week
- Certificates whose expiration dates are within 7 days: this list is logged in the Records section once every day
- Certificates that are already expired: this list is logged in the Records section once every day
Note
Interface settings such as NAE allow you to upload certificates directly. The CipherTrust Manager does not check the expiration dates of these certificates.
You can also create alarm triggers for these records. For more details, go to Creating Alarm Trigger for Certificate Expiration.
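The daily sweep described above, reproduced over certificate records as an added example (not CipherTrust Manager code): it applies the documented 91-day, 7-day and already-expired thresholds to the notAfter field of records in the shape of the ksctl responses shown on this page. The sample records are constructed; only the id, subject, state and notAfter fields are used.

```python
"""Expiration sweep over certificate records in ksctl's JSON shape.

Added example, not CipherTrust Manager code. Thresholds and logging cadences
are the ones the documentation states: within 91 days (logged weekly),
within 7 days (logged daily), already expired (logged daily).
"""
import json
from datetime import datetime, timedelta, timezone

# (label, maximum days remaining, how often the record is logged), most urgent first.
BUCKETS = (
    ("expired", 0, "daily"),
    ("within_7_days", 7, "daily"),
    ("within_91_days", 91, "weekly"),
)

# Constructed sample records. The first reuses the id, subject and notAfter of
# the revoke example on this page; the other two are invented.
SAMPLE_RECORDS_JSON = json.dumps([
    {"id": "2526ebf8-8ac2-4e3b-8c2c-9752c3da536d", "subject": "/CN=admin",
     "state": "active", "notAfter": "2023-05-09T15:13:08Z"},
    {"id": "constructed-0001", "subject": "/CN=kmip-client-1",
     "state": "active", "notAfter": "2023-07-01T00:00:00Z"},
    {"id": "constructed-0002", "subject": "/CN=old-nae-client",
     "state": "revoked", "notAfter": "2022-12-31T23:59:59Z"},
])


def parse_rfc3339_utc(value):
    """Parse the timestamps ksctl prints: UTC with a trailing Z and, in fields
    such as updatedAt, up to nine fractional digits. The fraction is dropped
    by hand because older datetime.fromisoformat() rejects that form."""
    if not value.endswith("Z"):
        raise ValueError("expected a UTC timestamp ending in Z: %r" % value)
    body = value[:-1].split(".", 1)[0]
    return datetime.strptime(body, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def classify(not_after, now):
    """Return (bucket, cadence) for one certificate, or (None, None) if nothing
    would be logged for it yet."""
    remaining = not_after - now
    for label, max_days, cadence in BUCKETS:
        if remaining <= timedelta(days=max_days):
            return label, cadence
    return None, None


def sweep(records_json, now):
    """Group certificate records into the documented expiry buckets.

    `now` may be a datetime or a ksctl-style timestamp string. Returns
    {"expired": [...], "within_7_days": [...], "within_91_days": [...]} with
    (id, subject, cadence) entries. Revoked certificates are still reported,
    because revocation does not change notAfter.
    """
    if isinstance(now, str):
        now = parse_rfc3339_utc(now)
    out = {label: [] for label, _, _ in BUCKETS}
    for rec in json.loads(records_json):
        bucket, cadence = classify(parse_rfc3339_utc(rec["notAfter"]), now)
        if bucket:
            out[bucket].append((rec["id"], rec["subject"], cadence))
    return out


if __name__ == "__main__":
    # A fixed "now" keeps the demonstration reproducible.
    for bucket, entries in sweep(SAMPLE_RECORDS_JSON, "2023-05-03T12:00:00Z").items():
        for cert_id, subject, cadence in entries:
            print("%-15s %-38s %-20s logged %s" % (bucket, cert_id, subject, cadence))
```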
Revoke/resume Certificate Signed by the Local CA
The CipherTrust Manager allows you to revoke/resume the client/server certificates signed by the local CA. You can also revoke/resume the certificates of intermediate CAs.
In addition, you can:
- Publish and maintain the Certificate Revocation List (CRL) for the certificates revoked by the local CA.
- Migrate the revocation status of the certificates from KeySecure Classic to CipherTrust Manager.
- Resume the revoked certificates.
Note
Revocation of a local CA is not supported; only certificates signed by a local CA can be revoked.
You can only resume certificates revoked with the reason "certificateHold" or "Certificate Hold".
Valid Revocation Reasons
You must provide a reason to revoke a certificate. Allowed revocation reasons are defined by RFC 5280.
| Reason Value in Web Console GUI | Reason Value in ksctl CLI, REST API |
|---|---|
| AA Compromise | aAcompromise |
| Affiliation Changed | affiliationChanged |
| CA Compromise | cAcompromise |
| Certificate Hold | certificateHold |
| Cessation of Operation | cessationOfOperation |
| Key Compromise | keyCompromise |
| Privilege Withdrawn | privilegeWithdrawn |
| Remove from CRL | removeFromCRL |
| Superseded | superseded |
| Unspecified | unspecified |
Revoke a Certificate Signed by a Local CA in Web Console UI
1. Log in to the root domain as an Application Administrator in the Admins group, such as admin. Navigate to CA > Local.
2. In the Local Certificate Authorities table, find the Local CA that issued the certificate that you wish to revoke and click on its name.
   The certificates issued by the existing local CA are displayed.
3. Find the certificate to revoke. Click the corresponding overflow icon and select Revoke.
   A pop-up dialog to complete revocation displays.
4. Select a reason for the revocation from the drop-down. Valid reasons are:
   - AA Compromise
   - Affiliation Changed
   - CA Compromise
   - Certificate Hold
   - Cessation of Operation
   - Key Compromise
   - Privilege Withdrawn
   - Remove from CRL
   - Superseded
   - Unspecified
5. Click Revoke to confirm.
   The State of the certificate in the table is a red x, to indicate it is revoked.
Resume a Certificate Signed by a Local CA in Web Console UI
Certificates revoked with the reason "certificateHold" or "Certificate Hold" can be resumed.
1. Log in to the root domain as an Application Administrator in the Admins group, such as admin. Navigate to CA > Local.
2. In the Local Certificate Authorities table, find the Local CA that issued the certificate that you wish to resume and click on its name.
   The certificates issued by the existing local CA are displayed.
3. Find the certificate to resume. Click the corresponding overflow icon and select Resume.
   Tip
   Revoked certificates have a State of a red x icon in the table.
   The State of the certificate in the table changes to a green checkmark, to indicate it is resumed.
Revoke a Certificate Signed by a Local CA in ksctl CLI
Syntax
```shell
ksctl ca locals certs revoke --ca-id <ca-identifier> --id <cert-identifier> --reason <revocation-reason>
```
Example request
```shell
ksctl ca locals certs revoke --ca-id localca-f8aabd4f-6459-4cb0-a26a-dfd88129bd5e --id cert-2526ebf8-8ac2-4e3b-8c2c-9752c3da536d --reason certificateHold
```
Example response
```json
{
  "id": "2526ebf8-8ac2-4e3b-8c2c-9752c3da536d",
  "uri": "kylo:kylo:naboo:certs:2526ebf8-8ac2-4e3b-8c2c-9752c3da536d",
  "account": "kylo:kylo:admin:accounts:kylo",
  "createdAt": "2021-05-10T15:13:08.429514Z",
  "updatedAt": "2021-05-12T06:45:05.421753856Z",
  "cert": "-----BEGIN CERTIFICATE-----\nMIIEuDCCAqCgAwIBAgIQOivQNtvy1bsD+ZtTiktSbjANBgkqhkiG9w0BAQsFADBa\nMQswCQYDVQQGEwJVUzELMAkGA1UECBMCTUQxEDAOBgNVBAcTB0JlbGNhbXAxEDAO\nBgNVBAoTB0dlbWFsdG8xGjAYBgNVBAMTEUtleVNlY3VyZSBSb290IENBMB4XDTIx\nMDUwOTE1MTMwOFoXDTIzMDUwOTE1MTMwOFowJTEOMAwGA1UEAxMFYWRtaW4xEzAR\nBgoJkiaJk/IsZAEBEwMxMjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB\nAQDf0/l5sDKlmZ940mc3YAmpdEHmAPf6kDZgtqpuN9ftXji65WIHywZ5VN/5YYVD\nREdbs96kAdNMNyec8As0E0lbgirxaW2HFOzVcdfUyh8FnQWq4kAcGBdL19gvdEm6\noZOaX6XlKZq3REfvFXjPg3YkhOvmaiF/9WFoVafCplpgpib3kiijd3m1ZUHP+uxW\nkfJ6ddxMs3Qe3gltfmpnjoHY433rzh2CFr/W5wufRKZWmlu2OBwTKJsixJbcRJR1\n93+XVELt6r7UmrycZjmi3RIMkJ0WC+KpkL0ZetYtXL/7IykRkzlqAwKI4mpyJjAS\n/3yQgJKCdSBz80BzmbnDevQ9AgMBAAGjga4wgaswDgYDVR0PAQH/BAQDAgOIMBMG\nA1UdJQQMMAoGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUl4YP\nF8V39/lnMb8i5iDOPtXjQ4owVQYDVR0fBE4wTDBKoEigRoZEaHR0cDovL2tleXNl\nY3VyZS5sb2NhbC9jcmxzL2Y4YWFiZDRmLTY0NTktNGNiMC1hMjZhLWRmZDg4MTI5\nYmQ1ZS5jcmwwDQYJKoZIhvcNAQELBQADggIBAAYsYXivy9vD+WMqs4ceC+W3O8Tx\nIW/jaCHfWZKXr4fk01n1Mh020T67wIKqQXUoTKgp9U7vmNMd/RKrj1NS19lEh8sm\nHxy7/bvcSDXajw2LpsmIRaWeqYgO0qOTluMQMMnSBiLbdgSAXKEAjRMQQvQfzqUV\neTSPWaWzyFbnfhSEfU0s46Xs61gWTfvwclvB40Xk7HKFTNUP/xPIfLlhT4H9J3Bx\nyrWz5bJY1z6Cx95/gXsQptccmYik+WGY7IJofvNJD8ugc1t6SeVG2aEl8fNiuS5a\np9O6ThUcM3MqHcL0cOlqm9+jzs5j8pUWbJ+7lsDS17Y+uFvHEJN8XGXQLhFf3p/4\nvNgyMAmB9uvC5rbqEsCKUgpxkNa0sm0WflVoIQ1h2ku01yqtG8krma9qr4zy+bML\nO6Zk37Vn1/8pUjGYWHIPhjX6e+/wlRIMufyqKg7M/OHlg0S6eOpaX13tXxYNnaVm\ngN2mKfvmN3W6sMdtCKifRNeTcuF5R7ZRWXKqHp00Y6N2Tk2FyZjgWAxUtg7VnLPW\nRfuQBQ/Jud7zVDWxtftv6nmrV1nlqErPPDnRt3D49AD5lj4+JhdzKz47F094T++8\n+rauAODq6i+FZe/05RwSCB1fqWJ8ja9gwAWaBVXfQpIDIY3KFTC2tZhjUUOii++d\nP6WaJc1NqTcWns8H\n-----END CERTIFICATE-----\n",
  "ca": "kylo:kylo:naboo:localca:f8aabd4f-6459-4cb0-a26a-dfd88129bd5e",
  "revoked_reason": "certificateHold",
  "revoked_at": "2021-05-12T06:45:05.421580648Z",
  "state": "revoked",
  "sha1Fingerprint": "C5BF83559D11C81ED84D8F7CC15094DA365D775D",
  "sha256Fingerprint": "11C91396CB62BA28EDAE07E79681C25276C7B93DBA033DF08DEB13D9FDBE353F",
  "sha512Fingerprint": "28C66DAA4775F37B4294964D45BCC9DB8BAD26C24EB4D9370DE6AB3BEF32C4D156D5FC45D98F6201F97F0D5DEBB43BBC6E24A1FE3743F64E5D1F0B9B2B93FCEE",
  "serialNumber": "77322715608031240047279766081599394414",
  "subject": "/CN=admin",
  "issuer": "/C=US/ST=MD/L=Belcamp/O=Gemalto/CN=KeySecure Root CA",
  "notBefore": "2021-05-09T15:13:08Z",
  "notAfter": "2023-05-09T15:13:08Z"
}
```
Resume a Certificate Signed by Local CA in ksctl CLI
Syntax
```shell
ksctl ca locals certs resume --ca-id <ca-identifier> --id <cert-identifier>
```
Example Request
```shell
ksctl ca locals certs resume --ca-id localca-f8aabd4f-6459-4cb0-a26a-dfd88129bd5e --id cert-2526ebf8-8ac2-4e3b-8c2c-9752c3da536d
```
Example Response
```json
{
  "id": "2526ebf8-8ac2-4e3b-8c2c-9752c3da536d",
  "uri": "kylo:kylo:naboo:certs:2526ebf8-8ac2-4e3b-8c2c-9752c3da536d",
  "account": "kylo:kylo:admin:accounts:kylo",
  "createdAt": "2021-05-10T15:13:08.429514Z",
  "updatedAt": "2021-05-12T06:44:54.401005002Z",
  "cert": "-----BEGIN CERTIFICATE-----\nMIIEuDCCAqCgAwIBAgIQOivQNtvy1bsD+ZtTiktSbjANBgkqhkiG9w0BAQsFADBa\nMQswCQYDVQQGEwJVUzELMAkGA1UECBMCTUQxEDAOBgNVBAcTB0JlbGNhbXAxEDAO\nBgNVBAoTB0dlbWFsdG8xGjAYBgNVBAMTEUtleVNlY3VyZSBSb290IENBMB4XDTIx\nMDUwOTE1MTMwOFoXDTIzMDUwOTE1MTMwOFowJTEOMAwGA1UEAxMFYWRtaW4xEzAR\nBgoJkiaJk/IsZAEBEwMxMjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB\nAQDf0/l5sDKlmZ940mc3YAmpdEHmAPf6kDZgtqpuN9ftXji65WIHywZ5VN/5YYVD\nREdbs96kAdNMNyec8As0E0lbgirxaW2HFOzVcdfUyh8FnQWq4kAcGBdL19gvdEm6\noZOaX6XlKZq3REfvFXjPg3YkhOvmaiF/9WFoVafCplpgpib3kiijd3m1ZUHP+uxW\nkfJ6ddxMs3Qe3gltfmpnjoHY433rzh2CFr/W5wufRKZWmlu2OBwTKJsixJbcRJR1\n93+XVELt6r7UmrycZjmi3RIMkJ0WC+KpkL0ZetYtXL/7IykRkzlqAwKI4mpyJjAS\n/3yQgJKCdSBz80BzmbnDevQ9AgMBAAGjga4wgaswDgYDVR0PAQH/BAQDAgOIMBMG\nA1UdJQQMMAoGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUl4YP\nF8V39/lnMb8i5iDOPtXjQ4owVQYDVR0fBE4wTDBKoEigRoZEaHR0cDovL2tleXNl\nY3VyZS5sb2NhbC9jcmxzL2Y4YWFiZDRmLTY0NTktNGNiMC1hMjZhLWRmZDg4MTI5\nYmQ1ZS5jcmwwDQYJKoZIhvcNAQELBQADggIBAAYsYXivy9vD+WMqs4ceC+W3O8Tx\nIW/jaCHfWZKXr4fk01n1Mh020T67wIKqQXUoTKgp9U7vmNMd/RKrj1NS19lEh8sm\nHxy7/bvcSDXajw2LpsmIRaWeqYgO0qOTluMQMMnSBiLbdgSAXKEAjRMQQvQfzqUV\neTSPWaWzyFbnfhSEfU0s46Xs61gWTfvwclvB40Xk7HKFTNUP/xPIfLlhT4H9J3Bx\nyrWz5bJY1z6Cx95/gXsQptccmYik+WGY7IJofvNJD8ugc1t6SeVG2aEl8fNiuS5a\np9O6ThUcM3MqHcL0cOlqm9+jzs5j8pUWbJ+7lsDS17Y+uFvHEJN8XGXQLhFf3p/4\nvNgyMAmB9uvC5rbqEsCKUgpxkNa0sm0WflVoIQ1h2ku01yqtG8krma9qr4zy+bML\nO6Zk37Vn1/8pUjGYWHIPhjX6e+/wlRIMufyqKg7M/OHlg0S6eOpaX13tXxYNnaVm\ngN2mKfvmN3W6sMdtCKifRNeTcuF5R7ZRWXKqHp00Y6N2Tk2FyZjgWAxUtg7VnLPW\nRfuQBQ/Jud7zVDWxtftv6nmrV1nlqErPPDnRt3D49AD5lj4+JhdzKz47F094T++8\n+rauAODq6i+FZe/05RwSCB1fqWJ8ja9gwAWaBVXfQpIDIY3KFTC2tZhjUUOii++d\nP6WaJc1NqTcWns8H\n-----END CERTIFICATE-----\n",
  "ca": "kylo:kylo:naboo:localca:f8aabd4f-6459-4cb0-a26a-dfd88129bd5e",
  "revoked_at": "0001-01-01T00:00:00Z",
  "state": "active",
  "sha1Fingerprint": "C5BF83559D11C81ED84D8F7CC15094DA365D775D",
  "sha256Fingerprint": "11C91396CB62BA28EDAE07E79681C25276C7B93DBA033DF08DEB13D9FDBE353F",
  "sha512Fingerprint": "28C66DAA4775F37B4294964D45BCC9DB8BAD26C24EB4D9370DE6AB3BEF32C4D156D5FC45D98F6201F97F0D5DEBB43BBC6E24A1FE3743F64E5D1F0B9B2B93FCEE",
  "serialNumber": "77322715608031240047279766081599394414",
  "subject": "/CN=admin",
  "issuer": "/C=US/ST=MD/L=Belcamp/O=Gemalto/CN=KeySecure Root CA",
  "notBefore": "2021-05-09T15:13:08Z",
  "notAfter": "2023-05-09T15:13:08Z"
}
```
Certificate revocation list (CRL)
CRL is a list of certificates that have been revoked by the CA before their scheduled expiration date and should no longer be trusted.
On CipherTrust Manager, when you create a local root CA, one CRL file is created for the CA with the name <local_ca_id>.crl. It is mandatory to pass valid DNS names while creating the local root CA to ensure that the CRL URL is accessible. If DNS names are not provided, the default name keysecure.local is used. When a new certificate is issued by the local root CA, the certificate contains the URL of the CRL. You can check the URL of the CRL in the certificate under CRL Distribution Points by decoding it, and can download the CRL file from the URL.
The CRL can only be decoded and accessed through the command line.
Example: OpenSSL command to decode the certificate and check the URL of the CRL:
```shell
openssl x509 -in intermediate/certs/bob2@example.com.cert.pem -noout -text
```
The relevant part of the output:
```
X509v3 CRL Distribution Points:
    Full Name:
        URI:http://keysecure.local/1d073d93-b156-49ee-8533-e338953fc6d9.crl
```
Steps to download and decode the CRL
Download the CRL from the URL and decode it to check the revocation list:
```shell
openssl crl -in 1d073d93-b156-49ee-8533-e338953fc6d9.crl -noout -text
```
After decoding, you can see the list of revoked certificates. It contains the serial numbers of the revoked certificates. The serial numbers are in hex format, whereas CipherTrust Manager stores the serial numbers in decimal format.
Therefore, to convert a serial number to decimal format, run the following (bc expects the hex digits in upper case, which is how OpenSSL prints them):
```shell
echo "ibase=16; <hex_serial_number>" | bc
```
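An added example (not CipherTrust Manager code) that automates the conversion above: it parses a constructed excerpt of `openssl crl -text` output, converts the hex serials to the decimal form CipherTrust Manager stores, and cross-checks them against records in the ksctl response shape. The first CRL entry is the hex form of the serialNumber in the revoke example on this page; the second entry and the second record are invented.

```python
"""Match serial numbers from a decoded CRL against CipherTrust Manager records.

Added example, not CipherTrust Manager code. `openssl crl -text` prints revoked
serials in upper-case hexadecimal; ksctl and the REST API report
"serialNumber" in decimal. The conversions below are what the documented
`echo "ibase=16; <hex>" | bc` does, plus the reverse direction.
"""
import re

# Constructed excerpt of `openssl crl -in <local_ca_id>.crl -noout -text`.
SAMPLE_CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = MD, L = Belcamp, O = Gemalto, CN = KeySecure Root CA
        Last Update: May 12 06:45:05 2021 GMT
        Next Update: May 19 06:45:05 2021 GMT
Revoked Certificates:
    Serial Number: 3A2BD036DBF2D5BB03F99B538A4B526E
        Revocation Date: May 12 06:45:05 2021 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Certificate Hold
    Serial Number: 0B1D2E3F4A5B6C7D8E9F
        Revocation Date: May 11 09:00:00 2021 GMT
"""

# Constructed records in the shape of the ksctl responses on this page
# (only the fields used here are kept).
SAMPLE_RECORDS = [
    {"id": "2526ebf8-8ac2-4e3b-8c2c-9752c3da536d", "subject": "/CN=admin",
     "serialNumber": "77322715608031240047279766081599394414"},
    {"id": "constructed-0001", "subject": "/CN=kmip-client-1",
     "serialNumber": "1234567890"},
]

# One "Serial Number: <hex>" line per revoked entry in `openssl crl -text` output.
_SERIAL_RE = re.compile(r"^\s*Serial Number:\s*([0-9A-Fa-f:]+)\s*$", re.MULTILINE)


def hex_serial_to_decimal(hex_serial):
    """Hex serial (colon-separated form accepted too) to the decimal string
    CipherTrust Manager stores."""
    return str(int(hex_serial.replace(":", ""), 16))


def decimal_serial_to_hex(decimal_serial):
    """Decimal serial to upper-case hex with an even number of digits, the
    byte-wise form OpenSSL prints."""
    h = "%X" % int(decimal_serial)
    return h if len(h) % 2 == 0 else "0" + h


def revoked_serials(crl_text):
    """Set of revoked serials, as decimal strings, from CRL text output."""
    return {hex_serial_to_decimal(m) for m in _SERIAL_RE.findall(crl_text)}


def cross_check(records, crl_text):
    """Return [(id, subject, hex_serial)] for records whose serial is in the CRL."""
    revoked = revoked_serials(crl_text)
    hits = []
    for rec in records:
        if rec["serialNumber"] in revoked:
            hits.append((rec["id"], rec["subject"],
                         decimal_serial_to_hex(rec["serialNumber"])))
    return hits


if __name__ == "__main__":
    for cert_id, subject, hex_serial in cross_check(SAMPLE_RECORDS, SAMPLE_CRL_TEXT):
        print("revoked in CRL: %s %s serial %s" % (cert_id, subject, hex_serial))
```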
Renewing Local CA certificate
The CipherTrust Manager allows you to renew the local CA certificates in the certificate chain when they are about to expire.
When a local CA in the certificate chain expires, the entire certificate chain validation fails.
In such scenarios, the user has to create a new CA and renew the client/server certificates or both using the new CA.
When to renew
To avoid any service downtime, it is recommended to prepare the new Local CA certificate chain in advance, before the CA expires. During the overlap period, the new server certificate chain, as described in the section below, should be downloaded and added to the trust store in the client's setup.
How to renew in the web console UI
The CA certificate chain renewal process contains the following steps:
1. Create a new local CA using the same attributes as an existing CA.
2. Renew server certificates issued by the original local CA.
3. Renew KMIP client certificates issued by the original local CA.
Note
Only KMIP client certificates can be renewed through the web console UI. Other client types must renew their certificates through the ksctl CLI or REST API.
web console UI: create a new local CA using the same attributes as an existing CA
1. Log in as an Application Administrator in the Admins group, such as admin. Navigate to CA > Local.
2. In the Local Certificate Authorities table, find the local CA to copy attributes from. Click the corresponding overflow icon and select Renew.
   A CSR with the same attributes as the local CA is present in the Pending CAs table.
3. Sign the CSR to make the new Local CA active. You can self-sign the certificate, sign with another local CA, or sign with an external CA. Self-signed certificates become Root CAs, and certificates signed by other CAs become intermediate CAs.
To self-sign the CSR:
1. Find the desired CSR in the Pending CAs table.
2. Click the corresponding overflow icon and select Self-sign.
   A confirmation pop-up dialog displays.
3. Select a Duration (days) before the CA will expire. The default value is 365.
   Caution
   Whenever a CA expires, all certificates it has issued also expire. This means that if you create a Local CA and use it to issue multiple client and server certificates for access to CipherTrust Manager, when the Local CA is at or near expiry, your organization will need to replace the certificate chain in multiple interfaces and clients to ensure continued communication. Consider how frequently your organization would like to perform this maintenance when setting a CA duration.
4. Click Save.
   The new Local CA is now visible in the Local Certificate Authorities table.
To sign the CSR with another local CA:
1. Find the desired CSR in the Pending CAs table.
2. Click the corresponding overflow icon and select either Copy CSR to copy the CSR contents to the clipboard, or Download CSR to download the CSR as a file.
3. In the Local Certificate Authorities table, find the existing local CA you wish to sign the CSR with. Click the local CA's name.
   The certificates issued by the existing local CA are displayed.
4. Click Upload CSR.
   A pop-up dialog displays to upload and sign the certificate.
5. Enter the Display name you would like for the new CA.
6. In the CSR text field, paste in the text of the CSR.
7. In the Certificate Purpose drop-down, select CA.
8. Select a Duration in days before the new CA will expire.
   Caution
   Whenever a CA expires, all certificates it has issued also expire. This means that if you create a Local CA and use it to issue multiple client and server certificates for access to CipherTrust Manager, when the Local CA is at or near expiry, your organization will need to replace the certificate chain in multiple interfaces and clients to ensure continued communication. Consider how frequently your organization would like to perform this maintenance when setting a CA duration.
9. Click Issue Certificate to issue the CA certificate.
10. Find the new CA certificate in the Certificates issued by table. Click the corresponding overflow icon and select either Copy to copy the CA certificate contents to the clipboard, or Download to download the CA certificate as a file.
11. Navigate back to CA > Local and find the desired CSR in the Pending CAs table. Click the corresponding overflow icon and select Install.
    A pop-up dialog displays to input the signed CA certificate.
12. For Parent CA Type, select Local CA from the drop-down.
13. In the Select Local Parent CA drop-down, select the local CA which signed the CA certificate.
14. In the Certificate text field, paste the text of the signed CA certificate.
15. Click Save.
    The new local CA is now created and visible in the Local Certificate Authorities table.
To sign the CSR with an external CA:
1. Make sure the desired external CA is known to the CipherTrust Manager. Navigate to CA > External to see if the external CA is on the page. If it is not, add the External CA.
2. Navigate back to CA > Local and find the desired CSR in the Pending CAs table. Click the corresponding overflow icon and select either Copy CSR to copy the CSR contents to the clipboard, or Download CSR to download the CSR as a file.
3. Outside CipherTrust Manager, have the External CA sign the certificate. Retain the signed CA certificate.
   Caution
   Whenever a CA expires, all certificates it has issued also expire. This means that if you create a Local CA and use it to issue multiple client and server certificates for access to CipherTrust Manager, when the Local CA is at or near expiry, your organization will need to replace the certificate chain in multiple interfaces and clients to ensure continued communication. Consider how frequently your organization would like to perform this maintenance when setting a CA duration during CSR signing.
4. Navigate back to CA > Local and find the desired CSR in the Pending CAs table. Click the corresponding overflow icon and select Install.
   A pop-up dialog displays to input the signed CA certificate.
5. For Parent CA Type, select External CA from the drop-down.
6. In the Select External Parent CA drop-down, select the external CA which signed the CA certificate.
7. In the Certificate text field, paste the text of the signed CA certificate.
8. Click Save.
   The new local CA is now created and visible in the Local Certificate Authorities table.
Take a note of the local CA's name for renewing certificates.
web console UI: renew server certificate using new local CA
To renew the server certificate using the new local CA, perform the following steps:
1. Create a certificate chain and combine the certificates into a single PEM or PKCS12 file. The file should include the following in the indicated order:
   a. Server certificate
   b. Any intermediate certificate authorities that sign the server certificate. Start with the intermediate CA that issued the server certificate. Next, add the issuer of the intermediate CA, if any. Continue adding any intermediate CAs higher up the hierarchy, each time adding the issuer of the last certificate you added.
   c. The root CA that signs any intermediate CAs. If there are no intermediate CAs, add the root CA that issued the server certificate.
   d. The server certificate's private key.
   Note
   In the PEM format, the server certificate's private key should be included first, and in the PKCS12 format, it should be included last.
   It is optional to include the private key in the PEM file if the user has previously generated a CSR. Creating a CSR allows the user to generate the key pair on the CipherTrust Manager and prevents exposing the private key outside of the CipherTrust Manager.
2. Upload the certificate chain to the CipherTrust Manager interface associated with the clients.
   a. Log in to the root domain as an Application Administrator in the Admins group, such as admin. Navigate to Admin Settings > Interfaces.
   b. In the table, find the interface associated with the relevant clients.
      Most clients authenticate to the web interface. NAE clients authenticate to the original nae interface, or additional NAE interfaces created later. KMIP clients authenticate to the original kmip interface, or additional KMIP interfaces created later.
3. For clients, the chain uploaded in the previous step is available to download.
4. Add the downloaded certificate to the client trust store.
   Now, the clients can use this new chain to set up their environment.
5. (Optional) After the clients have been updated with the new certificate chain, apply the new certificate chain on the CipherTrust Manager. This immediately replaces the existing server certificates with the newly generated server certificates.
   If you don't immediately apply the new certificate chain manually on the CipherTrust Manager, the auto-apply option is triggered when the CA expires.
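Added example (not CipherTrust Manager code) for step 1 of the procedure above: it orders the certificates leaf to root by following issuer names, refusing a bag with a missing link or an issuer loop, and writes the PEM bundle with the private key first as the note for the PEM format requires. Subject and issuer names are assumed to be supplied alongside each PEM body (for instance from openssl x509 -noout -subject -issuer); the PEM bodies are constructed placeholders, and the PKCS12 form is not built here.

```python
"""Assemble the renewal chain bundle in the order the procedure requires.

Added example, not CipherTrust Manager code. Input certificates are
(subject, issuer, pem_text) triples; the PEM bodies here are placeholders so
the script runs offline.
"""


def placeholder_pem(kind, label):
    """Constructed PEM-shaped text standing in for a real certificate or key."""
    return "-----BEGIN %s-----\n<%s>\n-----END %s-----\n" % (kind, label, kind)


# Constructed inputs. The CA bag is deliberately unordered and contains an
# unrelated CA so that the ordering step has something to do.
SERVER_CERT = ("/CN=ctm.example.test", "/CN=Issuing CA 2024",
               placeholder_pem("CERTIFICATE", "server cert"))
SERVER_KEY = placeholder_pem("PRIVATE KEY", "server key")
CA_BAG = [
    ("/CN=Root CA 2024", "/CN=Root CA 2024", placeholder_pem("CERTIFICATE", "root")),
    ("/CN=Old Issuing CA", "/CN=Old Root CA", placeholder_pem("CERTIFICATE", "unrelated")),
    ("/CN=Issuing CA 2024", "/CN=Policy CA 2024", placeholder_pem("CERTIFICATE", "issuing")),
    ("/CN=Policy CA 2024", "/CN=Root CA 2024", placeholder_pem("CERTIFICATE", "policy")),
]


def order_chain(server_cert, ca_bag):
    """Return [server, intermediate..., root] by walking issuer -> subject.

    Stops at the first self-signed certificate (subject == issuer). Raises
    ValueError if an issuer is not in the bag or the issuer links loop.
    """
    by_subject = {subject: (subject, issuer, pem) for subject, issuer, pem in ca_bag}
    chain = [server_cert]
    seen = {server_cert[0]}
    current = server_cert
    while current[0] != current[1]:
        issuer = current[1]
        if issuer in seen:
            raise ValueError("issuer loop at %s" % issuer)
        if issuer not in by_subject:
            raise ValueError("no certificate for issuer %s in the bag" % issuer)
        current = by_subject[issuer]
        seen.add(issuer)
        chain.append(current)
    return chain


def build_pem_bundle(server_cert, server_key, ca_bag):
    """PEM bundle for the interface upload: private key first, then the
    certificates from the server certificate up to the root."""
    certs = [pem for _, _, pem in order_chain(server_cert, ca_bag)]
    return "".join([server_key] + certs)


def bundle_subjects(server_cert, ca_bag):
    """Subjects in bundle order, for a quick review before uploading."""
    return [subject for subject, _, _ in order_chain(server_cert, ca_bag)]


if __name__ == "__main__":
    print(bundle_subjects(SERVER_CERT, CA_BAG))
    print(build_pem_bundle(SERVER_CERT, SERVER_KEY, CA_BAG))
```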
web console UI: renew KMIP client certificate using new local CA
Note
Only KMIP client certificates can be renewed through the web console UI. Other client types must renew their certificate certificates through the ksctl CLI or REST API.
Generate a Certificate Signing Request (CSR) for a new client certificate. For the highest level of security, it is usually best for the CSR to be generated externally to CipherTrust Manager so the private key is never exposed. However, an internal CSR utility is available in CA > CSR Generator. The new CSR must have the same subject name as the existing client certificate.
Login to the root domain as an Application Administrator in the Client Admins group, such as admin. Update the client profile associated with the KMIP client to use the new local CA.
Navigate to Access Management > Client Profiles.
Find the name of the client profile. Click the corresponding overflow icon and select View/Edit.
In the Select Local CA dropdown, select the ID of the new local CA.
Click Update.
Navigate to Access Management > Client Hub.
Find the name of the applicable KMIP client in the table. Click the corresponding overflow icon and select Renew Certificate.
A dialog Renew KMIP Client Certificate displays.
Provide details to re-issue the client certificate with the new local CA.
Select Client CSR for the Renewal Type.
Expand the Certificate details section.
Provide the CSR from step 1, either as a file upload or by pasting the CSR contents as text.
Click Renew Certificate.
How to renew in the ksctl CLI
The CA certificate chain renewal process contains the following steps:
Create a new local CA using the same attributes as an existing CA.
Renew client certificates issued by the original local CA.
Renew server certificates issued by the original local CA.
ksctl CLI: create a new local CA using similar attributes as existing CA
The CipherTrust Manager provides a utility that copies the CSR attributes of the old CA while creating a new local CA. Only the key pair and the validity/expiration date are altered. To copy the CSR attributes of the old CA, use the copy_from_ca: <old_ca_id> field.
Example request
ksctl ca locals create --cn example.com --copy-from-ca b1963e85-02e1-462d-a436-a5e11cecca01
Example response
{
"id": "305c1af0-e087-4004-aeba-d59f275ac477",
"uri": "kylo:kylo:naboo:localca:305c1af0-e087-4004-aeba-d59f275ac477",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2023-03-22T07:04:18.33905Z",
"updatedAt": "2023-03-22T07:04:18.33905Z",
"name": "example-CA",
"state": "pending",
"csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIIE1jCCAr4CAQAwUjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlRYMQ8wDQYDVQQH\nEwZBdXN0aW4xDzANBgNVBAoTBlRoYWxlczEUMBIGA1UEAxMLZXhhbXBsZS5jb20w\nggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDR4xfGAJcGT3eg432YHXF7\nm+5Vtm5lDATk6sdDL8oEJFrHNVFtZG8hNdw8hK2pNmbFoKk2DRF8sAPc8t/3KumP\nKZLdzKdhi5V088dOr4crz/pj/zd0r7X3E77WSNr5R+O5kIa/UC9txQBi5TtxsJeo\n45clpIvcNfADVrYdZUtnW/60zuNEreTvKTztlcYaV30aYsDe6qAKR/5jQKlpXWwZ\n4jSrIwE0PRZIoGDhgVPn62dx3Ii3cSaZresr56sfFtVgyn8IQKNqDCGQi+a2c5TC\nTdi5MV/JCi2aPM7I5Tx3bunb1dkYye/tLtP6awT66FUgGTFcGZrg5USkpCLM/GC8\n7GekiL4AY1SyXOWrO98uu8Xkm16iMwGSmAbModr2rNqSKmzSkuZER6JCQ4GstKZS\n13NGUlz9qFivE24QM7eh+acz23eOFVGowAq+gA9atQyrkhVOBu/sT3MpHsOCUB/+\nSBofYFpSzROUQ9rSr/H/dSR/wGKFeNr6NnuR+otESQNe6GwzNWqGdkIyTxq6H47v\n/j1UwYaEWQolj6YtX0MUVR6HNWv5GNXkAGvPbBAP7e6k4+tDJQ3J0Zv8HjN1YUhe\nKo9KhKcVTOMSfd0PCTnD/JIGTlR2KBwmue5QvBRulfozlOPKX07py6NPHgmcdnjQ\n5Fdwia0orliOLD8nj8OGCQIDAQABoD8wPQYJKoZIhvcNAQkOMTAwLjAsBgNVHREE\nJTAjgSF0ZWNobmljYWwuc3VwcG9ydEB0aGFsZXNncm91cC5jb20wDQYJKoZIhvcN\nAQENBQADggIBALy6p5tjaDzg7WJzF5K2eOZ4LNS7Nm71qRNc68wHCU1YViobF8WF\npUAXK/IZ7apKLGIwPT8Sz39r3JDtN00UIAWVxSrnR6PVmiPEjuDICj1wWswSYCoA\nrW8hlUR8Ph5dzzto88vSxJpc2TvfaW6h46/+Day/iKbAjlGrGMiqFA6Prha7aJo6\nGphMfQx7EQWXSqeo3EIDfbZVKwn5zd676yKiyKGSowtR5B6pgftfwbLY6iVldjpX\nxbYjJvbFZk6G1T1LTOZC5YxS4foDj0WyKn7XK6QkJ+VDaHWX76Z9zfnPosHZmWqD\nFFVvnlP0afRi0vKyuLBV6pbQEVrEtgG/uaaxUm1ItYksIVSgjuPLgrLrj46lYUxc\nAbwxJRvtwZNWPfxgrqQeJrN/+5gGU/div4oO8py5Yq75G8o2fBzXbjK9/pYNe0Mo\n5Y01vP3Id5hWHZDNaND1TjxqgzoGGU2vgxN6GTesgsOxjwzunOO6YQTzbHMQ6ZHe\n10xncYrMSiiiLVE6ZvG8SZipODtPvUF2C/EcZmG7VSTqNYw9szc6vu20RlkeBds2\nUuvwv9t069IRfLv6OuSQJNQQuGJhzvFWv068q0spDuAdxPTWYnXnBhKaPC6YNDGE\n6/tjV1ldCwtbfhKesGs16A61u1hkOXbJVZvKFczrZmg0TmcYcG+B2ARs\n-----END CERTIFICATE REQUEST-----\n",
"subject": "/C=US/ST=TX/L=Austin/O=Thales/CN=example.com",
"notBefore": "0001-01-01T00:00:00Z",
"notAfter": "0001-01-01T00:00:00Z",
"sha1Fingerprint": "7666371994B5A8EB88F25925108EEE381629F20A",
"sha256Fingerprint": "48D3918E611D51FB37643146461FBB78B582AF528766C4E76FF2350F6011152F",
"sha512Fingerprint": "491913CB31D2567BFE7EE85B9F01B4D0E63A1B64C06E145EB111002FA6C649F28D4A9C52C307ECF554BC35CF906A1E1EFBB1FD29A9CF193E99144B37CD86E1FE"
}
This operation returns a CSR that can either be self-signed or signed by another CA.
ksctl CLI: renew client certificate using new local CA
After the new local CA is created, renew the client certificate using the new local CA.
For clients that have a profile associated, use the following steps to renew the client certificate:
Update the client profile with the new CA using the ca_id.
Example request
ksctl clientmgmt profiles update --profile-id 2fa716db-2264-473f-86a6-1c0d31c69fdc --ca_id localca-b1963e85-02e1-462d-a436-a5e11cecca01
Example response
{
"id": "2fa716db-2264-473f-86a6-1c0d31c69fdc",
"uri": "kylo:kylo:client-management:generic-client-profiles:ceb226b8-8151-4e26-ab6c-038b4ae797e8",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2023-01-12T17:33:11.690693Z",
"updatedAt": "2023-01-12T23:27:06.275532Z",
"ca_id": "localca-b1963e85-02e1-462d-a436-a5e11cecca01",
"csr_params": {
"csr_city": "example-city",
"csr_cn": "example.com",
"csr_country": "example",
"csr_email": "john.doe@example.com",
"csr_org_name": "example",
"csr_org_unit": "example tech",
"csr_state": "example-state",
"csr_uid": ""
}
}
Renew the client certificate.
Example request
ksctl clientmgmt clients renew --client-id 1e33456b-8782-43a2-9efe-b415dc76ce52 --cert-duration 730
Example response
{ "client_id": "1e33456b-8782-43a2-9efe-b415dc76ce52", "cert": "-----BEGIN CERTIFICATE----- MIIDfTCCAWWgAwIBAgIRAPvsR8igXyZzpMAnmkgldAwwDQYJKoZIhvcNAQELBQAw WjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1EMRAwDgYDVQQHEwdCZWxjYW1wMRAw DgYDVQQKEwdHZW1hbHRvMRowGAYDVQQDExFLZXlTZWN1cmUgUm9vdCBDQTAeFw0x ODEyMTgwMDE2MjZaFw0yMDEyMTcwMDE2MjZaMBExDzANBgNVBAMTBnRlc3RlcjB2 MBAGByqGSM49AgEGBSuBBAAiA2IABEvBmz1WRQmfiG2IGOjE7fpPyDTCNwvqSXsW HAhrVCRDOmPLuaiVn08/k7zRFum5UxcIWjwxJ5tnO7Z38Y3gKIyE42mHINqQHPOT cz9JLKqaGALwZtQCzB61M0ul7dGA5aM1MDMwDgYDVR0PAQH/BAQDAgOIMBMGA1Ud JQQMMAoGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIB AK7rTYW1+woOfHOLeYjs6jobO7kROm71ffdVwcHIMS3IE0B1eLdteKdG3yy2znAy VU7Jkwo2396Z9cPofrKt95wURAkSYvtz3IpTL9ibrpqJ47XxEXLHl+OycWdYoqAm YJe4A/mW3OxdR4kPbxnDXPNMZiId2xSyzkrEqaFTBBtlkdjuljEfQraKW7TiQovd dKb8xzAgozuZ4C200GlKbgjPkRF4iEXk6sihzYikmyE0s5VBEyAGvdv+s6rv6+4n mbaLkTF/ReXJryIRLDJ1uWN/PDKIqGyU1IrB26wYUWEG+4xcT1LqBxS2HL0ko1Cr 5yeWMEo952YyGeMwW0oWzhIDMxPVRXEfRu0nG35K2Gpz4KywhFVkQ1lrd7/FLwUH mrMtMwr5LG14I1NG3kEz+UVcdwfCeYxnIGW/u9CbUSmedlklZtuXjEN6bQdP+oZi f32u0mI4MSHYK55bdMWw7Rr4IlGdKRdUDOl71uZt8nztQuWVHTrii34gN5Hvz4EY g7jpDq9ZXpb1ZtLmEq2TM8XzyBzJkdIAT304L666826cle1kOgsZQw08W72ju02B 1qj/HtqGoRXPw1vk+y2XIYIwcPP3T6YctJA6TMaFZ1lIKoWWflT0uqFo19CadC8z PylaiQwwuJGV7MmJ7lC8LmYUP2Pj2v+S+5s8j0QgY0C5 -----END CERTIFICATE----- ", "csr": "-----BEGIN CERTIFICATE 
REQUEST-----\nMIICVzCCAT8CAQAwEjEQMA4GA1UEAxMHa21pcDEyMjCCASIwDQYJKoZIhvcNAQEB\nBQADggEPADCCAQoCggEBAO93JWGgUtIJKoZNgpzYBrLQgPKxaKgn42Js9pxeIAEo\nTvDfPGk2bKgOO+7GsoKCIthRn6/4fkd5lTwR3tBK3Y2Xs9TIkBQ+gpzyAM1bIlTf\nXd8xVaHgsvNS58laY1FTqM+jlVIfAlpKJnboYkGc8n6aCt9kgWDt56lNc0AfVBj0\nTD8n5wTm7uJy1GufiwCuYbaVuEsHZbpNh3GJ1tvXpRxyp7IzdCc+244cvat2L5xZ\niDIV4BeoOG3gfddQ9WuqWY+6TVAdZNLa7JVMW+3qofib1uHyCHNw0Bec/IMA48qg\n7JNnSwDB6FXSeYr7nqFhORWOaQi7DT7F6JdY3cXXuNMCAwEAAaAAMA0GCSqGSIb3\nDQEBCwUAA4IBAQBpUtybSG6DG5J3LROkGj3/qcvu2Fdz6oCDq+B3Pnz06iJX2w4E\nFZGIGMYotq1m0DXv4xODFOMiLa8D8waef/+cN7dihPq1wKqw6Ml2I0/5nNY/51c4\ntuCRVDZ5zuBLVfw77yp93+VqwUHKP34398PcsYwtafm9jQM4lT7mLlaTjynVmyoF\nitocPLQLdXMbakAWPpu/+XJt4rGPCh35dv8ojPyChR0H43NMcXNX8sw2MzVwAHSE\nNJBcgC/6IIME8yNcljV3YTywe0VkVIJHgA5rJN9OwV3M3Hfji/9S/u3pD1Ixto48\nDJXbUwe5ubTKH9Eqo6TIu1sxdreKz1ONvlYV\n-----END CERTIFICATE REQUEST-----\n", "ca_cert": "-----BEGIN CERTIFICATE-----\nMIIFoDJlbGNhbXAxEDAO\nMTUxMFowWjELMAkGA1UEBhMCVVMxCzAJBgNV\nBAgTAk1EMRAwDgYDVQQHEwdCZWxjYW1wMRAwDgYDVQQKEwdHZW1hbHRvMRowGAYD\nVQQDExFLZXlTZWN1cmUgUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC\nAgoCggIBAPgJPiSciHZcAPMnEv7dpP1/jc82V9a9pmOIU2jkE7xIvhc7wQ/xVYZX\npl0c/+9v4YEcle/GjkSl7v04hOg+klf10lpTTp2ctdUd83gECDVrwpUUMpFtdhiL\nAC/hXNGobnJxjEMZPV3/gZIkxR4jDoa8A3FiLL5xLoWc9YLn85JDlYRVE1rdcpgW\n0ElTNrOko1mUJ1g90mXBiE7TGHdHR6gtbloSNZOUBFlf0P17pQPLyzZxR3tlq3qo\n/l/+hdcYfLw/Jf323c30CbuVFFbYQzADmB6k0rZaajQMZJIhYO+EUt7HKrF/gU6E\nj0uq18yxQxsXnxs2n94fpeSWF/UfuIIkjJ8mA6yGgkgT3Nw/MoD+8eTnMeoaH04S\nbm3a1pi7nlVKYdRednFphxx9YmkIMy+2VQoWfVmKvJTxCtE7rzElZsqKQ6ZFvtPi\n71YPlt0gWwHMkWY4lFuUYPMcH7x7Zzb/adggES17DhmrqUivIEQgl4VYQSBkK/b3\nPQ64+iXhtnLDiiSneKErEvMqA81RIqWd3c6XG07+6YTFoL3peOEm5XWw0KvzDhUT\nomJkNTsh+Og4OXBtLXSCJzUVeY6yuxALb6GaSS0a90k34/iRP71BESO0EtngH3lr\nQhOVYibGMKfJDSMEEfCATbY4fBn1uj1RrAUhQ3GlauU/lLzZ8gjDAgMBAAGjYjBg\nMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/B0GA1UdDgQWBBTzcq97\nqHASsOatm3N+6Iq1TD0gIzAeBgNVHREEFzAVgRNzdXBwb3J0QGdlbWFsdG8uY29t\nMA0GCSqGSIb3DQEBCwUAA4ICAQBm
wTdayCb9gBlAKJVhW5mBh+muajk53cXxaXJx/VwLe\ntyyNQZhV5r6AIgdSLuy8UPj9rWeVMeI4xWutdy/ANj6737pzr4WjNNBirVtkDhRh\nMZtV9Q==\n-----END CERTIFICATE-----\n" }
For clients that don't have any profile associated, run the following command and pass the ca_id in the request:
Example request
ksctl clientmgmt clients renew --client-id 72e24314-dc1e-4bfe-80c1-8127900cee9b --ca_id 911671ca-6c15-45cf-a0a8-bcde9e82f721 --cert-duration 730
ksctl CLI: renew server certificate using new local CA
To renew the server certificate using the new local CA, perform the following steps:
Issue a new server certificate from the new CA.
Create a certificate chain and combine them into a single PEM or PKCS12 file. The file should include the following in the given order:
a. Server certificate
b. Any intermediate certificate authorities that sign the server certificate. Start with the intermediate CA that issued the server certificate. Next, add the issuer of the intermediate CA, if any. Continue adding any intermediate CAs higher up the hierarchy, each time adding the issuer of the last certificate you uploaded.
c. The root CA that signs any intermediate CAs. If there are no intermediate CAs, add the root CA that issued the server certificate.
d. The server certificate's private key.
Note
In the PEM format, the server certificate's private key should be included first, and in the PKCS12 format, it should be included last.
It is optional to include the private key in the PEM file if the user has previously generated a CSR. Creating a CSR allows the user to generate the key pair on the CipherTrust Manager and prevents exposing the private key outside of the CipherTrust Manager.
Upload the certificate chain to the CipherTrust Manager.
Example request
ksctl interfaces renewal-cert upload --name nae --file ./serverCertKey.pem --format pem
serverCertKey.pem
-----BEGIN CERTIFICATE----- MIIEqjCCApKgAwIBAgIQZkQE+oYbUzqL+bmYF2f3VjANBgkqhkiG9w0BAQsFADBa MQswCQYDVQQGEwJVUzELMAkGA1UECBMCVFgxDzANBgNVBAcTBkF1c3RpbjEPMA0G A1UEChMGVGhhbGVzMRwwGgYDVQQDExNDaXBoZXJUcnVzdCBSb290IENBMB4XDTIz MDMyMjA2MTExOVoXDTMzMDMxODA5MzM1OFowDjEMMAoGA1UEAxMDbmFlMIIBIjAN BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuB2UJMu2lMYSx181SaLKXxuOrz39 DFd6yae+fzFYXzyZxudRDeHMSt0knPoV2L3Wsfp8PibtAKHyUK6b8Ego9Ccah16X YeOmeehBcYk/IwbUcp0LAW4/4lB/a++Gkd9HPmUmOezbVMOyjk4LoerSLiqfbXIU HpbrFcxuTNKjve1ymMMT2LubguXWu6xPB6faZtspn3ZB22FgqT4KPULUrDuiTTJ3 wXJyKCIEb5kpEIk56u6aE2N+IGQ2gFWN9tHWr6SwjQNm7QhdV63y5+JLMXyHuINf Lr24fHEBUoSptbu4yhTu5t7hlO5TTKIV/PBjjvbYtt0uYIcQhw3U5qhQWQIDAQAB o4G3MIG0MA4GA1UdDwEB/wQEAwIDiDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNV HRMBAf8EAjAAMB8GA1UdIwQYMBaAFDEexvfPs6aqKYwDCCc6r7dQUEhKMF4GA1Ud HwRXMFUwU6BRoE+GTWh0dHA6Ly9jaXBoZXJ0cnVzdG1hbmFnZXIubG9jYWwvY3Js cy9iMTk2M2U4NS0wMmUxLTQ2MmQtYTQzNi1hNWUxMWNlY2NhMDEuY3JsMA0GCSqG SIb3DQEBCwUAA4ICAQA+4SrI4C42l4C8Aw5CAlbPdLFpOMoABwaCg2p0DqR0Su7E XZSZexDxod8w/5aNZAJ2rrHCJqwaDoKehNfaa/fQ/wDhVPkw6Nn2gjn6IEVNpxgU BQbE+i0vmU0NnsHF6VEMh3299sf94K9IxHqZbDgogBeBLxtqjvLSsECeoHmMfL2V /GfzMXKsiHp97gNwK8Mt6vWA4uJ/ojhK5mUlfRoEp4MyH6IuauLoWMNDGQ9xEmj9 RYKzZgZsEraS3sOLj3ZWDkpF/tGMAiadqRav9Zyb7/mMJ014RZdpRKMtLFQ/xqnM ZPsKYj0g+Q9BfK2vRKmTX2phTnjqeoVTy3qB6XxIHItmViURCT0t40tva7Ici89U xYanshAtFyCzq+1aMKbt+SeDD6jo2Q4LBNnMTK8liZqMhNUs3A0rz1mTlpUbiLBi d4Nz8d55iJxwOMSkbdQvWpoXHJnDEQW9d/9KFgnJu4nR8192Yta5BuxvuZHY57HL riA3FJ+VFzZeZpEJOdUIpaAfGcsMBWd+irH+uPA70bcrkIlF+9YCr81LOcv7gY7l 8cIMrAIkMjY3YMOgXmqxzHq1WeooHKFrtrjYJDL9gVeKn2EmMWCSYY1lKXzZ1pgG mdEOyrSYjCYgMyj5vp/Irfl57KwVVUo5DHzVx9fBLWAosKdeXNgyrXwhEUzx9A== -----END CERTIFICATE----- -----BEGIN RSA PRIVATE KEY----- MIIEpQIBAAKCAQEAuB2UJMu2lMYSx181SaLKXxuOrz39DFd6yae+fzFYXzyZxudR DeHMSt0knPoV2L3Wsfp8PibtAKHyUK6b8Ego9Ccah16XYeOmeehBcYk/IwbUcp0L AW4/4lB/a++Gkd9HPmUmOezbVMOyjk4LoerSLiqfbXIUHpbrFcxuTNKjve1ymMMT 2LubguXWu6xPB6faZtspn3ZB22FgqT4KPULUrDuiTTJ3wXJyKCIEb5kpEIk56u6a 
E2N+IGQ2gFWN9tHWr6SwjQNm7QhdV63y5+JLMXyHuINfLr24fHEBUoSptbu4yhTu 5t7hlO5TTKIV/PBjjvbYtt0uYIcQhw3U5qhQWQIDAQABAoIBAQCmXywgN+kr9PTB LlqDyNPgL5G272f7wA0Xrjnoy9lUbflzkFFhHvoxaDYOl7ooGhuoxnWA4EHoAW9q 0u3cqgg/4BoL20EmVsV3gZWpl+DysNhHHXv1df/KbP1HtrE+nanOSy7IxyzHIvP1 vbarQPtedmuMRbrCjZOvJgVB7FHEbAP8BG+qsGHU/6EOlQBvskoR7EdwuZ/q12n4 1as0Sy0qAtLhPcdOA+iUXWvxTSm5GVO/+9I/xs/SDT4kI8CgBgyQpuH0B8j5Gw9W Y3NSn8ahXhy9mh1tGY4ltJSby6F3YUy57I117loJ8w4fRqfQEdxr6rQgxvRNM36h DuSefqxFAoGBAOzAcvrbSW7uiHjnz37xbr7AdegF47dtOJnoIXYKNF3MQ3lw5PxM wc+SMJqpL84sG6OZXxs9qOxj2ZCrkthzPJxEhnOp1qGd1jvL4pW5N4e8cXF3i5k/ qY+l2JZOHuy55tIO8vUXwma0bDnU+YrC7APb6AtaOVi96EjU8QITzqmXAoGBAMcV mpovSrjbVrAEEe9/XPmnlk0Sk2GDWSHGIcdwCVXmWqwTA20Yra8z6Ax26ARcotKw eTyEMA5LQh1l2MytLaAqTfjIPrpD3ZsIJ0JWYmlvOLwxqVcgesx+YaEvN8tiBOR4 HYNWJteDWgXHrbNX45Q6BOYDPorjoa5vb4P91bOPAoGAEqBBa4L9EAEsM3bpWC9e axtxK0PrWm75WQJuP38mB4sec9tx6HeRd+ckc8aDwFCwC/rxBI+hTpe8cilNcEIA rrqlaUwfWq+0PxgXR3g+6irlMewZy4C6slZ1571VqYImqrgKXUX1QWdIbHRY/ZXA Q711UA9VG6o1MCWwoF02kRkCgYEAqb4r0WadKTwqj20I9dD8LwjKx/AcpTnel0Nd rbRC4XDEwo57j1tJS2bQZUBE1uM9GLLKy+RRLP7R4kriLLFDg5pOXN4vTZVrrzGm d5M72XWxRBR7tAPHb/AZwdqGkeyDC2G2mDKub3ZZHTCBU7aOHeXSI2OEwdsQEbCF vl6BBNUCgYEApKwKLv+u9KrK/bdQCYsNTLXTeuiZh8FbnYZtT3dXvgsFUiCUdOGI jlXLL6+p7Cs+O2k145WCb6yFzk5X4Z9y0gV7jIkumRX07QA5K5Zdfjrxx4cBjn2y 8ZnEXTu3PkbgPlkIalAaSW19C5JgLoRCPTKT/taDJaSKa/L4RN1iv2o= -----END RSA PRIVATE KEY-----
Example response
{ "certificates": "-----BEGIN CERTIFICATE-----\nMIIEqjCCApKgAwIBAgIQZkQE+oYbUzqL+bmYF2f3VjANBgkqhkiG9w0BAQsFADBa\nMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVFgxDzANBgNVBAcTBkF1c3RpbjEPMA0G\nA1UEChMGVGhhbGVzMRwwGgYDVQQDExNDaXBoZXJUcnVzdCBSb290IENBMB4XDTIz\nMDMyMjA2MTExOVoXDTMzMDMxODA5MzM1OFowDjEMMAoGA1UEAxMDbmFlMIIBIjAN\nBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuB2UJMu2lMYSx181SaLKXxuOrz39\nDFd6yae+fzFYXzyZxudRDeHMSt0knPoV2L3Wsfp8PibtAKHyUK6b8Ego9Ccah16X\nYeOmeehBcYk/IwbUcp0LAW4/4lB/a++Gkd9HPmUmOezbVMOyjk4LoerSLiqfbXIU\nHpbrFcxuTNKjve1ymMMT2LubguXWu6xPB6faZtspn3ZB22FgqT4KPULUrDuiTTJ3\nwXJyKCIEb5kpEIk56u6aE2N+IGQ2gFWN9tHWr6SwjQNm7QhdV63y5+JLMXyHuINf\nLr24fHEBUoSptbu4yhTu5t7hlO5TTKIV/PBjjvbYtt0uYIcQhw3U5qhQWQIDAQAB\no4G3MIG0MA4GA1UdDwEB/wQEAwIDiDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNV\nHRMBAf8EAjAAMB8GA1UdIwQYMBaAFDEexvfPs6aqKYwDCCc6r7dQUEhKMF4GA1Ud\nHwRXMFUwU6BRoE+GTWh0dHA6Ly9jaXBoZXJ0cnVzdG1hbmFnZXIubG9jYWwvY3Js\ncy9iMTk2M2U4NS0wMmUxLTQ2MmQtYTQzNi1hNWUxMWNlY2NhMDEuY3JsMA0GCSqG\nSIb3DQEBCwUAA4ICAQA+4SrI4C42l4C8Aw5CAlbPdLFpOMoABwaCg2p0DqR0Su7E\nXZSZexDxod8w/5aNZAJ2rrHCJqwaDoKehNfaa/fQ/wDhVPkw6Nn2gjn6IEVNpxgU\nBQbE+i0vmU0NnsHF6VEMh3299sf94K9IxHqZbDgogBeBLxtqjvLSsECeoHmMfL2V\n/GfzMXKsiHp97gNwK8Mt6vWA4uJ/ojhK5mUlfRoEp4MyH6IuauLoWMNDGQ9xEmj9\nRYKzZgZsEraS3sOLj3ZWDkpF/tGMAiadqRav9Zyb7/mMJ014RZdpRKMtLFQ/xqnM\nZPsKYj0g+Q9BfK2vRKmTX2phTnjqeoVTy3qB6XxIHItmViURCT0t40tva7Ici89U\nxYanshAtFyCzq+1aMKbt+SeDD6jo2Q4LBNnMTK8liZqMhNUs3A0rz1mTlpUbiLBi\nd4Nz8d55iJxwOMSkbdQvWpoXHJnDEQW9d/9KFgnJu4nR8192Yta5BuxvuZHY57HL\nriA3FJ+VFzZeZpEJOdUIpaAfGcsMBWd+irH+uPA70bcrkIlF+9YCr81LOcv7gY7l\n8cIMrAIkMjY3YMOgXmqxzHq1WeooHKFrtrjYJDL9gVeKn2EmMWCSYY1lKXzZ1pgG\nmdEOyrSYjCYgMyj5vp/Irfl57KwVVUo5DHzVx9fBLWAosKdeXNgyrXwhEUzx9A==\n-----END CERTIFICATE-----\n" }
For clients, the chain uploaded in the previous step is available to download.
Example request
ksctl interfaces renewal-cert get --name nae
Example response
{ "certificates": "-----BEGIN CERTIFICATE-----\nMIIEqjCCApKgAwIBAgIQZkQE+oYbUzqL+bmYF2f3VjANBgkqhkiG9w0BAQsFADBa\nMQswCQYDVQQGEwJVUzELMAkGA1UECBMCVFgxDzANBgNVBAcTBkF1c3RpbjEPMA0G\nA1UEChMGVGhhbGVzMRwwGgYDVQQDExNDaXBoZXJUcnVzdCBSb290IENBMB4XDTIz\nMDMyMjA2MTExOVoXDTMzMDMxODA5MzM1OFowDjEMMAoGA1UEAxMDbmFlMIIBIjAN\nBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuB2UJMu2lMYSx181SaLKXxuOrz39\nDFd6yae+fzFYXzyZxudRDeHMSt0knPoV2L3Wsfp8PibtAKHyUK6b8Ego9Ccah16X\nYeOmeehBcYk/IwbUcp0LAW4/4lB/a++Gkd9HPmUmOezbVMOyjk4LoerSLiqfbXIU\nHpbrFcxuTNKjve1ymMMT2LubguXWu6xPB6faZtspn3ZB22FgqT4KPULUrDuiTTJ3\nwXJyKCIEb5kpEIk56u6aE2N+IGQ2gFWN9tHWr6SwjQNm7QhdV63y5+JLMXyHuINf\nLr24fHEBUoSptbu4yhTu5t7hlO5TTKIV/PBjjvbYtt0uYIcQhw3U5qhQWQIDAQAB\no4G3MIG0MA4GA1UdDwEB/wQEAwIDiDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNV\nHRMBAf8EAjAAMB8GA1UdIwQYMBaAFDEexvfPs6aqKYwDCCc6r7dQUEhKMF4GA1Ud\nHwRXMFUwU6BRoE+GTWh0dHA6Ly9jaXBoZXJ0cnVzdG1hbmFnZXIubG9jYWwvY3Js\ncy9iMTk2M2U4NS0wMmUxLTQ2MmQtYTQzNi1hNWUxMWNlY2NhMDEuY3JsMA0GCSqG\nSIb3DQEBCwUAA4ICAQA+4SrI4C42l4C8Aw5CAlbPdLFpOMoABwaCg2p0DqR0Su7E\nXZSZexDxod8w/5aNZAJ2rrHCJqwaDoKehNfaa/fQ/wDhVPkw6Nn2gjn6IEVNpxgU\nBQbE+i0vmU0NnsHF6VEMh3299sf94K9IxHqZbDgogBeBLxtqjvLSsECeoHmMfL2V\n/GfzMXKsiHp97gNwK8Mt6vWA4uJ/ojhK5mUlfRoEp4MyH6IuauLoWMNDGQ9xEmj9\nRYKzZgZsEraS3sOLj3ZWDkpF/tGMAiadqRav9Zyb7/mMJ014RZdpRKMtLFQ/xqnM\nZPsKYj0g+Q9BfK2vRKmTX2phTnjqeoVTy3qB6XxIHItmViURCT0t40tva7Ici89U\nxYanshAtFyCzq+1aMKbt+SeDD6jo2Q4LBNnMTK8liZqMhNUs3A0rz1mTlpUbiLBi\nd4Nz8d55iJxwOMSkbdQvWpoXHJnDEQW9d/9KFgnJu4nR8192Yta5BuxvuZHY57HL\nriA3FJ+VFzZeZpEJOdUIpaAfGcsMBWd+irH+uPA70bcrkIlF+9YCr81LOcv7gY7l\n8cIMrAIkMjY3YMOgXmqxzHq1WeooHKFrtrjYJDL9gVeKn2EmMWCSYY1lKXzZ1pgG\nmdEOyrSYjCYgMyj5vp/Irfl57KwVVUo5DHzVx9fBLWAosKdeXNgyrXwhEUzx9A==\n-----END CERTIFICATE-----\n" }
Now, the clients can use this new chain to set up their environment.
After the clients have been updated with the new certificate chain, the admin can apply the new certificate chain on the CipherTrust Manager. This replaces the existing server certificates with the newly generated server certificates.
Example request
ksctl interfaces renewal-cert apply --name nae
There will be no response if the new certificate chain is applied successfully.
If the admin does not apply the new certificate chain manually on the CipherTrust Manager, the auto-apply option is triggered when the CA expires.
Adding an External CA
You must add an external CA on CipherTrust Manager to use the CA as a trusted entity for various interfaces and services inside the system.
You need to obtain and upload the external CA's PEM-formatted certificate file.
Add an External CA in web console UI
Login to the root domain as an Application Administrator in the Admins group, such as admin. Navigate to CA > External.
Click + Add External CA.
Provide a Display Name.
Provide the CA's Certificate.
- Select File Upload and Upload Certificate to provide the certificate file.
or
- Select Text and paste the certificate contents into the text field.
Click Add External CA.
Add an External CA in ksctl CLI
Use the following command:
ksctl ca externals upload --cert-infile mycert.pem
Verifying revocation status of client certificates
The CipherTrust Manager can be configured to verify the revocation status of a client certificate presented to an NAE or KMIP interface before establishing a connection with the client.
To configure the CipherTrust Manager for inspecting the client certificate revocation status:
Select the TLS verify client cert Interface Mode. Enable the Certificate Revocation Check.
A certificate can contain an OCSP responder URL and a Certificate Revocation List (CRL) URL, which are used to verify the revocation status of the certificate.
Note
An LDAP URL is not supported, that is, if the CRL or OCSP URL begins with ldap://, the CipherTrust Manager skips that URL.
Let's understand how CipherTrust Manager verifies the revocation status of a certificate and permits or drops connection requests in each case:
CipherTrust Manager inspects the client certificate for an OCSP responder URL and a CRL URL.
If OCSP URL is present
CipherTrust Manager accesses this URL to verify the revocation status of the client certificate.
Note
The certificate to be verified must contain the URL of the certificate issuer (CA). The issuer certificate should be specified using the AIA extension of X.509. The issuer URL should be an http URL and must be accessible. If the issuer URL is not specified in the certificate, the certificate revocation check "Soft Fails" and the connection is created.
If the OCSP URL is accessible, the status of the certificate is verified and CipherTrust Manager allows or drops the connection request accordingly.
If the OCSP URL is not accessible for any reason, CipherTrust Manager treats the situation as a "Soft Fail": it allows the connection to be established but reports a warning. This warning audit log and its details can be viewed in the Records.
If OCSP URL is not present, but CRL URL is present
CipherTrust Manager verifies the status of the certificate using the CRL, and allows or drops the connection request accordingly.
If the CRL URL is accessible, the status of the certificate is verified and CipherTrust Manager allows or drops the connection request accordingly.
If the CRL URL is not accessible for any reason, CipherTrust Manager treats the situation as a "Soft Fail": it allows the connection to be established but reports a warning. This warning audit log and its details can be viewed in the Records.
If both OCSP URL and CRL URL are not present
CipherTrust Manager considers the client certificate to be signed by its local CA, and allows the connection to be established.
Note
In any case, if the certificate is found to be revoked, CipherTrust Manager drops the connection request and logs it in Records.
OCSP and CRL caching
As stated above, verifying the revocation status of a certificate involves establishing a connection with the URL (OCSP or CRL) present in the certificate and verifying its revocation status. Once the revocation status of a certificate is verified, CipherTrust Manager stores this information for a preset time.
Let's understand how long this information is stored and how it is used in this time frame:
For OCSP method
After successfully connecting to the OCSP URL, CipherTrust Manager stores the revocation status of the client certificate for a duration of 5 minutes.
If CipherTrust Manager receives another connection request from the same client within 5 minutes of a previously successful connection, then CipherTrust Manager refers to the cached revocation status value to verify its revocation status.
If CipherTrust Manager receives another connection request from the same client more than 5 minutes after a previously successful connection, then CipherTrust Manager verifies its revocation status through the OCSP URL again.
For CRL method
Each CA promises to update its CRL at the day and time specified in the Next Update field for that CA. While performing a certificate revocation check, the CipherTrust Manager inspects the Next Update value for the CRL associated with each CA on the CipherTrust Manager.
If the Next Update value for that CRL is in the past, the CipherTrust Manager attempts to connect to the CRL distribution point (CDP) for the CA to download the updated CRL.
If the Next Update value for that CRL is in the future, the CipherTrust Manager waits until that specified time to attempt to connect to the CDP and download the updated CRL.
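The decision flow and the OCSP/CRL caching rules described above, modelled as an added Python example (this is not CipherTrust Manager code). The OCSP responder and the CRL distribution point are injected callables so the model runs offline, and every certificate, serial, CA name and URL is constructed sample data; treating an ldap:// URL as "not present" is this model's reading of the note above.

```python
"""Model of the documented client-certificate revocation check.
Added example, not CipherTrust Manager code; all data is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

OCSP_CACHE_TTL = timedelta(minutes=5)  # documented OCSP cache lifetime


@dataclass
class ClientCert:
    serial: str
    issuer: str                        # issuing CA name, used as the CRL cache key
    ocsp_url: Optional[str] = None     # OCSP responder URL from the certificate
    crl_url: Optional[str] = None      # CRL distribution point from the certificate
    issuer_url: Optional[str] = None   # AIA issuer (CA certificate) URL


@dataclass
class Crl:
    revoked: set            # serials listed as revoked
    next_update: datetime   # the CA's promised refresh time (Next Update field)


@dataclass
class RevocationChecker:
    # fetch_ocsp(url, serial) -> True (revoked) / False (good) / None (unreachable)
    fetch_ocsp: Callable[[str, str], Optional[bool]]
    # fetch_crl(url) -> Crl, or None if the distribution point is unreachable
    fetch_crl: Callable[[str], Optional[Crl]]
    ocsp_cache: dict = field(default_factory=dict)  # serial -> (revoked, checked_at)
    crl_cache: dict = field(default_factory=dict)   # issuer -> Crl
    warnings: list = field(default_factory=list)    # audit-style warning records

    @staticmethod
    def _usable(url: Optional[str]) -> bool:
        # ldap:// URLs are skipped, so they count as "not present" here
        return url is not None and not url.lower().startswith("ldap://")

    def check(self, cert: ClientCert, now: datetime) -> str:
        """Return 'allow', 'drop' or 'soft_fail' (allowed, with a warning)."""
        if self._usable(cert.ocsp_url):
            return self._via_ocsp(cert, now)
        if self._usable(cert.crl_url):
            return self._via_crl(cert, now)
        # Neither URL present: treated as signed by the local CA, connection allowed
        return "allow"

    def _soft_fail(self, cert: ClientCert, reason: str) -> str:
        self.warnings.append(f"serial={cert.serial} soft-fail: {reason}")
        return "soft_fail"

    def _via_ocsp(self, cert: ClientCert, now: datetime) -> str:
        if not (cert.issuer_url and cert.issuer_url.startswith("http")):
            return self._soft_fail(cert, "issuer URL missing from AIA extension")
        cached = self.ocsp_cache.get(cert.serial)
        if cached and now - cached[1] < OCSP_CACHE_TTL:
            revoked = cached[0]                     # reuse status within 5 minutes
        else:
            revoked = self.fetch_ocsp(cert.ocsp_url, cert.serial)
            if revoked is None:
                return self._soft_fail(cert, "OCSP responder unreachable")
            self.ocsp_cache[cert.serial] = (revoked, now)
        return "drop" if revoked else "allow"

    def _via_crl(self, cert: ClientCert, now: datetime) -> str:
        crl = self.crl_cache.get(cert.issuer)
        if crl is None or crl.next_update <= now:    # Next Update in the past: refresh
            fresh = self.fetch_crl(cert.crl_url)
            if fresh is None:
                return self._soft_fail(cert, "CRL distribution point unreachable")
            self.crl_cache[cert.issuer] = crl = fresh
        return "drop" if cert.serial in crl.revoked else "allow"


def demo() -> dict:
    """Constructed scenario exercising each branch; returns the decisions."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    revoked_serials = {"0x2"}
    reachable = {"ocsp": True, "crl": True}   # toggled to simulate outages

    def fetch_ocsp(url, serial):
        return (serial in revoked_serials) if reachable["ocsp"] else None

    def fetch_crl(url):
        if not reachable["crl"]:
            return None
        return Crl(set(revoked_serials), next_update=t0 + timedelta(hours=1))

    rc = RevocationChecker(fetch_ocsp, fetch_crl)
    aia = "http://ca.example/ca-a.crt"
    good = ClientCert("0x1", "ca-a", ocsp_url="http://ocsp.example/", issuer_url=aia)
    bad = ClientCert("0x2", "ca-a", ocsp_url="http://ocsp.example/", issuer_url=aia)
    no_aia = ClientCert("0x3", "ca-a", ocsp_url="http://ocsp.example/")
    crl_only = ClientCert("0x4", "ca-b", crl_url="http://crl.example/ca-b.crl")
    ldap_only = ClientCert("0x5", "ca-b", crl_url="ldap://dir.example/cn=ca-b")
    r = {"good": rc.check(good, t0), "revoked": rc.check(bad, t0),
         "no_aia": rc.check(no_aia, t0), "crl_ok": rc.check(crl_only, t0),
         "ldap_skipped": rc.check(ldap_only, t0)}
    reachable["ocsp"] = False
    r["cached_within_5m"] = rc.check(good, t0 + timedelta(minutes=4))
    r["recheck_after_5m"] = rc.check(good, t0 + timedelta(minutes=6))
    reachable["crl"] = False
    r["crl_cached_until_next_update"] = rc.check(crl_only, t0 + timedelta(minutes=30))
    r["crl_stale_unreachable"] = rc.check(crl_only, t0 + timedelta(hours=2))
    r["warnings"] = len(rc.warnings)
    return r
```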
Enabling/disabling certificate revocation check
The Certificate Revocation Check is enabled by default. You can enable or disable the Certificate Revocation Check using:
API playground
Refer to "Properties" section (/v1/configs/properties).
CLI tool (ksctl)
Refer to the following examples:
Command to enable Certificate Revocation Check
ksctl properties modify -n ENABLE_CERT_REV_CHECK -p true
Command to disable Certificate Revocation Check
ksctl properties modify -n ENABLE_CERT_REV_CHECK -p false
Available Flags:
Flag | Input Type | Description
-h, --help | not applicable | Command help
-n, --name | string | Name of the system configuration
-p, --value | string | Value to be set for the system configuration
Getting the fingerprint of the CA certificate
The fingerprint of the old CA certificate that was used to register the client with the CipherTrust Manager is needed when re-registering a client. A CipherTrust Manager administrator can provide you the fingerprint.
The fingerprint of the CA certificate can be viewed on the GUI or the API playground.
On the API Playground
To get the fingerprint of a CA certificate:
Acquire an authorization token.
In the left pane of the API playground, click Certificate Authority.
Under Certificate Authority, click Get local CA. The Get section of the API playground is displayed in the right pane.
Click id in /v1/ca/local-cas/{id}. Enter the id of the local CA in the text box.
Click GET. Details of the CA including fingerprints are displayed in the output. Only sha256Fingerprint and sha512Fingerprint are supported for re-registration.
Copy the desired fingerprint. This fingerprint will be used when re-registering clients.
Similarly, you can get the fingerprint of external CA certificates.
On the GUI
To get the fingerprint of a CA certificate:
Log on to the CipherTrust Manager as administrator.
In the left pane, click CA > Local. The list of available CAs is displayed.
Click the ellipsis icon corresponding to the CA.
Click Details. Details of the CA including fingerprints are displayed. Only sha256Fingerprint and sha512Fingerprint are supported for re-registration.
Copy the desired fingerprint. This fingerprint will be used when re-registering clients.
Similarly, you can get the fingerprint of external CA certificates.
Managing usage of certificate authority (CA)
You can manage the usage of a CA on individual CipherTrust Manager domains. The CipherTrust Manager supports user and client authentication.
Client authentication: If enabled, the certificates signed by the CA can be used for client authentication in that domain.
User authentication: If enabled, the certificates signed by the CA can be used for user authentication in that domain.
If authentication is disabled, the CipherTrust Manager domain does not trust the CA for respective authentication mechanisms, and the certificates are rejected even if valid.
Updating Usage of a Local CA in Web Console UI
Login to the root domain as an Application Administrator in the Admins group, such as admin. Navigate to CA > Local.
In the Local Certificate Authorities table, find the Local CA.
Click the corresponding overflow icon to view usage change options. Available usage change operations could be:
Disable Client Auth - Click this to disable client authentication
Disable User Auth - Click this to disable user authentication
Enable Client Auth - Click this to enable client authentication
Enable User Auth - Click this to enable user authentication
The usage change is applied immediately.
Updating Usage of a Local CA in ksctl CLI
To update usage of a local CA, run:
Syntax
ksctl ca locals update --id <ca-identifier> --allow-user-authentication <true|false> --allow-client-authentication <true|false>
Example request
ksctl ca locals update --id e66d047a-2f67-48bf-bcac-862ac773e12a --allow-user-authentication true --allow-client-authentication false
Example response
{
"id": "09e3feb5-7c37-4345-9f05-14a95eb4acd9",
"uri": "kylo:kylo:naboo:localca:09e3feb5-7c37-4345-9f05-14a95eb4acd9",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-01-04T16:55:08.995526Z",
"updatedAt": "2022-01-05T07:31:10.468173266Z",
"name": "admin",
"state": "active",
"csr": "",
"cert": "-----BEGIN CERTIFICATE-----\nMIIBoTCCASegAwIBAgIQLyw13lVuY5/+BbOYhPfRpjAKBggqhkjOPQQDAzASMRAw\nDgYDVQQDEwdhZG1pbkNBMB4XDTIyMDEwMzE2NTUxMloXDTIzMDEwMzE2NTUxMlow\nEjEQMA4GA1UEAxMHYWRtaW5DQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMhbWYui\neU0/VVZU0bsD6FWt3xGaBWaGrC2BS6EH+YcacosTm0SMWJSYHhN8YqxF8eMmTF1y\np7tTSRXo89xYqDZK/wMmOjv55l1yhwV+82o8d1y2Q9obkhgXb39JaxLAlaNCMEAw\nDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFIIBQfXX\nu5bdGlOjynb7aL4Leq81MAoGCCqGSM49BAMDA2gAMGUCMQD+aEg5pq3VM78Pp5F0\nJEurbY23XoKwixe23IKUhYBTfdpvaDUZGMtV6c7zIfUa2mMCMBN4Nkc6qva1cHxo\nFbsmjX42K8fukNqzm39w8vM4o+lhnb5J4bRyghbD/Ej67F6Myw==\n-----END CERTIFICATE-----\n",
"serialNumber": "62703269446467328287939974236420428198",
"subject": "/CN=adminCA",
"issuer": "/CN=adminCA",
"notBefore": "2022-01-03T16:55:12Z",
"notAfter": "2023-01-03T16:55:12Z",
"sha1Fingerprint": "B3673DFB030A894EF71A71C0C382E78455C1DA84",
"sha256Fingerprint": "0242266C65ECA9BB893A75EC425A107CCC92C0BEED8224AD87A3A64E9E077739",
"sha512Fingerprint": "4B20E210A6FE04D5A086346E809076A17C47873D29F1DC071308121BAF2D2AD9C516726E48364281A15224CFA0365B8AFED34B61D8C109DEDBDF4AB365BBF744",
"purpose": {
"client_authentication": "Disabled",
"user_authentication": "Enabled"
}
}
Updating Usage of External CA in Web Console UI
Login to the root domain as an Application Administrator in the Admins group, such as admin. Navigate to CA > External.
In the External Certificate Authorities table, find the external CA.
Click the corresponding overflow icon to view usage change options. Available usage change operations could be:
Disable Client Auth - Click this to disable client authentication
Disable User Auth - Click this to disable user authentication
Enable Client Auth - Click this to enable client authentication
Enable User Auth - Click this to enable user authentication
The usage change is applied immediately.
Updating Usage of an External CA in ksctl CLI
To update usage of an external CA, run:
Syntax
ksctl ca externals update --id <ca-identifier> --allow-user-authentication <true|false> --allow-client-authentication <true|false>
Example request
ksctl ca externals update --id 5cb55f29-2749-4960-a912-98aeff6accda --allow-user-authentication true --allow-client-authentication false
Example response
{
"id": "f029ff14-9f27-4015-8609-23f41b6de898",
"uri": "kylo:kylo:naboo:external_ca:f029ff14-9f27-4015-8609-23f41b6de898",
"account": "kylo:kylo:admin:accounts:kylo",
"createdAt": "2022-01-04T16:57:34.723799Z",
"updatedAt": "2022-01-05T07:32:10.243282197Z",
"name": "1234",
"cert": "-----BEGIN CERTIFICATE-----\nMIIBoTCCASegAwIBAgIQLyw13lVuY5/+BbOYhPfRpjAKBggqhkjOPQQDAzASMRAw\nDgYDVQQDEwdhZG1pbkNBMB4XDTIyMDEwMzE2NTUxMloXDTIzMDEwMzE2NTUxMlow\nEjEQMA4GA1UEAxMHYWRtaW5DQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMhbWYui\neU0/VVZU0bsD6FWt3xGaBWaGrC2BS6EH+YcacosTm0SMWJSYHhN8YqxF8eMmTF1y\np7tTSRXo89xYqDZK/wMmOjv55l1yhwV+82o8d1y2Q9obkhgXb39JaxLAlaNCMEAw\nDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFIIBQfXX\nu5bdGlOjynb7aL4Leq81MAoGCCqGSM49BAMDA2gAMGUCMQD+aEg5pq3VM78Pp5F0\nJEurbY23XoKwixe23IKUhYBTfdpvaDUZGMtV6c7zIfUa2mMCMBN4Nkc6qva1cHxo\nFbsmjX42K8fukNqzm39w8vM4o+lhnb5J4bRyghbD/Ej67F6Myw==\n-----END CERTIFICATE-----",
"purpose": {
"client_authentication": "Disabled",
"user_authentication": "Enabled"
},
"serialNumber": "62703269446467328287939974236420428198",
"subject": "/CN=adminCA",
"issuer": "/CN=adminCA",
"notBefore": "2022-01-03T16:55:12Z",
"notAfter": "2023-01-03T16:55:12Z",
"sha1Fingerprint": "B3673DFB030A894EF71A71C0C382E78455C1DA84",
"sha256Fingerprint": "0242266C65ECA9BB893A75EC425A107CCC92C0BEED8224AD87A3A64E9E077739",
"sha512Fingerprint": "4B20E210A6FE04D5A086346E809076A17C47873D29F1DC071308121BAF2D2AD9C516726E48364281A15224CFA0365B8AFED34B61D8C109DEDBDF4AB365BBF744"
}
Certificate format in REST-API and UI
If you are uploading certificates using the REST API, certificates are encoded in a JSON string and use \n characters to indicate line endings. CipherTrust Manager's UI web console does not have these characters, so it is easiest to remain in the same interface for certificate operations, and/or to pass in and export certificates as a file instead of a pasted string wherever possible. If you are copy-pasting certificate strings between the UI and other interfaces, you must re-encode the certificate strings.
To change a PEM-encoded string to JSON, use
echo "$v" | jq -R --slurp
where $v is a variable holding the string. This converts a certificate in the UI format to the REST API format. To change a JSON-encoded string to PEM, use
echo "$v" | /usr/local/bin/jq -r
where $v is a variable holding the JSON string. This converts a certificate from the REST API format to the UI format.
Keep the double quotes around $v in both commands. An unquoted $v is subject to word splitting, which turns the PEM line breaks into spaces and yields a string that is no longer valid PEM. Note also that echo appends a trailing newline, which jq -R --slurp keeps as a final \n in the JSON string; use printf '%s' "$v" instead of echo if you need the string without it.
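As an added example (not code from the CipherTrust Manager documentation or product), the following Python performs the same two conversions with the json module and adds the check a practitioner wants after a copy-paste between interfaces: it decodes the base64 body strictly (so line breaks collapsed into spaces are rejected rather than silently accepted), confirms that the length declared in the certificate's outer DER SEQUENCE matches the number of bytes decoded, and computes the SHA-256 fingerprint in the same upper-case hex form as the API's sha256Fingerprint field, so it can be compared with the value the API reports for the same certificate. The certificate is the one from the external CA response shown above; the function names are this example's own.

```python
import base64
import hashlib
import json
import re

# The "cert" value from the external CA response above, in the multi-line
# PEM form the UI web console shows (no \n escapes).
UI_PEM = """-----BEGIN CERTIFICATE-----
MIIBoTCCASegAwIBAgIQLyw13lVuY5/+BbOYhPfRpjAKBggqhkjOPQQDAzASMRAw
DgYDVQQDEwdhZG1pbkNBMB4XDTIyMDEwMzE2NTUxMloXDTIzMDEwMzE2NTUxMlow
EjEQMA4GA1UEAxMHYWRtaW5DQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMhbWYui
eU0/VVZU0bsD6FWt3xGaBWaGrC2BS6EH+YcacosTm0SMWJSYHhN8YqxF8eMmTF1y
p7tTSRXo89xYqDZK/wMmOjv55l1yhwV+82o8d1y2Q9obkhgXb39JaxLAlaNCMEAw
DgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFIIBQfXX
u5bdGlOjynb7aL4Leq81MAoGCCqGSM49BAMDA2gAMGUCMQD+aEg5pq3VM78Pp5F0
JEurbY23XoKwixe23IKUhYBTfdpvaDUZGMtV6c7zIfUa2mMCMBN4Nkc6qva1cHxo
FbsmjX42K8fukNqzm39w8vM4o+lhnb5J4bRyghbD/Ej67F6Myw==
-----END CERTIFICATE-----"""

# Header and footer must sit on their own lines; only base64 and newlines in between.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\n([A-Za-z0-9+/=\n]+?)\n-----END CERTIFICATE-----"
)


def pem_to_json(pem):
    """UI form (multi-line PEM) -> REST API form: one JSON string with \\n escapes.
    Equivalent to: printf '%s' "$v" | jq -R --slurp"""
    return json.dumps(pem)


def json_to_pem(encoded):
    """REST API form -> UI form. Equivalent to: echo "$v" | jq -r"""
    pem = json.loads(encoded)
    if not isinstance(pem, str):
        raise ValueError("expected a JSON string containing a certificate")
    return pem


def pem_to_der(pem):
    """Strict decode of the PEM body. Spaces left behind by an unquoted $v
    break the header/footer line structure and are rejected here."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("not a PEM certificate (header/footer must be on their own lines)")
    return base64.b64decode(match.group(1).replace("\n", ""), validate=True)


def der_declared_length(der):
    """Total length of the outer ASN.1 SEQUENCE as declared in its DER header.
    For an intact certificate this equals len(der); a truncated paste does not."""
    if der[0] != 0x30:
        raise ValueError("certificate DER must start with a SEQUENCE tag")
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def sha256_fingerprint(der):
    """Upper-case hex over the DER bytes, the form of the API's sha256Fingerprint field."""
    return hashlib.sha256(der).hexdigest().upper()


def check_roundtrip(pem):
    """Convert UI -> API -> UI and confirm the certificate survived unchanged."""
    api_form = pem_to_json(pem)
    back = json_to_pem(api_form)
    der = pem_to_der(back)
    return {
        "roundtrip_ok": back == pem,
        "single_line": "\n" not in api_form,          # API form carries no raw newlines
        "der_length": len(der),
        "der_intact": der_declared_length(der) == len(der),
        "sha256": sha256_fingerprint(der),
    }


if __name__ == "__main__":
    print(json.dumps(check_roundtrip(UI_PEM), indent=2))
```

The fingerprint printed for the same certificate should match the sha256Fingerprint field the API returns; a mismatch means the pasted string was altered in transit (wrapped, truncated, or had its line breaks collapsed).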
Adding Web Certificate for FQDN Connectivity
To add a web certificate for FQDN connectivity:
1. View the parsed server certificate in use.
   a. Log on to the CipherTrust Manager as an administrator.
   b. Go to Admin Settings > Interfaces.
   c. On the Interfaces page, click the overflow icon next to the web interface.
   d. Click Certificate Options....
   e. On the Interface Certificate Options on 'web' dialog box, select View Certificate and click Ok.
   f. On the View WEB Certificate dialog box, copy the value of the subject property. For example, C=US, ST=TX, L=Austin, O=Thales, CN=web.ciphertrustmanager.local.
   g. Close the dialog box.
2. Issue a new certificate.
   a. Go to CA > Local, and click the Name link of the local CA. The Certificate issued by <local-ca-name> screen is displayed.
   b. Click + Issue Certificate.
   c. Paste the subject value you copied above in the Common Name field.
   d. Select RSA as Algorithm and 4096 as Size.
   e. Under Subject Alternative Names, in the DNS Names (comma separated) field, specify the FQDN of your CipherTrust Manager instance. Browsers and most TLS clients match the host name against these DNS Names (the subjectAltName extension), not against the Common Name, so the FQDN must appear here exactly as clients will use it.
   f. In the Name (comma separated) field, enter web.
   g. Change the Certificate Purpose to server and Duration in days to 365, and click Issue Certificate.
   h. When prompted, click save private key. The private key, key.pem, is downloaded. The certificate is successfully issued, and you are returned to the Certificate issued by <local-ca-name> screen.
   i. Download the certificate. Click the overflow icon corresponding to the newly issued certificate and click Download. The certificate, certificate.pem, is downloaded.
   j. Concatenate the private key and the certificate downloaded above. For example, run
      cat key.pem certificate.pem > web_certificate.pem
      The resulting file contains the private key, so restrict its permissions and delete it once the upload succeeds.
3. Upload the above created web_certificate.pem.
   a. Go to Admin Settings > Interfaces.
   b. On the Interfaces page, click the overflow icon next to the web interface.
   c. Click Certificate Options.... The Interface Certificate Options wizard is displayed.
   d. Select Upload New Certificate and click Ok. The Upload Certificate dialog box is displayed.
   e. Click Choose Certificate File and upload the above created web_certificate.pem file.
   f. Click Upload Certificate. The web_certificate.pem file is uploaded.
   g. Click Close.
4. Restart the web service.
   a. Go to Admin Settings > Services. The Services page shows the available services.
   b. Scroll down to the web service.
   c. Click Restart next to the web service.
5. Restart the CipherTrust Manager application. Click System Restart at the bottom of the page. The system will be unavailable during restart.
6. Download the caBundle (Local CA in CipherTrust Manager) for your CipherTrust Manager server certificate; it will need to be uploaded to OCI later.
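After the restart, confirm from a client that the web interface really serves the new certificate and that the downloaded caBundle is sufficient to validate it. The following is an added example, not part of the CipherTrust Manager documentation or product: it uses only Python's standard ssl module, trusts nothing but the caBundle file, and checks the three things the procedure set up, namely that the FQDN is in the DNS Names of the subjectAltName, that the issuer is the expected local CA, and that the 365-day validity has not run down. The FQDN, the CA name web-ca, the file name caBundle.pem and the SAMPLE_CERT dictionary (built in the shape getpeercert() returns, mirroring the example subject above) are constructed assumptions.

```python
import socket
import ssl
import time


def fetch_web_certificate(fqdn, ca_bundle, port=443):
    """Connect to the CipherTrust Manager web interface trusting only the
    downloaded local CA bundle (create_default_context with cafile loads no
    system roots) and return the parsed peer certificate. The TLS handshake
    itself fails if the chain does not validate or the host name mismatches."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((fqdn, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
            return tls.getpeercert()


def _rdn_value(name, key):
    """Pull one attribute (e.g. commonName) out of a getpeercert() name tuple."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def evaluate_certificate(cert, fqdn, expected_issuer_cn, now=None, min_days_left=30):
    """Return a list of problems; an empty list means the deployment matches
    the procedure above. `now` is epoch seconds (defaults to the current time)."""
    now = time.time() if now is None else now
    problems = []

    # Host name validation uses the subjectAltName DNS entries, not the CN.
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if fqdn.lower() not in [n.lower() for n in dns_names]:
        problems.append("FQDN %s not in subjectAltName DNS names %s" % (fqdn, dns_names))

    issuer_cn = _rdn_value(cert.get("issuer", ()), "commonName")
    if issuer_cn != expected_issuer_cn:
        problems.append("issued by %r, expected local CA %r" % (issuer_cn, expected_issuer_cn))

    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = (not_after - now) / 86400.0
    if days_left < min_days_left:
        problems.append("certificate expires in %.0f days" % days_left)
    return problems


# Constructed sample in the shape ssl's getpeercert() returns; not captured
# from a real system. Issuer "web-ca" is an assumed local CA name.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("stateOrProvinceName", "TX"),),
                (("localityName", "Austin"),), (("organizationName", "Thales"),),
                (("commonName", "web.ciphertrustmanager.local"),)),
    "issuer": ((("commonName", "web-ca"),),),
    "notBefore": "Jan  3 16:55:12 2022 GMT",
    "notAfter": "Jan  3 16:55:12 2023 GMT",
    "subjectAltName": (("DNS", "web.ciphertrustmanager.local"),),
}


if __name__ == "__main__":
    # Live check (assumed names): cert = fetch_web_certificate("web.ciphertrustmanager.local", "caBundle.pem")
    cert = SAMPLE_CERT
    issues = evaluate_certificate(cert, "web.ciphertrustmanager.local", "web-ca",
                                  now=ssl.cert_time_to_seconds(cert["notBefore"]) + 100 * 86400)
    print("OK" if not issues else "\n".join(issues))
```

Run the live check from a machine that does not already trust the CipherTrust Manager CA through its system store; a handshake error there means the caBundle you downloaded does not chain to the certificate the web service is actually serving, which is exactly what the later OCI upload would also fail on.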