Client Certificate Renewal in Linux/Windows
Note
• MS Cert store is not supported.
• The NAE_IP parameter must be same in both the configuration files for client certificate renewal.
• Supported with CipherTrust Manager 2.15.0 and above.
This section provides information on how client certificate renewal is implemented in CADP for C (Linux/Windows).
Utility for Certificate Renewal
While installing CADP for C, if you chose to proceed with a registration token, the installer internally calls the 'cadp_for_basic' utility with that registration token to register the client.
The utility returns one of the following statuses:
Success:
Linux - An entry (job) for client certificate renewal is added to the crontab.
Windows - An entry (job) for client certificate renewal is added to the Windows Task Scheduler.
Failed: Check the 'cadp_c_basic.log' file for the reason.
The cadp_for_basic utility can be called in the following ways:
Manually
To call the utility manually, execute the following command:
cadp_for_basic -d <CADP_For_C Installation Path> --renew_cert --force_update
Auto
A scheduler for certificate renewal is automatically added to:
Crontab (Linux)
Windows Task Scheduler (Windows) - A task named CipherTrust\CADP_for_C\Cert_Expiry_Check_n_Update is added to the Windows Task Scheduler.
This scheduler will run daily at 12:00 p.m. (as per Client system timezone). If the certificates are due for renewal, the utilities present in the installed directory will update the certificates automatically.
cadp_for_basic -d <CADP_For_C Installation Path> --renew_cert
where,
renew_cert: a flag that checks the certificate expiry time:
If the remaining time (x) is less than or equal to 60 days, that is 0 < x <= 60 days, the certificates are renewed and the notification log 'Your certificates are auto renewed successfully' is written to the cadp_c_basic.log file.
If the remaining time (x) is between 90 and 60 days, that is 60 <= x <= 90, the notification log 'Your certificates are going to be renewed in next <x> days' is written to the cadp_c_basic.log file.
If the remaining time is more than 90 days, the utility does not perform any operation.
If the certificates have already expired, the notification log 'Certificate has expired already' is written to the cadp_c_basic.log file.
force_update: If this flag is given along with --renew_cert, the utility does not check the remaining time until certificate expiration; it forcefully renews the certificates at that instant and writes the notification log 'Your certificates are renewed successfully' to the cadp_c_basic.log file.
This utility also provides a feature to return the number of days remaining for certificate expiration by executing the following command:
Example
cadp_for_c_basic -d <CADP_For_C Installation Path> --checkCertExpiry
Output:
Client Cert Expiration Days Remaining: <x>
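The following is an added example (it is not part of the CADP for C product or its documentation) that shows how a monitoring job can consume the --checkCertExpiry output described above and apply the same day thresholds the --renew_cert flag uses. It parses the 'Client Cert Expiration Days Remaining: <x>' line, maps x to the action the renewal scheduler would take, and returns a non-zero exit status for the expired and renew states so an operator can be alerted independently of the daily 12:00 p.m. task. The binary name, its location inside the installation directory, and the treatment of exactly 60 days as "renew" (the page's two ranges both include 60) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not product code: wrap the --checkCertExpiry output and
# classify it with the renew_cert thresholds (0 < x <= 60 renew, 60 < x <= 90 notify,
# x > 90 no action, x <= 0 expired). Treating 60 as "renew" is an assumption.

# Extract <x> from "Client Cert Expiration Days Remaining: <x>".
# Prints the integer (may be negative for an expired cert) or returns 1 if absent.
parse_days_remaining() {
    days=$(printf '%s\n' "$1" \
        | sed -n 's/^Client Cert Expiration Days Remaining: *\(-\{0,1\}[0-9][0-9]*\) *$/\1/p' \
        | head -n 1)
    [ -n "$days" ] || return 1
    printf '%s\n' "$days"
}

# Map days remaining to the action the scheduled --renew_cert run would take.
classify_days() {
    x="$1"
    if [ "$x" -le 0 ]; then
        echo expired
    elif [ "$x" -le 60 ]; then
        echo renew        # within the auto-renewal window
    elif [ "$x" -le 90 ]; then
        echo notify       # "going to be renewed in next <x> days" window
    else
        echo none         # more than 90 days left: utility does nothing
    fi
}

# Run the utility (path and binary name assumed), classify the result, and
# return 1 for expired/renew so a cron job can page someone before the daily task.
# Usage: check_client_cert "/opt/CipherTrust/CADP_for_C/"
check_client_cert() {
    install_dir="${1:-/opt/CipherTrust/CADP_for_C/}"
    bin="${CADP_CHECK_BIN:-${install_dir}cadp_for_c_basic}"   # assumed location
    output=$("$bin" -d "$install_dir" --checkCertExpiry 2>/dev/null) || return 2
    days=$(parse_days_remaining "$output") || return 2
    state=$(classify_days "$days")
    echo "days_remaining=$days state=$state"
    case "$state" in
        expired|renew) return 1 ;;
        *) return 0 ;;
    esac
}

# Stand-alone demonstration on a constructed output line (no product binary needed).
sample='Client Cert Expiration Days Remaining: 45'   # constructed sample output
demo_days=$(parse_days_remaining "$sample")
echo "sample: days=$demo_days action=$(classify_days "$demo_days")"
```

Exit status 2 from check_client_cert means the utility could not be run or its output was not understood, which is worth alerting on separately: a silently failing checker is exactly how an expired client certificate goes unnoticed until connections to CipherTrust Manager start failing.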
Sample Commands
Linux
To fetch the number of days remaining for certificate expiration:
cadp_for_c_basic -d "/opt/CipherTrust/CADP_for_C/" --checkCertExpiry
To force renew the certificates:
cadp_for_c_basic -d "/opt/CipherTrust/CADP_for_C/" --renew_cert --force_update
Windows
To fetch the number of days remaining for certificate expiration:
cadp_for_c_basic.exe -d "C:\Program Files\CipherTrust\CADP_for_C\\" --checkCertExpiry
To force renew the certificates:
cadp_for_basic.exe -d "C:\Program Files\CipherTrust\CADP_for_C\\" --renew_cert --force_update