Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Tasks for CAPI

Setting up SSL/TLS on CipherTrust Manager and CADP for C

search

Please Note:

printsuggest an edit

Setting up SSL/TLS on CipherTrust Manager and CADP for C

Note

The CipherTrust Manager comes with pre-configured SSL/TLS settings. However, you can also configure the settings according to your organizational needs.

Standard SSL/TLS communication requires a certificate that identifies the server. This certificate is signed by a certificate authority (CA) known to both the server and the client. During the SSL/TLS handshake, the server certificate is passed to the client. The client uses a copy of the CA certificate to validate the server certificate, thus authenticating the server.

Tip

It is recommended that you increase security only after confirming network connectivity. You should establish a TCP connection before enabling SSL/TLS. Otherwise, an unrelated network connection mistake could interfere with your SSL/TLS setup and complicate the troubleshooting process.

While the CA can be a third-party CA or your corporate CA, you will most likely use a local CA on the CipherTrust Manager appliance. If you are not using a local CA, consult your CA documentation for instructions on signing requests and exporting certificates.

To use an SSL/TLS connection to communicate between the CipherTrust Manager appliance (server) and CADP for C (client), first configure the server and then configure the client. The client will be configured for SSL communication during the CADP for C installation, if you enter SSL as the Key Management Server Protocol to use. If you plan to use an external Certificate Authority (CA) within your environment, then you will need to configure the SSL settings for the client manually. During the CADP for C installation, enter the TCP protocol as the Key Management Server Protocol when prompted. Then after the installation, manually configure the client for SSL settings. Refer to Configuring the Client Manually for more information.

This section covers the following topics:

copy link to clipboardConfiguring the Server

This section describes the procedure to configure SSL/TLS for the CipherTrust Manager.

  1. Create a server certificate. (If you are using a cluster, each member must have its own, unique certificate). Refer to Create a Server Certificate:

  2. Activate the server certificate. Refer to Activating the Server Certificate.

  3. Enable the SSL/TLS connection on the Server. Refer to Enabling the SSL/TLS connection on the Server.

copy link to clipboardCreate a Server Certificate

To create a server certificate, do the following:

  1. Create a Local CA. Refer to Creating a Local CA.

  2. Create a CSR on the console. Refer to Creating a CSR on the Console.

  3. Sign a Certificate Request with a Local CA. Refer to Signing a Certificate Request with a Local CA.

copy link to clipboardCreating a Local CA

To create a local CA:

  1. Log on to the console as an administrator with Certificate Authorities access control.

  2. Click CA.

  3. Under the Local Certificate Authorities section, click New Local CA.

  4. On the New Local CA window, enter the fields as needed.

  5. Click Create Local CA. It is added in the Pending CAs.

  6. From the Pending CAs list, click the local CA that you want to create. A window containing property and value of the CA displays.

  7. You can either self-sign Certificate Signing Request (CSR) or upload a certificate signed by an external CA.

    Note

    For uploading a certificate signed by an external CA, you must have installed the external CA certificate.

    Once the CA is verified, it is listed under the Local Certificate Authorities section.

    In the Local Certificate Authorities list, you can view Subject, Serial#, Activation, Expiration, and State.

    You can also delete, view certificate details, and download the local certificate.

    Note

    Only a local CA can sign certificate requests on CipherTrust Manager appliance. If you are using a CA that does not reside on CipherTrust Manager appliance you cannot use the console to sign certificate requests.

copy link to clipboardCreating a CSR on the Console

To create a certificate signing request (CSR) on the console:

  1. Log on to the console as an administrator with Certificates access control.

  2. Click CA.

  3. Under the CSR Tool section, click Create CSR.

  4. On the Create CSR window, enter the fields as needed (Common Name is mandatory).

  5. Click Create. You'll be prompted with two options: save csr and save private key.

    1. Click save csr to save the CSR in the .pem format.

      Note

      You must save the Private Key to continue.

    2. Click save private key to save the private key in .pem format.

      Note

      For generation of public/private key pairs for server certificates only RSA algorithm is supported.

copy link to clipboardSigning a Certificate Request with a Local CA

To sign a certificate request with a local CA:

  1. Log in to the console as an administrator with Certificates access control.

  2. Navigate to CA > Local Certificate Authorities and click on the local CA from which you want to sign the CSR.

  3. Click Upload and Sign CSR.

  4. Copy the saved CSR in the previous section and paste it on the Upload Externally Generated CSR window. The copied text must include the header (-----BEGIN CERTIFICATE REQUEST-----) and footer (-----END CERTIFICATE REQUEST-----).

  5. From the Certificate Purpose list, select server.

  6. In the Duration in days field, enter the life span of the certificate. Enter minimum 365 days.

  7. Click Issue Certificate.

The newly created certificate is listed under Parent Issuer. This certificate can be used as the server certificate for the NAE Server.

copy link to clipboardActivating the Server Certificate

To activate the server certificate:

  1. Log on to the Management Console as an administrator.

  2. Navigate to Settings > Interfaces.

  3. For NAE interface, click icon in the Action column.

  4. In the Local CA for Automatic Server Certificate Generation field, select Turn off auto generation from a local CA.

    Note

    In the Local CA for Automatic Server Certificate Generation field, if you select any CA then just click Update. It will automatically generate a server certificate and make it active.

  5. Expand Upload Certificate.

  6. In the Certificate text box, paste the server certificate, CA certificate, and key in the PEM format or base64 encoded PKCS#12 format.

    Note

    The list of certificates must be added from server cert to root ca in the ascending order. If there are any intermediate CAs, they can be added. Maintaining this order is important: <server cert> <ca cert> <key>

  7. Select Format.

  8. Click Upload New Certificate and then click Update.

copy link to clipboardEnable the SSL/TLS connection on the Server

To enable the SSL/TLS connection on the server:

  1. Log on to the console as an administrator with Certificate Authorities access control.

  2. Navigate to Settings > Interfaces.

  3. Under Interface Configurations, edit NAE interface and select a TLS option in the Mode field. Available options are:

    1. TLS, allow anonymous logins, ignore client cert

    2. TLS, user must supply password, ignore client cert

    3. TLS, allow anonymous logins, verify client cert

    4. TLS, user must supply password, verify client cert

    5. Verify client cert, username taken from client cert, auth request is optional

    6. Verify client cert, password is needed, username in cert must match username in authentication request

  4. Select the checkbox Allow unregistered clients to enable client's communication with the CipherTrust Manager over the interface, if you are using CipherTrust Manager 2.11 or above.

Tip

Without TLS, any secret or message transmitted to and from the CipherTrust Manager through this interface could be compromised.

copy link to clipboardConfiguring the Client

You can configure the client to use SSL for communication with the CipherTrust Manager using the CADP for C installer. If you plan to use an external CA within your environment, or go for advanced SSL settings then you are required to configure the client manually after basic installation using the installer.

copy link to clipboardConfiguring the Client using Installer

You have the option to configure the CADP for C to use SSL for communication with the CipherTrust Manager during the installation of CADP for C. To do so, be sure to enter SSL as the Key Management Server Protocol and other associated information when prompted during the installation process. The following certificates and keys will be generated and updated in the CADP for C properties files (CADP_CAPI.properties or CADP_PKCS11.properties depending on which CADP for C library you are using in your environment) during the installation:

  • Client certificate

  • Client key (Encrypted by pasphrase)

  • CA certificate

  • Encrypted passphrase

copy link to clipboardConfiguring the Client Manually

The Client can also be configured manually after the installation. During the CADP for C installation process, to perform a basic installation, enter TCP for the Key Management Server Protocol when prompted. After the installation is complete, manually configure the client for the SSL settings.

copy link to clipboardConfiguring the client

  1. Generate a client certificate. Refer to Generating a Client Certificate Request with OpenSSL section.

  2. After creating a certificate request using OpenSSL, you can then sign the request with the local CA on the CipherTrust Manager appliance. Once signed, the certificate request becomes a valid certificate. Refer to Signing a Certificate Request and Downloading the Certificate

    OR

    Consult the CA Documentation for instructions on signing requests and exporting certificates.

    Upload the External CA Certificate on the Server. Refer to Uploading an External CA Certificate on the Server

  3. Update the following parameters in the CADP_PKCS11.properties or CADP_CAPI.properties files (depending on which CADP for C library you are using in your environment) as follows: 

    Protocol=ssl
CA_File=<location and name of the CA certificate>
Cert_File=<location of the client cert>\client.crt
Key_File=<path to client key>\clientkey
Passphrase=<the passphrase used to unlock the client's key file>

    For example:

    CA_File=/root/CipherTrust/CADP_for_C/certs/ca-cert.pem
Cert_File=/root/CipherTrust/CADP_for_C/certs/client-cert.pem
Key_File=/root/CipherTrust/CADP_for_C/certs/client-key.pem

Note

Only absolute file path should be used for the Properties.

copy link to clipboardGenerating a Client Certificate Request with OpenSSL‌‌

To generate a client certificate request:

  1. Open the command window.

  2. If you are using OpenSSL, run the following command:

    openssl.exe req -out clientreq -newkey rsa:2048 -keyout clientkey

    Note

    By default, both the certificate request and private key will be created in the working directory. You can generate them in another directory by including a location in the certificate request and key name.
    For example, to create them in the C:\client_certs directory, use the following command:
    openssl.exe req -out C:\client_certs\clientreq -newkey rsa:2048 - keyout C:\client_certs\clientkey.

    The certificate request generation process will then request the following details:

    • A PEM passphrase to encode the private key: The passphrase that encodes the private key is the first passphrase you provide after issuing the above command. This will be the Passphrase parameter in the CADP_CAPI.propertiesor CADP_PKCS11.propertiesfile.

    • The distinguished name: The distinguished name is a series of fields whose values are incorporated into the certificate request. These fields include country name, state or province name, locality name, organization name, organizational unit name, common name, and email address.

    • A challenge password: This challenge password is NOT used in the CipherTrust Manager environment.

    • An optional company name.

copy link to clipboardSigning a Certificate Request and Downloading the Certificate‌‌

This section describes how to sign a certificate request with a local CA and then download the certificate.

Note

You must download the certificate immediately after it is signed by the CA.

Signing a Certificate Request

To sign a certificate request with a local CA:

  1. Log on to the console as an administrator with Certificate Authorities access controls.

  2. Navigate to CA > Local Certificate Authorities and click the local CA by which you want to sign the CSR.

  3. Click Upload and Sign CSR.

  4. Copy the CSR and paste it on the Upload Externally Generated CSR window. The copied text must include the header (-----BEGIN CERTIFICATE REQUEST-----) and footer (-----END CERTIFICATE REQUEST-----).

  5. From the Certificate Purpose list, select client.

  6. In the Duration in days field, enter the life span of the certificate. Enter minimum 365 days.

  7. Click Issue Certificate. The newly created certificate is listed under Parent Issuer.

  8. Click the image button to save the certificate on your local machine.

    Note

    You should place the certificate in a secure location and modify access appropriately.

Download a local CA certificate

To download a local CA certificate from CipherTrust Manager appliance:

  1. Log in to the console as an administrator with Certificate Authorities access controls.

  2. Navigate to CA > Local Certificate Authorities and click the download button to download a local CA. You should place the CA certificate in a secure location and modify access appropriately.

copy link to clipboardUploading an External CA Certificate on the Server

Since the client certificate was signed by an external CA, you must upload the CA certificate on the CipherTrust Manager appliance.

To upload a CA certificate:

  1. Log in to the console as an administrator with Certificate Authorities access controls.

  2. Navigate to CA > External Certificate Authorities.

  3. In the Upload External Certificate text box, paste all text from the certificate, including header and footer.

  4. Click upload.

    Note

    Both the server and client certificates should be signed by the same CA to make SSL/TLS work.

The SSL/TLS configuration is now complete on both the server and the client. The server is now ready to communicate with the client.

On this page