Setting up SSL with CipherTrust Manager
Standard SSL communication requires a certificate that identifies the server. This certificate is signed by a certificate authority (CA) known to both the server and the client. During the SSL handshake, the server certificate is passed to the client. The client uses a copy of the CA certificate to validate the server certificate, thus authenticating the server.
While the CA can be a third-party CA or your corporate CA, you will most likely use a local CA on the CipherTrust Manager. If you are not using a local CA, consult your CA documentation for instructions on signing requests and exporting certificates.
Note
It is recommended that you increase security only after confirming network connectivity. You should establish a TCP connection before enabling SSL. Otherwise, an unrelated network connection mistake could interfere with your SSL setup and complicate the troubleshooting process.
Authenticating Server Certificate
To use an SSL connection when communicating with the CipherTrust Manager appliance, configure the server and the client.
To configure the server:
Create a server certificate. To create a server certificate, follow these steps: Creating a Local CA, Creating a CSR on the CipherTrust Manager, and Signing a Certificate Request with a Local CA (see the sections of those names below).
Activate the server certificate. (See Activating the Server Certificate.)
Enable the SSL connection:
Log on to the CipherTrust Manager as an administrator.
Navigate to Admin Settings > Interface.
Under Interface Configurations, edit the nae interface and select any TLS option in the Mode field.
Without TLS, any secret or message transmitted to and from the CipherTrust Manager through this interface could be compromised. Restart the CipherTrust Manager for these configuration changes to take effect.
To configure the client, you must:
Place a copy of the CA certificate on your client. (See Downloading and Placing a Local CA Certificate.)
Update the CADP.NETCore_Properties.xml file as follows:
<Protocol>ssl</Protocol>
Creating a Local CA
To create a local CA:
Log on to the CipherTrust Manager as an administrator.
Click CA.
Under the Local section, click Add Local CA.
Specify the required details.
Click Add Local CA.
The newly created CA is added to the Pending CAs list.
From the Pending CAs list, click the local CA that you want to create.
A window displays the properties and values of the CA.
You can either self-sign the Certificate Signing Request (CSR) or upload a certificate signed by an external CA.
Note
To upload a certificate signed by an external CA, you must first have installed that external CA's certificate.
Once the CA is verified, it is listed under the Local Certificate Authorities section.
In the Local Certificate Authorities list, you can view Subject, Serial#, Activation, Expiration, and State.
You can also delete a local CA, view its certificate details, or download its certificate.
Note
Only a local CA can sign certificate requests on the CipherTrust Manager appliance. If you are using a CA that does not reside on the CipherTrust Manager appliance you cannot use the Management Console to sign certificate requests.
Creating a CSR on the CipherTrust Manager
To create a certificate signing request on the CipherTrust Manager:
Log on to the CipherTrust Manager as an administrator.
Click CA.
Under the CSR Generator section, click Generate CSR.
Enter the fields as needed (Common Name is mandatory).
Click Generate CSR and download Private Key. The private key is downloaded automatically; then scroll down and click Download CSR.
Signing a Certificate Request with a Local CA
To sign a certificate request with a local CA:
Log in to the CipherTrust Manager as an administrator.
Navigate to CA > Local Authorities and click on the local CA from which you want to sign the CSR.
Click Upload CSR.
Copy the CSR saved in the previous section and paste it into the Upload Externally Generated CSR window. The copied text must include the header (-----BEGIN CERTIFICATE REQUEST-----) and footer (-----END CERTIFICATE REQUEST-----).
From the Certificate Purpose list, select server.
In the Duration in days field, enter the life span of the certificate. Default value is set to 365 days.
Click Issue Certificate.
The newly created certificate is listed under Parent Issuer. This certificate can be used as the server certificate for the NAE Server.
Activating the Server Certificate
To activate the server certificate:
Log on to the CipherTrust Manager as an administrator.
Navigate to Admin Settings > Interfaces.
For the nae interface, click the ellipsis icon (...) in the Action column and select the Edit option.
In the Local CA for Automatic Server Certificate Generation field, select Turn off auto generation from a local CA.
Note
In the Local CA for Automatic Server Certificate Generation field, if you select a CA and click Update, a server certificate is generated automatically and made active.
Under Local Trusted CA, select the required CA from the drop-down list and click the Add (+) icon.
Click Update.
Navigate to Admin Settings > Interfaces. For the nae interface, click the ellipsis icon (...) in the Action column and select the Upload/Generate New Certificate option.
In the Certificate text box, paste the server certificate, CA certificate, and Key in the PEM format or base64 encoded PKCS12 format.
Note
The certificates must be listed in order from the server certificate up to the root CA. If there are any intermediate CAs, they can be added between the two, in the same order. The key can be placed anywhere in the text. Maintaining this order is important:
<server cert> <ca cert> <key>
Select Format.
Click Upload New Certificate and then click Update. Restart the application after uploading the certificate.
Downloading and Placing a Local CA Certificate
To download a local CA certificate from the CipherTrust Manager appliance:
Log on to the CipherTrust Manager as an administrator.
Navigate to CA > Local, click the ellipsis icon, and select Download to download a local CA certificate. Store the CA certificate in a secure location and restrict access to it appropriately.
Update the following parameters in your CADP.NETCore_Properties.xml file:
<Protocol>ssl</Protocol>
<SSL>
<Host>...</Host>
...
...
</SSL>
Note
The email address provided in the server certificate cannot be passed in the Host entry.
The Host field supports one value only. If you have multiple server certificates associated with multiple NAE IPs, they must all have the same Common Name or SAN value. The value of the Host tag is required for server authentication and is mandatory for making the SSL connection. It contains the Common Name or Subject Alternative Name of the server certificate on the NAE Server. Whenever you update the properties file, you must restart the application for the changes to take effect.
You can provide the CA certificate in the following ways:
a. Place the CA certificate in the trusted store.
Location on Linux: /etc/pki/ca-trust/source/anchors/
Location on Windows: Microsoft Cert Store > Local Computer > Trusted Root Certification Authorities > Certificates
Location on Ubuntu: /usr/local/share/ca-certificates/
Update the CA certificate for your platform. For example, if the platform is Ubuntu, run the following commands:
cp MyCA.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
Note
Steps to update the CA certificate will vary for different platforms.
b. Provide the path of the CA certificate in the CA_File property.
Place a copy of the CA certificate on your client and update the CADP.NETCore_Properties.xml file as follows:
<Protocol>ssl</Protocol>
<CA_File Tier="1"><Path of the Certificate Authority File></CA_File>
Authenticating Client Certificate on the CipherTrust Manager
This SSL configuration requires that both the server and the client provide certificates. Each certificate is signed by a trusted CA known to both the server and the client. Most likely, you will use one CA to sign both the certificates. During the SSL handshake, the certificates are exchanged. Both the client and the server use the CA certificate to validate one another’s certificate, thus authenticating the other party.
To enable client certificate authentication, you must first successfully configure SSL. Then, you must make additional configuration changes to the client and the server.
It is recommended that you increase security only after confirming network connectivity. You should establish an SSL connection before enabling client certificate authentication. Otherwise, an SSL configuration mistake could interfere with your client certificate authentication setup and complicate the troubleshooting process.
To configure the client:
Create a client certificate.
This may involve the following steps:
Signing a Certificate Request and Downloading the Certificate
Specifying the Signed Client Certificate Request in the PFX Format
You can create a certificate request using OpenSSL. You can then sign the request with the local CA on the CipherTrust Manager appliance. Once signed, the certificate request becomes a valid certificate.
If you are not using a local CA, consult your CA documentation for instructions on signing requests and exporting certificates.
Update the CADP.NETCore_Properties.xml file as follows:
<ClientCert Location ='File'></ClientCert>
<Passphrase></Passphrase>
Note
The client certificate must be in .PFX format. The passphrase can't be blank in client authentication.
Whenever you update the properties file, you must restart the application for the changes to take effect.
To configure the server, you must upload a CA certificate on the server. (See Uploading an External CA Certificate on the Server.)
Generating a Client Certificate Request with OpenSSL
To generate a client certificate request:
Open the command window.
If you are using OpenSSL, run the following command:
openssl req -out clientreq -newkey rsa:2048 -keyout clientkey
Note
By default, both the certificate request and the private key are created in the working directory. You can generate them in another directory by including a location in the request and key names. For example, to create them in the C:\client_certs directory, use the following command:
openssl req -out C:\client_certs\clientreq -newkey rsa:2048 -keyout C:\client_certs\clientkey
The key generation process will then request the following data:
A PEM passphrase to encrypt the private key
The passphrase that encrypts the private key is the first passphrase you provide after issuing the command above.
The distinguished name
The distinguished name is a series of fields whose values are incorporated into the certificate request. These fields include country name, state or province name, locality name, organization name, organizational unit name, common name, and email address.
A challenge password
This challenge password is NOT used in the CipherTrust Manager environment.
An optional company name
Signing a Certificate Request and Downloading the Certificate
This section describes how to sign a certificate request with a local CA and then download the certificate. You must download the certificate immediately after it is signed by the CA.
To sign a certificate request with a local CA:
Log on to the Management Console as an administrator.
Navigate to CA > Local and click the local CA with which you want to sign the CSR.
Click Upload CSR.
Copy the CSR and paste it on the Upload Externally Generated CSR window. The copied text must include the header (-----BEGIN CERTIFICATE REQUEST-----) and footer (-----END CERTIFICATE REQUEST-----).
From the Certificate Purpose list, select client.
In the Duration in days field, enter the life span of the certificate. Enter at least 365 days.
Click Issue Certificate.
The newly created certificate is listed under Parent Issuer.
Click the download button to save the certificate on your local machine.
Note
You should place the certificate in a secure location and modify access appropriately.
Update the following parameters in the CADP.NETCore_Properties.xml file:
<ClientCert Location='File'>Path to client cert</ClientCert>
<Passphrase>the passphrase used to unlock the client certificate in pfx format</Passphrase>
Note
Whenever you update the properties file, you must restart the application for the changes to take effect. Use the ClientCert parameter in the CADP.NETCore_Properties.xml file to indicate the name and location of the client certificate.
Specifying the Signed Client Certificate Request in the PFX Format
For client certificate authentication, the certificate can be provided in the PFX format. Run the following command:
openssl pkcs12 -export -out clientcred.pfx -inkey clientkey -in signed.pem
where clientcred.pfx is the name of the PFX file to be generated. The command prompts for an export password while creating the PFX file. This export password is used as the Passphrase parameter in the CADP.NETCore_Properties.xml file.
Note
The export password must not be blank.
If client certificate authentication is to be done using MSCertStore, the PFX file must be imported into the Personal store of the Local Machine, which is accessible only to Admin users. In this case, only the client certificate property in the properties file needs to be set; there is no need to set a passphrase. For example:
<ClientCert Location ='MSCertStore'>ed 16 e0 50 78 7a 0b fb d5 bb 68 19 4c 07 a1 b3 64 5d 9d 1b</ClientCert>
If the client certificate resides in the file system (for all platforms), the PFX file path must be specified in the properties file along with the export password used while creating the PFX. For example:
<ClientCert Location ='File'>C:\DotNetCore\Certificates\clientcred.pfx</ClientCert>
<Passphrase>xyz</Passphrase>
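The rules given above for the Protocol, Host, ClientCert and Passphrase entries (Host mandatory and single-valued, no email address in Host, a .PFX client certificate with a non-blank passphrase, a thumbprint and no passphrase for MSCertStore) can be checked before the application is restarted. The following checker is an added example, not part of CADP.NETCore; it assumes the properties file is well-formed XML with a root element named CADP, and searches by tag name so the root name is not relied on.

```python
# Added example, not part of CADP.NETCore: lint the SSL settings of
# CADP.NETCore_Properties.xml against the rules in this guide. Root element
# name (assumed to be CADP) does not matter: every lookup uses ".//".
import re
import xml.etree.ElementTree as ET

def _text(root, tag):
    """Stripped text of the first <tag> element, or None if it is absent."""
    el = root.find(f".//{tag}")
    return (el.text or "").strip() if el is not None else None

def lint_properties(xml_text):
    """Return the list of rule violations; an empty list means the SSL section is consistent."""
    root = ET.fromstring(xml_text)
    if _text(root, "Protocol") != "ssl":
        return ["Protocol must be 'ssl': without TLS the NAE traffic is exposed"]
    problems = []
    host = _text(root, "Host")
    if not host:
        problems.append("SSL/Host is mandatory: the server certificate's Common Name or SAN")
    elif "@" in host:
        problems.append("Host must not be the email address from the server certificate")
    elif re.search(r"[\s,;]", host):
        problems.append("Host supports one value only")
    cert = root.find(".//ClientCert")
    if cert is not None:  # client certificate authentication is configured
        location = cert.get("Location", "")
        value = (cert.text or "").strip()
        passphrase = _text(root, "Passphrase") or ""
        if location == "File":
            if not value.lower().endswith(".pfx"):
                problems.append("ClientCert must point to a .PFX file")
            if not passphrase:
                problems.append("Passphrase can't be blank for a file-based client certificate")
        elif location == "MSCertStore":
            # Value is the SHA-1 thumbprint (20 bytes, spaces optional) of the cert in the store.
            if not re.fullmatch(r"[0-9a-fA-F]{40}", re.sub(r"\s", "", value)):
                problems.append("ClientCert for MSCertStore must be the certificate thumbprint")
            if passphrase:
                problems.append("Passphrase is not used with MSCertStore")
        else:
            problems.append(f"unknown ClientCert Location {location!r}")
    return problems

# Constructed sample: file-based client certificate with every rule satisfied.
GOOD = """<CADP><Protocol>ssl</Protocol><SSL><Host>nae.example.com</Host><CA_File Tier="1">/opt/cadp/LocalCA.crt</CA_File>
<ClientCert Location ='File'>/opt/cadp/clientcred.pfx</ClientCert><Passphrase>xyz</Passphrase></SSL></CADP>"""
# Constructed sample breaking three rules: email in Host, PEM instead of PFX, blank passphrase.
BAD = """<CADP><Protocol>ssl</Protocol><SSL><Host>admin@example.com</Host>
<ClientCert Location ='File'>/opt/cadp/clientcred.pem</ClientCert><Passphrase></Passphrase></SSL></CADP>"""
```

Run `lint_properties` over the real file before restarting the application; an empty list means the entries satisfy the rules above, although it cannot confirm that Host actually matches the deployed server certificate.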
Uploading an External CA Certificate on the Server
If the client certificate was signed by an external CA, you must upload the CA certificate on the CipherTrust Manager appliance. To upload a CA certificate:
Log on to the CipherTrust Manager as an administrator.
Navigate to CA > External.
In the Add External Certificate text box, paste all text from the certificate, including header and footer.
Click Upload.
Note
Both the server and client certificates should be signed by the same CA to make SSL work.