Validating CM and CTE with a Local CA Certificate
To ensure that the CTE agent registers only with the expected key manager, you can provide a copy of the root CA certificate during the registration process. The agent uses this certificate to authenticate the TLS communications with the key manager.
You can download the CA certificate only when you are a root user in the root domain. Downloading the certificate from a subdomain does not work.
Prerequisite
Make sure that you have previously created the client in CipherTrust Manager.
Using a Local CA Certificate
- Extract the root CA certificate from the CipherTrust Manager.
  - Log on to CipherTrust Manager as an administrator.
  - In the left navigation pane, click CA > Local. The list of available CAs displays.
  - Click the ellipsis icon corresponding to the CA.
  - Click Download to download the CA.
  - Copy the certificate to a directory on the agent system.
- To install the root CA certificate into the CTE client, add it to the registration command line. You must have administrator privilege to complete this step. Enclose the path to register_host.exe in quotation marks because it contains a space.
    C:\Windows\system32> "C:\Program Files\Vormetric\DataSecurityExpert\agent\shared\bin\register_host.exe" -silent -log=<Path-to-log-file> -vmd <Hostname-or-IP-of-CM> -agent=<Hostname-or-IP-of-agent> -token=<CM registration token> -cafile=<Path-to-root-ca-cert>
  Example:
    "C:\Program Files\Vormetric\DataSecurityExpert\agent\shared\bin\register_host.exe" -silent -log=c:\vte_reg_log.txt -vmd 10.171.36.175 -agent=ani-vm-217-35190.sjcicd.com -token=mMEz3Y6Ob9D4L7QuvK5SOmhulRm8DYI8odV5j3OdvuHqk6LhZqE0FeIZHILYTmDiE9 -cafile=C:\tmp\Austin175.pem
- Confirm in CipherTrust Manager that the client is registered and healthy.
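The file passed to -cafile becomes the agent's trust anchor for the key manager, so it is worth checking the copy on the agent system before registering. The following PowerShell script is an added example, not part of the product or its documentation: it checks the certificate and then runs the registration command with the flags shown above. The script's parameter names are hypothetical, and it assumes the CipherTrust Manager administrator has given you the CA's SHA-256 fingerprint over a separate channel.

```powershell
# Added example: check the downloaded CA file, then register with it.
param(
    [Parameter(Mandatory)] [string] $CaFile,          # e.g. C:\tmp\Austin175.pem
    [Parameter(Mandatory)] [string] $ExpectedSha256,  # assumption: obtained out of band from the CM administrator
    [Parameter(Mandatory)] [string] $CmHost,          # hostname or IP of CipherTrust Manager
    [Parameter(Mandatory)] [string] $AgentHost,       # hostname or IP of this agent
    [Parameter(Mandatory)] [string] $Token,           # CM registration token
    [string] $LogFile = 'C:\vte_reg_log.txt'
)
$ErrorActionPreference = 'Stop'

# Loads DER or PEM; for a PEM bundle only the first certificate is read.
$path = (Resolve-Path $CaFile).Path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)

# SHA-256 over the DER encoding, i.e. the certificate fingerprint.
$sha      = [System.Security.Cryptography.SHA256]::Create()
$actual   = [System.BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-', ''
$expected = ($ExpectedSha256 -replace '[:\s-]', '').ToUpperInvariant()

$problems = @()
if ($actual -ne $expected) { $problems += "fingerprint mismatch: file has $actual" }
# Name comparison only; it does not verify the self-signature.
if ($cert.Subject -ne $cert.Issuer) { $problems += "subject and issuer differ (issuer: $($cert.Issuer)); expected a root CA" }
$bc = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) { $problems += 'basicConstraints does not mark this certificate as a CA' }
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    $problems += "outside validity period ($($cert.NotBefore) to $($cert.NotAfter))"
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning "CA check failed: $_" }
    exit 1   # do not register against an unverified trust anchor
}

# Same flags as the registration command on this page; the call operator
# handles the space in "Program Files".
$exe = 'C:\Program Files\Vormetric\DataSecurityExpert\agent\shared\bin\register_host.exe'
& $exe -silent "-log=$LogFile" -vmd $CmHost "-agent=$AgentHost" "-token=$Token" "-cafile=$path"
exit $LASTEXITCODE   # pass through whatever exit code the tool returned
```

Run it from an elevated PowerShell session, since the registration step requires administrator privilege.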