Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

CTE Agent Linux and Windows Quick Start Guide

Using and Renewing Certificates

search

Please Note:

printsuggest an editpdf paneldownload

Using and Renewing Certificates

Certificates are used to verify the identity of a remote peer when agents communicate with CipherTrust Manager. CipherTrust Transparent Encryption and CipherTrust Manager can use internally generated or externally generated certificates.

copy link to clipboardAutomatic Renewal of Client Certificates

The default lifespan of these certificates is set in CipherTrust Manager in the Registration Token section. For the automatic agent certificate renewal process to work, you must have current (not expired) and valid client certificates installed.

The system automatically renews any certificate that is 60 days or closer to expiration. VMD extracts the expiration date from the existing certificate *.pem files. If the current date is later than this renewal date, then the renewal date is the current day.

Note

  • The renewal process is transparent and requires no intervention by the administrator. If multiple client agents require renewal at the same time, the clients stagger the renewal process to avoid network congestion. This staggering could introduce a delay of up to 48 hours in the renewal process.

  • Certificate renewal will cause VMD to restart. When an agent restarts, or a certificate is renewed, the agent sends a system notification and a log entry.

copy link to clipboardUpdating Client Certificates

You must regenerate client certificates when you:

  • Configure an agent to access a new initial CipherTrust Manager

  • When CipherTrust Manager updates its certificates

  • Delete and reinstall agent software

  • Regenerate the CA signer certificate of CipherTrust Manager

Since you are updating client certificates, the client already has certificates and the client is already registered with the initial CipherTrust Manager. The certificates on the local client will be deleted and regenerated automatically. However, you must unregister the client on the CipherTrust Manager before proceeding.

  • If you are upgrading agent certificates with the same CipherTrust Manager, there is no need to disable GuardPoints.

  • If you are upgrading the agent certificates with a different CipherTrust Manager, disable all configured GuardPoints for the client before proceeding. After certificate upgrade completes, assign the GuardPoints from the new CipherTrust Manager.

To update client certificates:

  1. Unenroll the client

  2. Install and Register the new Agent

copy link to clipboardValidating Certificates with a Local CA Certificate

Note

This feature is not compatible when using CipherTrust Transparent Encryption with CipherTrust Data Security Platform Services (CDSPaaS).

Ensure that registration by the CTE agent is serviced only by the expected key manager by providing a copy of the CA certificate that will be used to authenticate the TLS communications with the key manager.

copy link to clipboardReplacing Certificates

Note

This feature is not compatible when using CipherTrust Transparent Encryption with CipherTrust Data Security Platform Services (CDSPaaS).

When replacing CA certificates which have signed CTE clients, see Certificate Renewals for the proper process.

copy link to clipboardExternal CA Certificates

Note

This feature is not compatible when using CipherTrust Transparent Encryption with CipherTrust Data Security Platform Services (CDSPaaS).

External certificates are used for communication between CTE and CM. Install the external certificate before registering CipherTrust Transparent Encryption with CipherTrust Manager.

On this page