Using and Renewing Certificates
Certificates are used to verify the identity of a remote peer when agents communicate with CipherTrust Manager. CipherTrust Transparent Encryption and CipherTrust Manager can use internally generated or externally generated certificates.
Automatic Renewal of Client Certificates
The default lifespan of these certificates is set in CipherTrust Manager in the Registration Token section. For the automatic agent certificate renewal process to work, you must have current (not expired) and valid client certificates installed.
The system automatically renews any certificate that is 60 days or closer to expiration. VMD reads the expiration date from the existing certificate *.pem files and sets the renewal date to 60 days before that expiration. If the current date is already later than that renewal date, the renewal date becomes the current day.
Note
- The renewal process is transparent and requires no intervention by the administrator. If multiple client agents require renewal at the same time, the clients stagger the renewal process to avoid network congestion. This staggering can delay renewal by up to 48 hours.
- Certificate renewal causes VMD to restart. When an agent restarts or a certificate is renewed, the agent sends a system notification and writes a log entry.
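The following is an added example and not part of the CipherTrust documentation or product code. It is a pre-flight script that applies the renewal rule above to a set of agent certificate files: it takes the notAfter line that `openssl x509 -enddate -noout -in <file>` prints (the same expiration date VMD reads from the *.pem), computes the renewal date (expiration minus 60 days, or today if that has already passed), models the up-to-48-hour stagger, and flags expired certificates, which auto-renewal cannot handle and which must be regenerated manually. The file names, the pinned "now" and the notAfter values are constructed for the example; the script does not reproduce VMD's own scheduling code or file paths.

```python
"""Pre-flight check of CTE client certificates against the auto-renewal rule.

Added example, not CipherTrust code. Rule as documented: VMD reads the
expiration date from each agent *.pem, schedules renewal 60 days before
it (or today if that date is already past), and may stagger the actual
renewal by up to 48 hours. Expired certificates are outside the rule:
auto-renewal needs a current, valid certificate, so they are flagged
for manual regeneration.
"""
import random
import subprocess
from datetime import datetime, timedelta, timezone

RENEWAL_WINDOW = timedelta(days=60)   # renew when 60 days or closer to expiry
MAX_STAGGER = timedelta(hours=48)     # worst-case delay from client staggering


def parse_openssl_enddate(line: str) -> datetime:
    """Parse the line `openssl x509 -enddate -noout -in <file>` prints,
    e.g. 'notAfter=Jun  6 01:02:03 2026 GMT'. openssl reports GMT, so the
    result is a timezone-aware UTC datetime."""
    key, _, value = line.strip().partition("=")
    if key != "notAfter":
        raise ValueError(f"unexpected openssl output: {line!r}")
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def enddate_from_pem(path: str) -> datetime:
    """Read notAfter from a PEM on disk the same way an admin would by hand."""
    out = subprocess.run(
        ["openssl", "x509", "-enddate", "-noout", "-in", path],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_openssl_enddate(out)


def random_stagger(rng=random) -> timedelta:
    """Model the client-side stagger: a delay of up to 48 hours."""
    return timedelta(seconds=rng.uniform(0, MAX_STAGGER.total_seconds()))


def renewal_plan(not_after: datetime, now: datetime,
                 stagger: timedelta = timedelta(0)) -> dict:
    """Classify one certificate under the documented rule.

    status 'expired'  : now >= notAfter; auto-renewal cannot run, regenerate by hand
    status 'renew'    : inside the 60-day window; renewal date is today (+ stagger)
    status 'scheduled': renewal date is notAfter - 60 days (+ stagger)
    """
    if now >= not_after:
        return {"status": "expired", "renew_on": None, "days_left": 0}
    renewal_date = not_after - RENEWAL_WINDOW
    if now >= renewal_date:            # "60 days or closer": renew now
        renewal_date, status = now, "renew"
    else:
        status = "scheduled"
    return {"status": status,
            "renew_on": renewal_date + stagger,
            "days_left": (not_after - now).days}


def check_agent_certs(enddates: dict, now: datetime,
                      stagger: timedelta = timedelta(0)) -> dict:
    """Map file name -> renewal plan for a set of 'notAfter=...' lines."""
    return {name: renewal_plan(parse_openssl_enddate(line), now, stagger)
            for name, line in enddates.items()}


# Constructed sample: what `openssl x509 -enddate -noout` would print for three
# hypothetical agent PEMs. Neither the file names nor the dates come from a real
# deployment; NOW is pinned so the result is reproducible.
SAMPLE_ENDDATES = {
    "client_a.pem": "notAfter=Dec  1 00:00:00 2026 GMT",   # 275 days out
    "client_b.pem": "notAfter=Apr 10 00:00:00 2026 GMT",   # 40 days out
    "client_c.pem": "notAfter=Feb 15 00:00:00 2026 GMT",   # already expired
}
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)
REPORT = check_agent_certs(SAMPLE_ENDDATES, NOW)

if __name__ == "__main__":
    for name, plan in REPORT.items():
        when = plan["renew_on"].date() if plan["renew_on"] else "manual regeneration required"
        print(f"{name}: {plan['status']:9} days_left={plan['days_left']:3} renew_on={when}")
```

Running the script prints one line per certificate; `enddate_from_pem` shells out to openssl for real files, while the sample report is built from the constructed lines so the script runs without any certificates present. A certificate reported as expired will not be picked up by VMD's automatic renewal and has to go through the manual update procedure described in the next section.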
Updating Client Certificates
You must regenerate client certificates when:
- You configure an agent to access a new initial CipherTrust Manager
- CipherTrust Manager updates its certificates
- You delete and reinstall the agent software
- You regenerate the CA signer certificate of CipherTrust Manager
Because you are updating client certificates, the client already has certificates and is already registered with the initial CipherTrust Manager. The certificates on the local client are deleted and regenerated automatically. However, you must unregister the client on CipherTrust Manager before proceeding.
- If you are updating agent certificates with the same CipherTrust Manager, you do not need to disable GuardPoints.
- If you are updating agent certificates with a different CipherTrust Manager, disable all configured GuardPoints for the client before proceeding. After the certificate update completes, assign the GuardPoints from the new CipherTrust Manager.
To update client certificates:
Validating Certificates with a Local CA Certificate
Note
This feature is not compatible when using CipherTrust Transparent Encryption with CipherTrust Data Security Platform Services (CDSPaaS).
Ensure that registration of the CTE agent is serviced only by the expected key manager by providing a local copy of the CA certificate that is used to authenticate the TLS communications with the key manager.
Replacing Certificates
Note
This feature is not compatible when using CipherTrust Transparent Encryption with CipherTrust Data Security Platform Services (CDSPaaS).
When replacing CA certificates that have signed CTE clients, see Certificate Renewals for the proper process.
External CA Certificates
Note
This feature is not compatible when using CipherTrust Transparent Encryption with CipherTrust Data Security Platform Services (CDSPaaS).
External certificates are used for communication between CipherTrust Transparent Encryption (CTE) and CipherTrust Manager (CM). Install the external certificate before registering CipherTrust Transparent Encryption with CipherTrust Manager.