Workflow

This list describes the workflow.

  1. Using the Manager UI or API, an administrator creates a private account with the vault provisioner role.
  2. The administrator assigns the private account a temporary user name and password. At this stage the administrator can change the account password, but cannot assign any other authentication credentials to the account.
  3. The administrator hands the application administrator, out of band, the temporary user name and password together with the Manager ca-cert, the private account ID, and the template IDs for the vault and, if applicable, the mirror.
  4. Separately, the application administrator generates an RSA private key and a CSR that carries a unique Subject DN. The exact value of the Subject DN does not matter, but it must not collide with the Subject DN of any other PKI user or of any device. Only the CSR is sent to the Manager; the private key stays with the application.
  5. On receipt of the temporary user name and password, the application administrator uses these credentials to register the CSR with the Manager by calling the Register Client Certificate REST API method.
    Note:
    • This API method accepts the CSR and an expiration date as parameters.
    • The expiration date is optional; when it is not provided, the certificate expiration date defaults to one year from issuance.
  6. On successful registration, the Manager returns a certificate that the application uses for all future authentications. In the process, the Manager removes the one-time user name and password from the account record and associates the registered CSR and the newly issued certificate with the account. Because the one-time credentials are gone, the administrator can no longer modify the account's properties, with two exceptions: the account can still be disabled, and its name can still be changed.
  7. The application now authenticates to the Manager exclusively by using its key and certificate.
  8. The application creates a locked vault by calling the Create Locked Vault REST API method.

    A Manager-generated event notifies the application when the private account certificate is due to expire within one month.

  9. The system accepts both the old and the new certificate until the old certificate expires, even after a new certificate has been issued.

    Vault I/O fails if the application presents an expired certificate or if the account is disabled.

  10. For certificate renewal, the application passes an expiration date and the account ID to the REST API.

    Whenever this method is called, the Manager looks up the certificate, determines whether it needs to be renewed, renews it if necessary, and returns the resulting certificate to the application.

  11. If a key is compromised, the application should rotate its key by calling the Rotate Client Key REST API method. This method replaces the existing key and revokes one or more old certificates, so a certificate bound to the compromised key can no longer authenticate.
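The workflow above, worked through in Go as an added example that is not part of this page or of the product's own code or SDK: the key and CSR generation of step 4, the registration call of step 5 using the one-time user name and password as HTTP basic auth, the certificate-only client of step 7 that trusts the Manager ca-cert from step 3, and the expiry check behind the one-month event of step 8 and the renewal decision of step 10. The REST method names are the page's; the URL path `/api/v1/register-client-certificate`, the JSON field names `account_id`, `csr` and `expiration_date`, a PEM certificate in the response body, and the host name used as the Subject DN are assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
	"net/http"
	"time"
)

// Step 4: RSA private key plus a CSR. The Subject DN is caller-chosen; it only
// has to be unique among PKI users and devices.
func GenerateKeyAndCSR(commonName string, bits int) (keyPEM, csrPEM []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}, SignatureAlgorithm: x509.SHA256WithRSA}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	csrPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
	return keyPEM, csrPEM, nil
}

// Step 5: one-time user name and password as HTTP basic auth; CSR and optional
// expiration date as parameters. URL path, JSON field names and a PEM response
// body are assumptions; the page does not specify them.
func RegisterCSR(client *http.Client, baseURL, user, pass, accountID string, csrPEM []byte, expires time.Time) ([]byte, error) {
	params := map[string]string{"account_id": accountID, "csr": string(csrPEM)}
	if !expires.IsZero() { // omitted: the Manager defaults to one year
		params["expiration_date"] = expires.UTC().Format(time.RFC3339)
	}
	body, _ := json.Marshal(params)
	req, err := http.NewRequest(http.MethodPost, baseURL+"/api/v1/register-client-certificate", bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.SetBasicAuth(user, pass)
	req.Header.Set("Content-Type", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("register failed: HTTP %d", resp.StatusCode)
	}
	return io.ReadAll(resp.Body) // the issued client certificate
}

// Step 7 onward: trust only the Manager ca-cert handed over in step 3 and present
// the issued certificate on every connection; no password is ever sent again.
func MTLSClient(managerCAPEM, certPEM, keyPEM []byte) (*http.Client, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(managerCAPEM) {
		return nil, errors.New("manager ca-cert is not valid PEM")
	}
	cert, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return nil, err
	}
	cfg := &tls.Config{RootCAs: pool, Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}, nil
}

// Steps 8 and 10: the one-month expiry event and the renewal decision reduce to
// "does NotAfter fall inside the window starting at now?".
func ExpiresWithin(certPEM []byte, now time.Time, window time.Duration) (bool, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return false, errors.New("no PEM certificate found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, err
	}
	return !cert.NotAfter.After(now.Add(window)), nil
}

func main() {
	_, csrPEM, err := GenerateKeyAndCSR("vault-app-01.example.internal", 3072)
	if err != nil {
		panic(err)
	}
	fmt.Print(string(csrPEM)) // hand this to RegisterCSR together with the one-time credentials
}
```

Only the CSR crosses the wire in step 5; the private key never leaves the application host. The hypothetical `MTLSClient` pins trust to the Manager ca-cert rather than the system trust store, so a server certificate from any other CA does not authenticate as the Manager, and the same client is what the Create Locked Vault call and all later vault I/O should use.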