Configuring Gemalto key managers with key server certificates signed by a multi-layer certificate chain of trust
To ensure that the Transport Layer Security (TLS) handshake succeeds between a DS8000® and a Gemalto key server that presents a certificate that is signed by a multi-layer certificate chain of trust, the entire certificate chain of trust must be present on the DS8000 server during the handshake. The certificate chain of trust includes a leaf certificate, a set of intermediate certificate authority (CA) certificates, and a root CA certificate.
Before you begin
When CAs sign server certificates with an intermediate CA, it might be necessary for Gemalto SafeNet KeySecure to send multiple certificates to a DS8000 client so that the DS8000 client can verify the server certificate. Multiple certificates that are bundled into one certificate file are called a certificate chain. A DS8000 client that uses a certificate chain to connect to a Gemalto SafeNet KeySecure KMIP port receives all certificates on the chain.
Certificate chains can be installed on SafeNet KeySecure through the Certificate Installation page.
- Configure the Gemalto server to send its leaf certificate and the set of intermediate CA certificates during the TLS handshake.
- Configure the DS8000 with the root CA certificate in its truststore by using the root CA as the key server certificate when configuring the key manager in the DS CLI or DS8000 Storage Management GUI.
During the TLS handshake, the Gemalto server sends a leaf certificate and a set of intermediate CA certificates to the DS8000. The DS8000 has the root CA certificate in its truststore. When the DS8000 receives the certificate chain from the Gemalto server, it can validate the certificate chain beginning with the leaf certificate and ending with the root CA, which it trusts.
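The validation described above, as an added example in Go's standard library (not IBM's or Gemalto's code): a constructed root -> intermediate -> leaf chain with sample names, where only the root CA is in the trust store, validates when the key server sends the intermediate and fails with an unknown-authority error when it sends the leaf alone.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a certificate for cn signed by parent; a nil parent makes a self-signed root CA.
func mkCert(cn string, ku x509.KeyUsage, serial int64, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, KeyUsage: ku,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil { // root CA: the template signs itself
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// VerifyChain models the DS8000 side: only the root CA is in the truststore, and the only intermediates available are those the key server sent in the handshake.
func VerifyChain(leaf, root *x509.Certificate, sent ...*x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range sent {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: leaf.DNSNames[0]})
	return err
}

func main() {
	// Constructed sample hierarchy; names are placeholders, not a real Gemalto CA.
	root, rootKey := mkCert("Sample Root CA", x509.KeyUsageCertSign, 1, nil, nil)
	inter, interKey := mkCert("Sample Intermediate CA", x509.KeyUsageCertSign, 2, root, rootKey)
	leaf, _ := mkCert("keysecure.example.test", x509.KeyUsageDigitalSignature, 3, inter, interKey)
	fmt.Println("leaf + intermediate sent:", VerifyChain(leaf, root, inter)) // <nil>: chain validates up to the trusted root
	fmt.Println("leaf only sent:", VerifyChain(leaf, root))                   // fails: certificate signed by unknown authority
}
```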