Configuring Gemalto key managers with key server certificates signed by a multi-layer certificate chain of trust

To ensure that the Transport Layer Security (TLS) handshake succeeds between a DS8000® and a Gemalto key server that presents a certificate that is signed by a multi-layer certificate chain of trust, the entire certificate chain of trust must be present on the DS8000 server during the handshake. The certificate chain of trust includes a leaf certificate, a set of intermediate certificate authority (CA) certificates, and a root CA certificate.

Before you begin

When a CA signs a server certificate through an intermediate CA, Gemalto SafeNet KeySecure might need to send multiple certificates to a DS8000 client so that the client can verify the server certificate. Multiple certificates that are bundled into one certificate file are called a certificate chain. A DS8000 client that connects to a Gemalto SafeNet KeySecure KMIP port that is configured with a certificate chain receives all of the certificates in the chain.

Certificate chains can be installed on SafeNet KeySecure through the Certificate Installation page.

To ensure that the entire certificate chain of trust is present on the DS8000 server:
  1. Configure the Gemalto server to send its leaf certificate and the set of intermediate CA certificates during the TLS handshake.
  2. Configure the DS8000 with the root CA certificate in its truststore by using the root CA as the key server certificate when configuring the key manager in the DS CLI or DS8000 Storage Management GUI.
Note: This procedure supports key server certificates with 2048-bit and 4096-bit keys.

During the TLS handshake, the Gemalto server sends a leaf certificate and a set of intermediate CA certificates to the DS8000. The DS8000 has the root CA certificate in its truststore. When the DS8000 receives the certificate chain from the Gemalto server, it can validate the chain beginning with the leaf certificate and ending with the root CA, which it trusts.

Procedure

  1. Log in to the SafeNet KeySecure Management Console as an administrator with certificates access control.
  2. From the Security tab, click SSL Certificates to open the Certificate List.
  3. Select the certificate and click Properties to open the Certificate Information view.
  4. Click Install Certificate to open the Certificate Installation view.
  5. Enter the intermediate CA certificate in the Certificate Response field, and click Save. The combined certificates are displayed in the Certificate Installation view.
  6. From the Device tab, select the Server Certificate for the Gemalto KMIP Port, and click Edit to use edit mode.
  7. In the Server Certificate column, select the server certificate, and click Save.
  8. Use a command-line client to verify that the Gemalto server presents the full certificate chain during the TLS handshake. Enter the following OpenSSL command:

    openssl s_client -connect <gemalto_address>:<kmip_port>

    where <gemalto_address> is the address of the Gemalto server and <kmip_port> is the KMIP port number.

    Verify that the full chain (the leaf certificate followed by each intermediate CA certificate) is listed in the Certificate chain section of the OpenSSL output.
  9. When you configure the key managers on the DS8000 system, use the root CA that signed the top-level intermediate CA as the key server certificate to establish trust between the system and the root CA. If the system trusts the root CA, it can validate any subsequent intermediate CAs and leaf certificates in the certificate chain.