Updating certificates

As part of the encryption process, you must ensure that certificates that are exchanged between the system and key servers are updated periodically before they expire. You can use the management GUI or the command-line interface to update certificates that are used to create secure communication between the system and all configured key servers.

Certificates are the primary method that is used by the key servers to authenticate the system and for the system to authenticate to the key servers. The exchange of these certificates verifies that access to the encryption keys that are stored on the key servers is allowed. The authentication of the system ensures that the key servers do not give access to keys to an untrusted party. The authentication of the key servers ensures that the system does not ask for sensitive keys to be stored by an untrusted party. Security of the system relies on two factors. First, the public certificates of the key servers and the system must be exchanged securely so that each device can trust the other. Second, the key servers and the system must keep their private key, which is associated with the certificate, secure.

These certificates periodically require updates because of certificate expiration dates or for security reasons. Whenever you update certificates, the new certificates must be added to both the system and the key servers to ensure mutual authentication. It does not matter on which connection endpoint you update certificates first. However, if the system certificate requires an update, update the system certificate first, then download and install it on all key servers. If key server certificates require updates, update the certificate on the key server first, then download and install it on the system.

When the certificates are being changed, a temporary outage occurs when the connection breaks between the system and the key servers. This short connection outage does not impact I/O operations. If a certificate is already expired or is revoked, then the connection between the system and the key servers is broken.

Using the management GUI

If you are updating the certificates on the system in the management GUI, complete these steps:
  1. In the management GUI, select Settings > Secure Communications > Update Certificate.
  2. Select either Self-signed certificate or Signed certificate for the certificate type. If you select Self-signed certificate, complete the form and select Update. A self-signed certificate is generated by the system and automatically updates the certificate on the system. During the update of the self-signed certificate, the management GUI connection breaks and you must reload the interface after approximately 2 minutes.
    Note: Thales CipherTrust Manager does not support a self-signed system certificate. Only CA-signed certificates can be used by Thales CipherTrust Manager key servers.

    If you select Signed certificate, complete the form to create a certificate request for your current certificate authority (CA). CAs are trusted entities that distribute certificates to endpoints so authentication and trust can be established between the endpoints. For the system and the key servers, both these endpoints must trust this CA. For more information, see Certificates that are used for encryption key servers. After you complete the form, select Generate Request. This action creates a certificate request for your CA. After you receive the signed certificate, upload the certificate to the system.

After the certificate is added to the system, you need to export and copy the new certificate to the key servers in your configuration. To export the certificate to the key servers, complete these steps:
  1. In the management GUI, select Settings > Security > Encryption.
  2. Expand Certificates and select Export Public Key. The public certificate is exported to file /dumps/certificate.pem so it can be copied to the configured key servers.
  3. Copy the certificate.pem file to the key servers.

If you updated certificates on the key servers, complete these steps:
  1. On each key server, use the interface to upload the new certificate to all the key servers that are in your configuration. For more information, see the documentation for your type of key server.
  2. In the management GUI, select Security > Encryption.
  3. Expand Certificate and select Update Certificate for each configured key server. This action replaces the existing key server certificate with the new certificate for the key servers.

Using the command-line interface (CLI)

If you are updating certificates on the system, complete these steps:
  1. To create a self-signed certificate, enter the following command:
    chsystemcert -mkselfsigned -keytype keytype -validity days
    where keytype indicates one of the supported encryption key types for the certificate and days indicates the number of days before the certificate expires.
    Note: Thales CipherTrust Manager does not support a self-signed system certificate. Only CA-signed certificates can be used by Thales CipherTrust Manager key servers.

To create an externally signed certificate, complete these steps:
  1. Enter the following command to generate a certificate signing request:
    chsystemcert -mkrequest -country country -state state -locality locality -org organization -orgunit organizationunit -email email -commonname commonname -subjectalternativename subject_alternative_name -keytype keytype -validity days
    This command creates a certificate signing request (CSR) file for a trusted third party certificate authority (CA) to sign. The certificate request is automatically written to /dumps/certificate.csr.
  2. Use secure copy (scp) to copy the file /dumps/certificate.csr from the system to your local machine. Share the generated CSR file to the trusted third-party CA. If the CA is a public CA, then it may take some time for the CA to verify your identity before issuing the signed certificate. When it is ready, download the signed certificate file from the CA. You should also download any intermediate CA certificates that were used to sign the request. The files must all be in PEM format.
  3. If intermediate CAs are used to sign the certificate request, create a single certificate chain file that contains the contents of the signed certificate and the contents of each intermediate CA certificate, concatenated together. The root CA certificate is not mandatory, but can optionally be included.
  4. Use secure copy (scp) to copy the certificate back onto the system in the file /dumps/certificate.pem, where certificate.pem is the name of the certificate.
  5. After you copy the signed CA certificate to the system, enter the following command:
    chsystemcert -install -file /dumps/certificate.pem
    where /dumps/certificate.pem is the absolute path name of the CA-signed certificate.
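The chain file from step 3 is the point where mistakes are easy to make (wrong concatenation order, a missing intermediate, or a certificate that is already close to expiry), and the system only tells you something is wrong once the key server connection breaks. The following script is an added example, not part of the product documentation or the product's own tooling: it builds a chain file in the documented order and checks it with openssl before it would be copied to /dumps/certificate.pem. The root CA, intermediate CA and system certificate it uses are constructed locally with throwaway keys so the checks run offline; in real use the CSR comes from chsystemcert -mkrequest and the signed certificate from your CA.

```shell
#!/bin/sh
# Added example (not from the product documentation): build the chain file in the
# documented order and sanity-check it with openssl before scp'ing it to
# /dumps/certificate.pem. The CA, intermediate and system certificate below are
# constructed locally so the checks run offline; in practice the CSR comes from
# chsystemcert -mkrequest and the signed certificate from your CA.
set -eu
WORK=$(mktemp -d)

make_test_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=storage-system" \
    -keyout "$WORK/system.key" -out "$WORK/certificate.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/certificate.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -out "$WORK/signed.pem" >/dev/null 2>&1
}

# Documented order: signed certificate first, then each intermediate; root optional.
build_chain() { cat "$WORK/signed.pem" "$WORK/int.pem" > "$WORK/certificate.pem"; }
# A common mistake: intermediate first. The order check below rejects it.
build_chain_wrong_order() { cat "$WORK/int.pem" "$WORK/signed.pem" > "$WORK/certificate.pem"; }

# Check 1: each certificate's issuer must be the subject of the certificate after it.
chain_order_ok() {
  rm -f "$WORK"/part*.pem
  awk -v dir="$WORK" '/BEGIN CERT/{n++} n>0{print > (dir "/part" n ".pem")}' "$WORK/certificate.pem"
  i=1
  while [ -f "$WORK/part$((i+1)).pem" ]; do
    issuer=$(openssl x509 -in "$WORK/part$i.pem" -noout -issuer)
    subject=$(openssl x509 -in "$WORK/part$((i+1)).pem" -noout -subject)
    [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
    i=$((i+1))
  done
}
# Check 2: the chain must verify up to the root that the key servers trust.
chain_verifies() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/certificate.pem" "$WORK/signed.pem" >/dev/null
}
# Check 3: an expired certificate breaks the key server connection, so refuse to
# install one that expires within 7 days (-checkend returns non-zero in that case).
not_expiring_soon() {
  openssl x509 -in "$WORK/signed.pem" -noout -checkend $((7*24*3600)) >/dev/null
}

make_test_pki
build_chain
chain_order_ok && chain_verifies && not_expiring_soon && echo "chain file ready: $WORK/certificate.pem"
```

Run the three checks against the real chain file (with your CA's root in place of root.pem) before the scp in step 4; the same expiry check is also a reasonable thing to schedule against the installed certificate so renewals start before the connection outage described above.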

For either type of certificate, export the certificate so it can be copied to the configured key servers. For more information, see Export certificates.

If you are updating certificates on key servers, complete these steps:
  1. On each key server, use the interface to upload the new certificate to all the key servers that are in your configuration. For more information, see the documentation for your type of key server.
  2. If you are adding a self-signed certificate, enter the following command:
    chkeyserver -sslcert certificate_file keyserver_name|keyserver_id
    where certificate_file is the absolute path name of the certificate and keyserver_name|keyserver_id is either the name or ID of the key server.
  3. If you are adding a CA-signed certificate, run one of the following commands for your configured key server type:
    IBM® Security Guardium® Key Lifecycle Manager
    chkeyserverisklm -sslcert certificate_file
    where certificate_file is the absolute path name of the certificate.
    Thales CipherTrust Manager or Gemalto SafeNet Key Secure
    chkeyserverciphertrustmanager -sslcert certificate_file
    where certificate_file is the absolute path name of the certificate.