Updating certificates
As part of the encryption process, you must ensure that certificates that are exchanged between the system and key servers are updated periodically before they expire. You can use the management GUI or the command-line interface to update certificates that are used to create secure communication between the system and all configured key servers.
Certificates are the primary method that is used by the key servers to authenticate the system and for the system to authenticate to the key servers. The exchange of these certificates verifies that access to the encryption keys that are stored on the key servers is allowed. The authentication of the system ensures that the key servers do not give access to keys to an untrusted party. The authentication of the key servers ensures that the system does not ask for sensitive keys to be stored by an untrusted party. Security of the system relies on two factors. First, the public certificates of the key servers and the system must be exchanged securely so that each device can trust the other. Second, the key servers and the system must keep their private key, which is associated with the certificate, secure.
These certificates require periodic updates because of certificate expiration dates or for security reasons (for example, if the private key that is associated with a certificate is no longer trusted). Whenever you update a certificate, the new certificate must be installed on both the system and the key servers so that mutual authentication continues to work. Start at the endpoint whose certificate is changing: if the system certificate must be replaced, update the system certificate first, then export it and install it on all key servers. If a key server certificate must be replaced, update the certificate on the key server first, then download it and install it on the system.
While certificates are being changed, the connection between the system and the key servers is briefly broken and then re-established. This short outage does not impact I/O operations. If a certificate has already expired or has been revoked, the connection between the system and the key servers remains broken until a valid certificate is installed on both endpoints.
Using the management GUI
- In the management GUI, select .
- Select either Self-signed certificate or Signed certificate for the certificate type. If you select Self-signed certificate, complete the form and select Update. A self-signed certificate is generated by the system and automatically replaces the certificate on the system. During the update of the self-signed certificate, the management GUI connection breaks and you must reload the interface after approximately 2 minutes. Note: Thales CipherTrust Manager does not support a self-signed system certificate. Only CA-signed certificates can be used by Thales CipherTrust Manager key servers.
If you select Signed certificate, complete the form to create a certificate request for your current certificate authority (CA). CAs are trusted entities that distribute certificates to endpoints so that authentication and trust can be established between the endpoints. Both the system and the key servers must trust this CA. For more information, see Certificates that are used for encryption key servers. After you complete the form, select Generate Request. This action creates a certificate request for your CA. After you receive the signed certificate, upload the certificate to the system.
- In the management GUI, select .
- Expand Certificates and select Export Public Key. The public certificate is exported to file /dumps/certificate.pem so it can be copied to the configured key servers.
- Copy the certificate.pem file to the key servers.
- On each key server, use the interface to upload the new certificate to all the key servers that are in your configuration. For more information, see the documentation for your type of key server.
- In the management GUI, select .
- Expand Certificate and select Update Certificate for each configured key server. This action replaces the existing key server certificate with the new certificate for the key servers.
Using the command-line interface (CLI)
- To create a self-signed certificate, enter the following command:
chsystemcert -mkselfsigned -keytype keytype -validity days
where keytype indicates one of the supported key types for the certificate and days indicates the number of days before the certificate expires.
Note: Thales CipherTrust Manager does not support a self-signed system certificate. Only CA-signed certificates can be used by Thales CipherTrust Manager key servers.
- Enter the following command to generate a certificate signing request:
chsystemcert -mkrequest -country country -state state -locality locality -org organization -orgunit organizationunit -email email -commonname commonname -subjectalternativename subject_alternative_name -keytype keytype -validity days
This command creates a certificate signing request (CSR) file for a trusted third-party certificate authority (CA) to sign. The certificate request is automatically written to /dumps/certificate.csr.
- Use secure copy (scp) to copy the file /dumps/certificate.csr from the system to your local machine. Submit the generated CSR file to the trusted third-party CA. If the CA is a public CA, it may take some time for the CA to verify your identity before it issues the signed certificate. When it is ready, download the signed certificate file from the CA. Also download any intermediate CA certificates in the chain between your signed certificate and the root CA. All files must be in PEM format.
- If intermediate CAs were used to sign the certificate request, create a single certificate chain file that contains the signed certificate followed by each intermediate CA certificate, concatenated in order from the CA that signed the system certificate up toward the root. The root CA certificate is not mandatory, but can optionally be included at the end.
- Use secure copy (scp) to copy the signed certificate (or the chain file that you created) back onto the system as the file /dumps/certificate.pem, where certificate.pem is the name of the certificate file.
- After you copy the signed certificate to the system, enter the following command:
chsystemcert -install -file /dumps/certificate.pem
where /dumps/certificate.pem is the absolute path name of the CA-signed certificate.
For either type of certificate, export the certificate so it can be copied to the configured key servers. For more information, see Export certificates.
- On each key server, use the interface to upload the new certificate to all the key servers that are in your configuration. For more information, see the documentation for your type of key server.
- If you are adding a self-signed certificate, enter the following command:
chkeyserver -sslcert certificate_file keyserver_name|keyserver_id
where certificate_file is the absolute path name of the certificate and keyserver_name|keyserver_id is either the name or the ID of the key server.
- If you are adding a CA-signed certificate, run one of the following commands for your configured key server type, where certificate_file is the absolute path name of the certificate:
- IBM® Security Guardium® Key Lifecycle Manager:
chkeyserverisklm -sslcert certificate_file
- Thales CipherTrust Manager or Gemalto SafeNet Key Secure:
chkeyserverciphertrustmanager -sslcert certificate_file
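The two things that most often go wrong in the CLI procedure above are a chain file assembled in the wrong order and a certificate that is installed with too little validity left. The following script is an added example (not part of the IBM documentation and not a system CLI command) that checks a PEM chain file before you copy it to /dumps/certificate.pem: it splits the bundle into certificate blocks, reads issuer, subject and validity from each with a minimal DER walker from the Python standard library, confirms that each certificate is issued by the next one in the file (system certificate first, then intermediates, root optional last), and flags certificates that are expired, not yet valid, or inside an assumed 30-day renewal window. The sample certificates, the host name flashsystem01.example.com, the CA names and the reference date are constructed for the example; the sample certificates carry stub keys and signatures, so the script parses them but nothing could verify them.

```python
import base64
import datetime as dt
import re

# Matches each certificate block in a PEM bundle, in file order.
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag, value):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime or GeneralizedTime
    return dt.datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)


def parse_certificate(der):
    """Read issuer, subject (raw DER Name bytes) and validity from one DER certificate."""
    _, cert, _ = _read_tlv(der, 0)                     # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, tbs, _ = _read_tlv(cert, 0)                     # tbsCertificate ::= SEQUENCE
    tag, _, pos = _read_tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0                    # skip the optional [0] version field
    _, _, pos = _read_tlv(tbs, pos)                    # serialNumber
    _, _, pos = _read_tlv(tbs, pos)                    # signature AlgorithmIdentifier
    start = pos
    _, _, pos = _read_tlv(tbs, pos)                    # issuer Name (kept as raw DER for comparison)
    issuer = tbs[start:pos]
    _, validity, pos = _read_tlv(tbs, pos)             # validity ::= SEQUENCE { notBefore, notAfter }
    t1, v1, p = _read_tlv(validity, 0)
    t2, v2, _ = _read_tlv(validity, p)
    start = pos
    _, _, pos = _read_tlv(tbs, pos)                    # subject Name
    return {"issuer": issuer, "subject": tbs[start:pos],
            "not_before": _parse_time(t1, v1), "not_after": _parse_time(t2, v2)}


def check_chain(pem_bytes, now, renew_within_days=30):
    """Return the problems found in a chain file; an empty list means it is ready to install.

    Expected order is the one the CLI procedure builds: the signed system certificate
    first, then each intermediate CA certificate, the root optionally last.
    """
    certs = [parse_certificate(base64.b64decode(b)) for b in PEM_RE.findall(pem_bytes)]
    if not certs:
        return ["no PEM certificate blocks found"]
    problems = []
    for i, c in enumerate(certs):
        days_left = (c["not_after"] - now).days
        if now < c["not_before"]:
            problems.append(f"cert {i}: not yet valid (notBefore {c['not_before']:%Y-%m-%d})")
        elif days_left < 0:
            problems.append(f"cert {i}: expired on {c['not_after']:%Y-%m-%d}")
        elif days_left < renew_within_days:
            problems.append(f"cert {i}: expires in {days_left} days, renew it now")
        if i + 1 < len(certs) and c["issuer"] != certs[i + 1]["subject"]:
            problems.append(f"cert {i}: issuer is not the subject of cert {i + 1} (chain out of order?)")
    return problems


# ---- constructed sample data: unsigned placeholder certificates, DER-encoded by hand ----
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _name(cn):
    # Name ::= SEQUENCE { SET { SEQUENCE { OID 2.5.4.3 (commonName), UTF8String } } }
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))))


def make_placeholder_cert(subject, issuer, not_before, not_after):
    """Syntactically valid X.509 with a stub key and signature: enough for the parser, not for TLS."""
    def utc(t):
        return _tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    alg = _tlv(0x30, _tlv(0x06, b"\x2A\x86\x48\xCE\x3D\x04\x03\x02"))     # ecdsa-with-SHA256
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg + _name(issuer)
           + _tlv(0x30, utc(not_before) + utc(not_after)) + _name(subject)
           + _tlv(0x30, alg + _tlv(0x03, b"\x00")))                         # stub SubjectPublicKeyInfo
    der = _tlv(0x30, _tlv(0x30, tbs) + alg + _tlv(0x03, b"\x00"))          # stub signature
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


NOW = dt.datetime(2024, 6, 1, tzinfo=dt.timezone.utc)          # constructed reference time
_d = dt.timedelta
ROOT = make_placeholder_cert("Example Root CA", "Example Root CA", NOW - _d(days=3000), NOW + _d(days=3000))
INTER = make_placeholder_cert("Example Issuing CA", "Example Root CA", NOW - _d(days=1000), NOW + _d(days=1000))
SYSTEM = make_placeholder_cert("flashsystem01.example.com", "Example Issuing CA", NOW - _d(days=345), NOW + _d(days=20))
GOOD_ORDER = SYSTEM + INTER + ROOT     # what /dumps/certificate.pem should look like
WRONG_ORDER = INTER + SYSTEM + ROOT    # intermediate pasted first by mistake

if __name__ == "__main__":
    for label, chain in (("good order", GOOD_ORDER), ("wrong order", WRONG_ORDER)):
        print(label, "->", check_chain(chain, NOW) or ["ok"])
```

Run check_chain on the real chain file with the current time before the scp step; an empty list means the order is right and nothing is about to expire. The script reads only issuer, subject and validity and does not verify signatures, so it complements, rather than replaces, a signature check with openssl verify against the CA that signed the request.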