Creating and importing a client certificate

If Guardium authenticates to HashiCorp Vault with a TLS client certificate (the Vault cert auth method), you must create and import a client certificate on every Guardium system that connects to Vault, such as the central manager and each managed unit.

Procedure

  1. On your Guardium® system, create a certificate signing request (CSR) by using the CLI command create csr alias. The private key for the request stays in the Guardium keystore under the alias that you enter, so use the same alias again when you import the signed certificate.
    Copy the CSR starting at the '-----BEGIN NEW CERTIFICATE REQUEST-----' tag and ending at the '-----END NEW CERTIFICATE REQUEST-----' tag, and save it to a file.
    Provide the CSR file to a Certificate Authority (CA) of your choice to obtain a valid certificate. The certificate must be in PEM format to import into your Guardium system. After you receive the PEM certificate from your CA, import it by using the CLI command store certificate keystore alias.
    Example:
    create csr alias
    
    Please enter a one-word alias to uniquely identify this certificate:
    vault
    
    If the Common Name (CN=) field is used as an Identifier, prefix the identifier with ID: (example ID:1234).
    
    What is the Common Name (CN=) for this certificate (default: gmachine.com) ?
    
    What is the name of your organizational unit (OU=) ? YourTeam
    
    What is the name of your organization (O=) ? YourCompany
    
    What is the name of your city or locality (L=) ? YourCity
    
    What is the name of your state or province (ST=) ? YourState
    
    What is the two-letter country code for this unit (C=) ? US
    
    What encryption algorithm should be used?
    1=dsa
    2=rsa
    3=ecdsa
    Default:  RSA
    
    Invalid input or no input. Using default 'RSA'
    
    What is the keysize to use (1=1024 or 2=2048. Default '2048') ?
    Invalid input or no input. Using default '2048'
    
    Add up to nine optional SANs (Subject Alternative Name) in fully qualified domain name format. To continue without adding a SAN, press Enter.
    
    What is the name of SAN #1 ?
    
    Generating CSR...
    
    ****************************************************************************
    
    Certificate Request:
    Data:
    Version: 0 (0x0)
    Subject: C=US, ST=YourState, L=YourCity, O=YourCompany, OU=YourTeam, CN=gmachine.com
    
    -----BEGIN NEW CERTIFICATE REQUEST-----
    #####################################################################
    #####################################################################
    #####################################################################
    #####################################################################
    #####################################################################
    #####################################################################
    #####################################################################
    #####################################################################
    -----END NEW CERTIFICATE REQUEST-----
    
    ****************************************************************************
    
    store certificate keystore alias
    
    ok
  2. Copy the CSR file to the server that holds your CA root certificate and its private key, and sign the request there. Keep the validity period short (the example's -days 10000 is roughly 27 years; a year or two is more typical for a client certificate), and note that openssl x509 -req does not carry the CSR's extensions into the certificate: any SAN that you entered in step 1 is dropped unless you restate it with -extfile (or, on OpenSSL 3.x, pass -copy_extensions copy).
    Example:
    openssl x509 -req -in gmachine_signing_request.csr -CA ca_root_certificate.crt -CAkey ca_private_key.key -CAcreateserial -out gmachine_signed_certificate.crt -days 10000 -sha256 
  3. Configure the HashiCorp Vault cert auth method with the new trusted client certificate that is allowed to authenticate. The entry written to auth/cert/certs/<name> trusts whatever certificate you supply: an end-entity certificate, as in this example, admits only that certificate, whereas a CA certificate admits every certificate that the CA has signed, so restrict such an entry (for example with allowed_common_names). policies must name an existing Vault policy, and ttl is the lifetime of the issued token in seconds.
    Example:
    [root@Hashicorp ssl]# vault write auth/cert/certs/gmachine \
          display_name=gmachine \
          policies=guardium_policy \
          certificate=@gmachine_signed_certificate.crt \
          ttl=3600
    Success! Data written to: auth/cert/certs/gmachine
  4. Store the signed client certificate that the CA returns in the tomcat.keystore of your Guardium system, under the alias from step 1.
    If the client certificate is signed by a self-signed CA certificate, you must also upload the CA certificate along with the signed client certificate, otherwise the import cannot validate the chain.
    Example to import both the CA certificate and the signed client certificate together:
    store certificate keystore alias console
    
    Please enter a one-word alias to uniquely identify this certificate:
    vault
    
    Found the following Certificate Signing Request (CSR):
    
    ****************************************************************************
    
    Certificate Request:
    Data:
    Version: 0 (0x0)
    Subject: C=US, ST=YourState, L=YourCity, O=YourCompany, OU=YourTeam, CN=gmachine.com
    
    -----BEGIN NEW CERTIFICATE REQUEST-----
    ###############################################################
    ###############################################################
    ###############################################################
    ###############################################################
    ###############################################################
    ###############################################################
    ###############################################################
    -----END NEW CERTIFICATE REQUEST-----
    
    ****************************************************************************
    
    Are you importing a certificate that corresponds to this CSR? [y/N]
    y
    
    Please paste your End-Entity certificate below in PEM encoded format. A certificate in
    PEM encoded format should include the '-----BEGIN CERTIFICATE-----' and '-----END
    CERTIFICATE-----' tags. The Certificate Authority (CA) Root and Intermediate
    certificate(s) (if applicable) will also need to be pasted at this time for
    validation purposes. Please ensure that all certificates are in PEM format and
    include the aforementioned tags. When pasting multiple certificates, please make
    sure that each certificate is pasted on a new line in the following order:
    
            -----BEGIN CERTIFICATE-----
            (End-Entity certificate)
            -----END CERTIFICATE-----
            -----BEGIN CERTIFICATE-----
            (Intermediate certificate(s) - if applicable)
            -----END CERTIFICATE-----
            -----BEGIN CERTIFICATE-----
            (Root certificate)
            -----END CERTIFICATE-----
    
    Once done pasting your certificate(s), press ENTER followed by CTRL-D to continue.
    
    -----BEGIN CERTIFICATE-----
    ###############################################################
    ###############################################################
    ###############################################################
    ###############################################################
    ###############################################################
    ###############################################################
    ###############################################################
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ###############################################################
    ###############################################################
    ###############################################################
    ###############################################################
    ###############################################################
    ###############################################################
    ###############################################################
    -----END CERTIFICATE-----
    
    < view of the certificate >
    
    Certificate reply was installed in keystore
    
    Restarting GUI service...
    
    SUCCESS: Certificate imported successfully - Keystore has been updated.
    
    Please make sure that the relevant CA certificates have been imported by issuing
    the following CLI command:
    
                    << store certificate keystore >>
    
    
    There are no external_stap keystore certificate expiration warnings at this time.
    
    There are no insights keystore certificate expiration warnings at this time.
    ok
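The following script is an added example and is not IBM Guardium or HashiCorp code. It builds a throwaway CA and a client CSR to stand in for the CA of your choice and for the output of create csr, signs the CSR with the same openssl command as step 2, and then runs the checks worth doing before you register the certificate in Vault (step 3) and import it with store certificate keystore (step 4): the certificate chains to the CA for client authentication, its public key is the one from the CSR, the SAN survived signing, and the validity period is not absurd. The file names follow the page; the SAN value and the ten-year ceiling are assumptions, and OpenSSL 1.1.1 or later must be on PATH.

```shell
#!/bin/sh
# Added example (not Guardium or Vault code). A throwaway CA and client CSR
# stand in for your CA and for the CSR from `create csr`; file names follow
# the page, SAN and lifetime ceiling are assumptions. Needs OpenSSL >= 1.1.1.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_CRT="$WORK/ca_root_certificate.crt"; CA_KEY="$WORK/ca_private_key.key"
CSR="$WORK/gmachine_signing_request.csr"; CLIENT_KEY="$WORK/gmachine.key"
CRT="$WORK/gmachine_signed_certificate.crt"
SAN="DNS:gmachine.com"   # assumed SAN, as entered at the "SAN #1" prompt

# Throwaway self-signed root CA (constructed; normally lives on the CA server).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/C=US/O=YourCompany/CN=Example Root CA" \
    -keyout "$CA_KEY" -out "$CA_CRT" 2>/dev/null
}

# Client key and CSR with the page's subject and one SAN.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=US/ST=YourState/L=YourCity/O=YourCompany/OU=YourTeam/CN=gmachine.com" \
    -addext "subjectAltName=$SAN" \
    -keyout "$CLIENT_KEY" -out "$CSR" 2>/dev/null
}

# The page's step 2 command as written: no -extfile, so the CSR's SAN is lost.
sign_csr_plain() {
  openssl x509 -req -in "$CSR" -CA "$CA_CRT" -CAkey "$CA_KEY" -CAcreateserial \
    -out "$CRT" -days "$1" -sha256 2>/dev/null
}

# Same command with the extensions a TLS client certificate should carry.
sign_csr_with_exts() {
  printf '%s\n' "subjectAltName=$SAN" "extendedKeyUsage=clientAuth" \
    "basicConstraints=CA:FALSE" > "$WORK/client.ext"
  openssl x509 -req -in "$CSR" -CA "$CA_CRT" -CAkey "$CA_KEY" -CAcreateserial \
    -out "$CRT" -days "$1" -sha256 -extfile "$WORK/client.ext" 2>/dev/null
}

# Check 1: the certificate chains to the CA and is usable for client auth.
check_chain() {
  openssl verify -purpose sslclient -CAfile "$CA_CRT" "$CRT" >/dev/null 2>&1
}

# Check 2: the public key in the certificate is the CSR's key, i.e. the key
# held in the keystore under the alias you will import to.
check_key_match() {
  [ "$(openssl x509 -in "$CRT" -noout -pubkey)" = \
    "$(openssl req -in "$CSR" -noout -pubkey)" ]
}

# Check 3: the SAN survived signing.
check_san() {
  openssl x509 -in "$CRT" -noout -text | grep -q "$SAN"
}

# Check 4: the certificate expires within $1 days. -checkend succeeds when the
# certificate is still valid after that many seconds, so the result is inverted.
check_lifetime() {
  ! openssl x509 -in "$CRT" -noout -checkend $(($1 * 86400)) >/dev/null
}

make_ca
make_csr
sign_csr_with_exts 365
check_chain && check_key_match && check_san && check_lifetime 3650 \
  && echo "certificate is ready to register in Vault and import into the keystore"
```

Run the checks against the real gmachine_signed_certificate.crt and ca_root_certificate.crt by pointing CRT, CSR and CA_CRT at those files; the key-match check is the one that catches a certificate issued for a different CSR, which store certificate keystore would otherwise reject only after you have pasted the whole chain.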