Certificates that are used for encryption key servers
When you enable encryption with key servers, two types of certificates are required to ensure secure communication between the system and the encryption key server.
Certificates are the primary method that is used by the key servers to authenticate the system and for the system to authenticate to the key servers. The exchange of these certificates verifies that access to the encryption keys that are stored on the key servers is allowed. The authentication of the system ensures that the key servers do not give access to keys to an untrusted party. The authentication of the key servers ensures that the system does not ask for sensitive keys to be stored by an untrusted party. Security of the system relies on two factors. First, the public certificates of the key servers and the system must be exchanged securely so that each device can trust the other. Second, the key servers and the system must keep their private key, which is associated with the certificate, secure.
If all key servers are using a certificate that is signed by the same certificate authority, it is recommended that the CA certificate is installed in the key server type’s settings (for example, chkeyserverisklm -sslcert …) rather than the key server endpoints (for example, mkkeyserver -sslcert …). The CA certificate for the key server type’s settings is used only when you connect to a key server if the key server endpoint does not have a certificate that is installed. If you are using individual self-signed certificates for each key server, the certificates are installed against each key server endpoint. If you are using key server certificates that are part of a chain of trust, see Using certificate chains for key servers.
If the key servers are part of the same system and are configured to replicate their keys and certificates with each other, then the key server certificates are copied to all of the key servers. The system can connect to all key servers with the same server certificate. In addition, the system’s certificate must be installed on each of the configured key servers. The key server administrator accepts the system certificate to grant access to the key servers. To configure the system certificate for secure communications, select
.Using certificate chains for key servers
In order for the system to authenticate by using SSL with a key server that uses signed certificate chains, the system requires multiple certificates to be installed. All certificates in the certificate chain (excluding the server certificate itself, that is, the leaf certificate) must be installed. For example, if a key server X’s certificate is signed by certificate authority Y, where certificate authority Y’s certificate is signed by Root certificate authority Z, then the system requires the certificates Y and Z to be installed on the system to successfully communicate with key server X. To install this certificate, create a single certificate file that contains the full chain of certificates, excluding the key server's certificate. The first certificate in the file is the CA certificate, which was used to sign the leaf of the certificate chain (the key server certificate). The last certificate in the file is the root CA certificate. In between the first certificate in the file and the root certificate, all of the intermediate CA certificates are specified in order. If multiple intermediate certificates exist, include these certificates in order from leaf to root.
The resulting certificates file must contain the first intermediate certificate at the top of the file, followed by subsequent intermediate CA certificates in order, one-by-one. Finally, the root CA certificate is last at the bottom of the file. The resulting file contains only the PEM data for each certificate with anything else, such as comments, removed from the file. Each certificate in the file is separated by a new line and each certificate begins with the header “-----BEGIN CERTIFICATE-----” and end with “-----END CERTIFICATE-----”.
-----BEGIN CERTIFICATE-----
MIIF4DCCA8igAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgYUxCzAJBgNVBAYTAkdC
MRAwDgYDVQQIDAdFbmdsYW5kMRMwEQYDVQQHDApNYW5jaGVzdGVyMQwwCgYDVQQK
DANJQk0xDDAKBgNVBAsMA1NURzEPMA0GA1UEAwwGcm9vdENBMSIwIAYJKoZIhvcN
AQkBFhNqYW1pZXByeUB1ay5pYm0uY29tMB4XDTE4MTEwNzIxNTg1OVoXDTI4MTEw
NDIxNTg1OVoweDELMAkGA1UEBhMCR0IxEDAOBgNVBAgMB0VuZ2xhbmQxDDAKBgNV
BAoMA0lCTTEMMAoGA1UECwwDU1RHMRcwFQYDVQQDDA5pbnRlcm1lZGlhdGVDQTEi
MCAGCSqGSIb3DQEJARYTamFtaWVwcnlAdWsuaWJtLmNvbTCCAiIwDQYJKoZIhvcN
AQEBBQADggIPADCCAgoCggIBAKbE3NRBJHGcOLBdRRe9InwQqw2kIQ7dDMyAOFbh
/EcuZ03ex0q8HYgJmzGaSwjFZlFBOOZ3eZGWxMgFzKljX8Q7LuQBMi/t7Vxh9Qec
TDcjJ4jtClgFFzlYHFNk0dFJ9sryrhuNMeel64nafJGQQ+dy+vONbqBZfgaMXSbZ
DgQUmmtVqALn+PgFKOjRIMSTpm4hddxn0yg+Av1rAYlRkbpE0B69ktLRZMtnb0s/
dXE73LTMjA7+62P4/DHlU6cBs3ljURsV59OpYrGnTDO1mFIo8Ot89aHQotW/SWCm
RYIsxZ7Hfh6P/fdhScSdJXyyz8Nfs8qr2Ec3Vz2dss0k3MI0E4L2lyKcYaPgUmxF
DlO39ZEcffLrUsfI2GN9RuvE2umqk6FgSCbDP3mxjMxUs3rB8oItU2g5sJ1MVGqb
gYUtS/19hPpjDB/yAjI5Dlv0uUlefBTMPASpLEzF8AKkkVg98Vmkkx5eYjuu3Qpr
rHXN8CVGvhw9TUYzA9Pt9POmq6icMoBHpzujGcDrMflM8aE3sI+EmsFnbZnESeje
CWpc6Q8EZaxnnnHixfMBzX7Al8IIhnzeNUL5x46oUaFzpthYN3FlwWN/W8UDMPPr
h9mh82/CfZqol7suOh5WFWBbA2YGqRQacezMwxteAmvoCvxXhjducU1AzPLkwyPd
xXUBAgMBAAGjZjBkMB0GA1UdDgQWBBSXo1kphy8JAvB25abXPxEDUgHccTAfBgNV
HSMEGDAWgBQ6vl82Zxr3V7UJHz0StpCWmfakQzASBgNVHRMBAf8ECDAGAQH/AgEA
MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAgEAIPyFwnJrVyEuC+Hi
8tj0L/aIJabuT8QNmZcqcSW4dfvDDupp7VUiheexCr9btuYIUGrL59clrrJwPFRw
iZTDq3sOQQQz8keYEwXGsjTFafFcdkFIKg1rD+JZojrCvMvpGn1Zt0eqCkla7PsB
pbaXRIbh/ybyafxzPhBYeFDdl9BQQf9vsa1DkNABsx80hy/lHjohaLlG5C+aG+5r
2bUXRNhgl3lSToQkD/JgdvBbgycIcriiL4u6mTJbnpiCB2JbBdyuAzTkdNAZStCv
kB/N+E+7agjx32IxHwjr1FjQZuyqRbHcsvz3f5VB4pGX/6+xeFQn6DlUewvB6CBg
OqsUddu+FKgFw4f3l59UVC1KicQ4Hokbst9WJGkSMgdvQOXyxwapHrsGiTTbzekG
dD7XUdUiLGcT1CDB3NrcHsJ1a2PCUgMQpeEsWDyUspBrvo40w3jfSoKtFmwp3o6a
vx9esOWzevLzAbv7YGZD/iXTQbUk2iNJjt5lRIee20GxZK+/BV36378U0CNKwdUt
mKAaOHY/DsGzOghGdvCz8/g5zhPN+bw9ZXm116cAygIJt2xytVy1cLvtbY2Vzgd9
zE1hCdm6oOfijOQ6F1JAzE/vewTxxOuNzp/T4LLGmrXtWwqhkrFrhRUiwsRb5zjY
XIh94QnyIz09Oj/W0qxllTPIGxk=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIF8jCCA9qgAwIBAgIJAMmFTDgLwpj8MA0GCSqGSIb3DQEBCwUAMIGFMQswCQYD
VQQGEwJHQjEQMA4GA1UECAwHRW5nbGFuZDETMBEGA1UEBwwKTWFuY2hlc3RlcjEM
MAoGA1UECgwDSUJNMQwwCgYDVQQLDANTVEcxDzANBgNVBAMMBnJvb3RDQTEiMCAG
CSqGSIb3DQEJARYTamFtaWVwcnlAdWsuaWJtLmNvbTAeFw0xODExMDcyMTEwMzda
Fw0zODExMDIyMTEwMzdaMIGFMQswCQYDVQQGEwJHQjEQMA4GA1UECAwHRW5nbGFu
ZDETMBEGA1UEBwwKTWFuY2hlc3RlcjEMMAoGA1UECgwDSUJNMQwwCgYDVQQLDANT
VEcxDzANBgNVBAMMBnJvb3RDQTEiMCAGCSqGSIb3DQEJARYTamFtaWVwcnlAdWsu
aWJtLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAM1wapd+YEWk
1/INfxjA+0mwwmz4fFgbyIjLtPjh6Z9KMRx8x368PXZ7Y1br/Zt9rbMx0cwxEO6b
U6XG/h91Fk4mCPKsjFRImlrFEHWDZ+/mv38SgF1yqTJ4Cb1ZjZS6bY0VwLo0gRiu
hUjwMUvoIksUc9+dauuQU8TtllqmXfOCVdsONiixlTCQy+sqbceYucEZItXkFWCH
6VAKrbyQS2QZP8KAoCw9j1skiUAqJ9hVwryQ602chqqzUGoAJbSBL2Xn8JQM2LEn
2KlVoIQFASTmnyKuaqeBHcIB5KCSDCQcy8TtybO/X38YmpYzfHC+L7Tr3gcgfEZf
vAitoPTFjqqBlXbNR5Vl8t8aMNq++WP42iI5sv40NWrSqsURXMxFFkMV++YYaeq9
kra5WCfeZMSYOzolM5fNBLrkA1sfFWqRH6IMGFSxlg+GRlbXS47RwpgncI/GSStN
RR9mfYiFU05VbnZSlLMhYZZv3KoZars+V5KNGfi95zBcMocinq/SVFXCRtIZfp3A
M6/OKL7mziA4NgjaaybmNbQOZGD4/eZDRSljSoMpL4xgs9BMEv4QyfKbOJXMQHqi
to7jNJRkpz3yxlwkLAGkigyCKmQFAzj0ykB3V+NwmLTJezKBolOvdjda+2rkP2/b
EvCBHIqgAP9t9EOLMDke8v0dyryN+ESJAgMBAAGjYzBhMB0GA1UdDgQWBBQ6vl82
Zxr3V7UJHz0StpCWmfakQzAfBgNVHSMEGDAWgBQ6vl82Zxr3V7UJHz0StpCWmfak
QzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsF
AAOCAgEAiGo8x8nGlOVXQhkVzLzwoXMHNDHTpn13u8SGkX68zVaulvwuXOXl4d6b
QMXrMLQ3KonrKSpBCgTbyjDHp+6/NiFUs0t+O4gZczQHx8CgyjkRYmhrtcNW/RGb
66jYTkZpcTbJsrxOyzJY04Z0cr5Qxi9lgj+MHFPcSj3WJxWidurkQCh/AOSERuYg
LhNxNihomfKplKGUBKAhwTjBW7abIN4u/15iNaM/67X+/MOF1IKjB9U6ikgIjY5D
VetEEJhnYLjuzHpCmNeFZ1hbySMaiKP3kUNKSidEh5Oi+UP2UujgZi8VMPZApStW
AmRVCWtpiwcBD2WqsUuL+XcpqWBZ7GcNa89maMcybTjPAl0y2phi27ZXm78LmpCS
uK/UbRfpUpAsxiIPK1tnFkKcqdWBYNuOt1GIW9ADsYytDjo14X+i7axJYPtiqW+H
UxY/6b16c2/YOeCwIq+1g4882VtAoQfGmODC2AhhFqHrFhfOQ3Ag86x9scUjQl+J
4uYQkKsR1xW/y9Tx9dpqZZrZEu3B91SrtvA/6GtGFFs7jyeRCPdhb8+KF2NBonNl
FZC+p8qEeMSaCbBdI+ptL7vKQzzwKT/72Ts5BsABn4ZHXsD/39x0HPqSfWcEKR1e
s8hisZjl8mRRb5+sHRsmNoh9ki1AjIUTSjn/O+94Xahc0LvMWJk=
-----END CERTIFICATE-----