Certificates Signed by External CAs

CORE services are obtained over a secured TLS (Transport Layer Security) connection which, during its handshake phase, exchanges certificates that carry the information required to set up the connection.

To assure the authenticity of a certificate, its cryptographic signature is validated using the public data of the certificate's issuer (the CA). This data is distributed as CA certificates that must be available on the device that performs the validation.

A certificate may be issued by the CORE CA or, where mandated, by an External CA. In the following diagram, "Validated by X CA" means that the certificate was issued by "X CA".

Diagram: CORE Client and Server Certificate issuer options

By default, CORE supports the Both Certificates Issued by CORE CA case, yet each client served by a single EP may specify any of the above requirements regarding its own certificate or the EP certificate. CORE supports all cases, but the non-default cases require special preparation of the EP server, described below.

The maximum number of External CAs:

  •  that may issue CORE client certificates:
    - unlimited by CORE,
    - but restricted by the number of TCP/IP ports on EP that its clients can reach.
  •  that may issue the EP server certificate: 1.

Both Certificates Issued by CORE CA

This is the case when a client:

  • can install the CORE Root CA to validate the EP certificate.
  • can identify itself to EP by a certificate issued by the CORE Root CA.

You may use Registered Clients, Ephemeral Clients, and Full Client.

The additional steps: none.

Note
As needed, you may obtain the CORE Root CA certificate using the ucl root_ca -o <path> command. See ucl root_ca.

EP Certificate Issued by External CA

This is the case when a client:

  • can't validate the EP certificate using the CORE Root CA.
  • can identify itself to EP by a certificate issued by the CORE Root CA.

You may use Registered Clients, Ephemeral Clients, and Full Client.

The additional steps:

  • the EP configuration described in the quickstart below.
  • the servers=<EP>:<port> setting in the client configuration must specify the EP port that will serve the client. See Servers Setting.

Quickstart 2

On the EP port that will serve such a client, configure EP to identify itself with a certificate signed by an External CA and to use the matching private key.

Prerequisites:

  • Obtain the certificate with the matching private key as a password-protected PFX (PKCS #12) file. Assume that:
    • the file name is ExternallySignedEPcert.pfx and
    • the password is 123456.
  • A non-443 port reachable by clients. Assume that:
    • the port is 6443.

Note
We cannot use port 443, because EP on this port must keep using its existing certificate and the matching private key for internal server-to-server traffic.

Steps:

  1. Install the obtained material to the external_key.pfx file in the Certificates Folder. This file is protected by a passphrase known to EP:

     sudo /opt/ekm/bin/ekm_obfuscate_pfx.sh -p ./ExternallySignedEPcert.pfx -w 123456

  2. In the Server.xml File, copy the settings of port 443 to the new port 6443:
    1. Open the Server.xml File for editing.
    2. Locate the <Connector port="443" XML element.
    3. Copy and paste it (everything from "<" to "/>").
    4. In the cloned XML element, replace port 443 with 6443.
  3. Update port 6443: replace the keystoreFile specification from key.pfx to external_key.pfx and keep the rest unchanged. The resulting configuration of the new port should look as follows:

    <Connector port="6443" protocol="com.dyadicsec.ekm.syscrypto.ObfuscatorProtocol"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
    clientAuth="want" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2" ciphers="HIGH+AESGCM"
    keystoreFile="${catalina.home}/../../etc/ekm/ssl/key_external.pfx"
    keystorePass="NotThePassword" keystoreType="pkcs12"
    truststoreFile="${catalina.home}/../../etc/ekm/ssl/root_ca.ks"
    truststorePass="NotThePassword" truststoreType="jks"/>

  4. Restart the EKM (Enterprise Key Management, the previous name of the product) Service on EP (see EKM Service Management).

Client Certificate Issued by External CA

This is the case when a client:

  • can validate a certificate of EP using the CORE Root CA.
  • must identify itself to EP using a certificate issued by External CA.

You must use External Client.

The additional steps:

  • the EP configuration described in the quickstart below.
  • the servers=<EP>:<port> setting in the client configuration must specify the EP port that will serve the client. See Servers Setting.

Quickstart 3

Prerequisites: the External CA certificate in PEM format (Base64-encoded DER wrapped by "-----BEGIN <type>-----" and "-----END <type>-----" lines).

Note
You may also obtain the external CA certificate(s) in a passphrase-protected JKS (Java KeyStore) file. In such a case, Step 2 uses the corresponding set of parameters as specified in ekm_config_kmip_cert.

To install and activate an external CA certificate, update the CORE Java keystore (JKS) that holds all CA certificates used by EP port 6443.

Steps:

  1. Obtain the external CA certificate file and, as needed, convert it to PEM format (ext-ca.pem).
  2. Onboard the external certificate to the secure, passphrase-protected staging JKS (/etc/ekm/ssl/external-kmip-cert.ks), adding it alongside the CORE Root CA certificate:

     sudo /opt/ekm/bin/ekm_config_kmip_cert.sh -c <path>/ext-ca.pem -a

  3. Move the staging JKS to a permanent location (<path>/ext-ca.ks):

     sudo mv /etc/ekm/ssl/external-kmip-cert.ks <path>/ext-ca.ks

  4. In the Server.xml File, copy the configuration of port 443 to 6443:
    1. Open the Server.xml File for editing.
    2. Locate the <Connector port="443" XML element.
    3. Copy and paste it (everything from "<" to "/>").
    4. In the cloned XML element, replace port 443 with 6443.
  5. Update port 6443: replace the truststoreFile specification from root_ca.ks to ext-ca.ks and keep the rest unchanged. The resulting configuration of the new port should look as follows:

    <Connector port="6443" protocol="com.dyadicsec.ekm.syscrypto.ObfuscatorProtocol"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
    clientAuth="want" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2" ciphers="HIGH+AESGCM"
    keystoreFile="${catalina.home}/../../etc/ekm/ssl/key.pfx"
    keystorePass="NotThePassword" keystoreType="pkcs12"
    truststoreFile="<path>/ext-ca.ks"
    truststorePass="NotThePassword" truststoreType="jks"/>

  6. Restart the EKM (Enterprise Key Management, the previous name of the product) Service on EP (see EKM Service Management).

Note
Since ext-ca.ks contains both the External CA and the CORE CA certificates, port 6443 can validate client certificates issued by either the External CA or the CORE CA.

Both Certificates Issued by External CA

This is the case when a client:

  • can't validate the EP certificate using the CORE Root CA.
  • must identify itself to EP using a certificate issued by External CA.

You must use External Client.

The additional steps:

  • the EP configuration described in the quickstart below.
  • the servers=<EP>:<port> setting in the client configuration must specify the EP port that will serve the client. See Servers Setting.

Quickstart 4

  1. Perform Quickstart 2.
  2. Perform Quickstart 3.
  3. Validate that the Server.xml File has the additional XML element:

    <Connector port="6443" protocol="com.dyadicsec.ekm.syscrypto.ObfuscatorProtocol"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
    clientAuth="want" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2" ciphers="HIGH+AESGCM"
    keystoreFile="${catalina.home}/../../etc/ekm/ssl/key_external.pfx"
    keystorePass="NotThePassword" keystoreType="pkcs12"
    truststoreFile="<path>/ext-ca.ks"
    truststorePass="NotThePassword" truststoreType="jks"/>

  4. Restart the EKM (Enterprise Key Management, the previous name of the product) Service on EP (see EKM Service Management).
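As an added example (not part of the product's documentation or tooling), the following Python script reads a Server.xml and reports, for a given connector port, which issuer case from this page it implements and whether its TLS settings match the reference configuration of Quickstarts 2 to 4. The Server.xml embedded in it is a constructed sample that mirrors the Quickstart 4 result; a real file carries more elements, and the /etc/ekm/ssl/ext-ca.ks location stands in for the <path> the quickstart leaves open.

```python
# Added check for the EP Server.xml produced by Quickstarts 2-4: map each
# <Connector> to the issuer case on this page from the keystore (EP's own
# certificate) and truststore (CAs accepted for client certificates) it uses,
# and flag TLS settings that differ from the reference configuration.
import xml.etree.ElementTree as ET

# Constructed sample Server.xml (not the product's real file); port 6443 is
# configured as in Quickstart 4, port 443 keeps the CORE CA defaults.
SAMPLE_SERVER_XML = """<Server>
 <Service name="Catalina">
  <Connector port="443" protocol="com.dyadicsec.ekm.syscrypto.ObfuscatorProtocol"
   maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
   clientAuth="want" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2" ciphers="HIGH+AESGCM"
   keystoreFile="${catalina.home}/../../etc/ekm/ssl/key.pfx"
   keystorePass="NotThePassword" keystoreType="pkcs12"
   truststoreFile="${catalina.home}/../../etc/ekm/ssl/root_ca.ks"
   truststorePass="NotThePassword" truststoreType="jks"/>
  <Connector port="6443" protocol="com.dyadicsec.ekm.syscrypto.ObfuscatorProtocol"
   maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
   clientAuth="want" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2" ciphers="HIGH+AESGCM"
   keystoreFile="${catalina.home}/../../etc/ekm/ssl/key_external.pfx"
   keystorePass="NotThePassword" keystoreType="pkcs12"
   truststoreFile="/etc/ekm/ssl/ext-ca.ks"
   truststorePass="NotThePassword" truststoreType="jks"/>
 </Service>
</Server>"""

# Quickstart file names mapped to what they mean for the port that uses them.
EP_CERT_ISSUER = {"key.pfx": "CORE CA", "key_external.pfx": "External CA"}
CLIENT_CA_SET = {"root_ca.ks": "CORE CA", "ext-ca.ks": "External CA + CORE CA"}
# Attribute values every EP connector on this page carries.
EXPECTED = {"SSLEnabled": "true", "sslEnabledProtocols": "TLSv1.2",
            "keystoreType": "pkcs12", "truststoreType": "jks"}

def issuer_case(xml_text, port):
    """Return (ep_cert_issuer, accepted_client_cas, findings) for `port`."""
    root = ET.fromstring(xml_text)
    conn = next((c for c in root.iter("Connector") if c.get("port") == str(port)), None)
    if conn is None:
        raise ValueError(f"no Connector on port {port}")
    keystore = conn.get("keystoreFile", "").rsplit("/", 1)[-1]
    truststore = conn.get("truststoreFile", "").rsplit("/", 1)[-1]
    findings = [f"{k}={conn.get(k)!r}, expected {v!r}"
                for k, v in EXPECTED.items() if conn.get(k) != v]
    if conn.get("clientAuth") not in ("want", "true"):
        findings.append("clientAuth does not request a client certificate")
    return (EP_CERT_ISSUER.get(keystore, "unknown"),
            CLIENT_CA_SET.get(truststore, "unknown"), findings)
```

Run issuer_case(open("Server.xml").read(), 6443) on a real EP after Quickstart 4: it should report ("External CA", "External CA + CORE CA", []), and any non-empty findings list points at a connector attribute that drifted from the reference.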