Certificate Scripts

This set of scripts addresses the following tasks:

ekm_root_ca_prepare_next

When executed in parallel on the selected pair of servers (the main EP and its partner), this script generates the next-root-ca key and certificate.

Syntax:

ekm_root_ca_prepare_next
[-f,--force]            overwrite the next key that was prepared in the past
[-a,--attempts <arg>]   number of attempts to reach the partner. Default: 2000
[-t,--timeout <arg>]    gap in seconds between connection attempts. Default: 1 sec

To review the new key and certificate, examine the root partition.

CORE allows only one next-root-ca-key. An attempt to create an additional key results in an error. To overwrite the pending next-key, run the command with the --force option.

Example:

sudo /opt/ekm/bin/ekm_root_ca_prepare_next.sh --force

In the EP, the expected response is:

... INITIALIZE_ENGINE_SSL
... SEND_KEEP_ALIVE
... GENERATE_NEXT_ROOT_CA_CERTIFICATE
... DONE
Operation completed successfully

Important
After successful execution, start the EKM (Enterprise Key Management, the previous name of the product) service. Refer to EKM Service Management.

ekm_root_ca_trust_next

When executed on a CORE server, this script contacts the main EP server, obtains the next-root-ca-certificate, and adds it to the server's CORE CA trust repository.

ekm_root_ca_trust_next
[-s,--self <arg>]   // EP Certified-IP
[-o <port>]         // EP Bootstrap-Port

Example:

sudo /opt/ekm/bin/ekm_root_ca_trust_next.sh

Note
This command must be executed on all servers in the cluster that created the next-root-ca-certificate using the ekm_root_ca_prepare_next script. This requirement includes the main EP and Partner servers.

ekm_root_ca_move_next

This script promotes the next-root-ca-key to become the active root-ca-key. Run it only after every server in the cluster has trusted the next certificate with ekm_root_ca_trust_next; otherwise servers that have not yet trusted it will reject certificates issued by the new root.

ekm_root_ca_move_next
[-s,--self <arg>]   // EP Certified-IP
[-o <port>]         // EP Bootstrap-Port

Example:

sudo /opt/ekm/bin/ekm_root_ca_move_next.sh

ekm_renew_server_certificate

The ekm_renew_server_certificate script serves the following purposes:

  1. Renew the certificate.
  2. Modify its SAN (Subject Alternative Names) list. This replaces the initial SAN list generated during the server's bootstrap. It is required when a CORE client cannot refer to the server by any of the names or IP addresses stored in the server's SAN list.

    Tip
    To examine the SAN list of the EP server's certificate, use the CORE UI or
    openssl x509 -in /etc/ekm/ssl/cert.crt -noout -text
    The server hostnames and IP addresses appear under X509v3 Subject Alternative Name.

Syntax:

ekm_renew_server_certificate.sh
[-n,--names <arg>]
[--ignore]
[-s,--self <arg>]   // Certified-IP
[-o <port>]         // Server's Bootstrap-Port

--names
Comma-separated (CSV) list of IP addresses and DNS names to store in the certificate's SAN list. The previous list is overwritten. To clear the list of any additional names, omit the --names option.
--ignore
Do not check the validity of the current certificate before renewing it.

Example:

sudo /opt/ekm/bin/ekm_renew_server_certificate.sh \
--names ekmloadbalancer.demo.local,192.168.0.1
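The checks behind the Tip and the --ignore option above, as an added example that is not one of the EKM scripts: it lists the SAN entries of a PEM certificate, tells whether the names a client will use are all present (and so whether a renewal with --names is needed), and checks remaining validity with openssl's -checkend. It assumes the openssl CLI (1.1.1 or later) is installed; the certificate it inspects is a constructed throw-away self-signed one, with the hostname ep1.demo.local and the address 192.168.0.11 chosen for the sample, standing in for /etc/ekm/ssl/cert.crt.

```shell
#!/bin/sh
# Added example, not part of the EKM scripts: inspect a server certificate's SAN
# list and remaining validity before deciding whether to run
# ekm_renew_server_certificate.sh. Requires the openssl CLI (1.1.1+ for -addext).
set -eu

# Print each SAN entry (DNS name or IP address) of a PEM certificate, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' \
    | tr ',' '\n' \
    | sed -e 's/^[[:space:]]*//' -e 's/^DNS://' -e 's/^IP Address://'
}

# Return 0 if NAME (hostname or IP) is in the certificate's SAN list, 1 otherwise.
cert_has_san() {
  cert_sans "$1" | grep -Fxq -- "$2"
}

# Return 0 if the certificate stays valid for at least DAYS more days.
# This is the kind of validity check that --ignore skips.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Print the names from the argument list that are NOT in the SAN list;
# return 1 if any is missing (i.e. a renewal with --names is needed).
missing_sans() {
  crt=$1; shift
  rc=0
  for want in "$@"; do
    if ! cert_has_san "$crt" "$want"; then
      echo "$want"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample: a throw-away self-signed certificate standing in for
# /etc/ekm/ssl/cert.crt, with the SAN list an EP server might carry after bootstrap.
# $1 = output certificate, $2 = output key
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$2" -out "$1" \
    -subj "/CN=ep1.demo.local" \
    -addext "subjectAltName=DNS:ep1.demo.local,IP:192.168.0.11" \
    >/dev/null 2>&1
}

if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  make_sample_cert "$work/cert.crt" "$work/key.pem"
  echo "SAN entries:"; cert_sans "$work/cert.crt"
  # Clients will also reach the EP through a load balancer name and address.
  if ! missing_sans "$work/cert.crt" ep1.demo.local ekmloadbalancer.demo.local 192.168.0.1; then
    echo "missing from SAN; renew with:"
    echo "  sudo /opt/ekm/bin/ekm_renew_server_certificate.sh --names ekmloadbalancer.demo.local,192.168.0.1"
  fi
  cert_valid_for_days "$work/cert.crt" 7 || echo "certificate expires within 7 days"
  rm -rf "$work"
fi
```

Against a real server, point the functions at /etc/ekm/ssl/cert.crt (for example `cert_sans /etc/ekm/ssl/cert.crt`); remember that --names overwrites the whole SAN list, so the list passed to the script must repeat every existing name that is still needed, not only the new ones.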

ekm_obfuscate_pfx

Applicable to EP servers. Required to support CORE or KMIP (Key Management Interoperability Protocol) clients that do not trust an EP certificate signed by the CORE Root CA. This script onboards an EP certificate signed by a CA the clients approve of, by creating or overwriting key-external.pfx in the Certificates Folder.

Note
This script is step 2 in the following sequence:
1. Create a CSR (Certificate Signing Request) for the EP. Have the required CA sign it and obtain the signed certificate.
2. Onboard the new certificate to become the key-external.pfx of the EP.
3. Attach the certificate to the port that will handle such clients.
4. Restart the EKM service.

Syntax:

/opt/ekm/bin/ekm_obfuscate_pfx.sh
-p,--pfx <arg>        // Path to the PFX of the EP signed by the external CA
-w,--password <arg>   // Password of the external PFX
[-o,--port <arg>]     // EP Bootstrap-Port. Default: 443
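Step 1 of the sequence above, the part the EKM scripts do not cover, as an added example (not one of the EKM scripts) using the openssl CLI: it creates the EP key and a CSR carrying the SAN list, has a CA sign the CSR, and packs key, certificate and CA chain into a PFX of the form ekm_obfuscate_pfx.sh takes with -p and -w. The CA here is a constructed throw-away stand-in for the client-approved CA; in production the CSR goes to that CA and its returned certificate is used in its place. The names ep1.demo.local and 192.168.0.11, the file names and the password are all chosen for the sample.

```shell
#!/bin/sh
# Added example, not one of the EKM scripts: build the externally signed PFX
# that ekm_obfuscate_pfx.sh -p <pfx> -w <password> onboards. Requires the
# openssl CLI (1.1.1 or later). The "external CA" below is a constructed
# stand-in; with a real CA, send ep.csr and use the certificate it returns.
set -eu

# Constructed stand-in for the external CA: a key and a self-signed CA cert.
# $1 = output CA key, $2 = output CA certificate
make_external_ca() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1" -out "$1.csr" \
    -subj "/CN=Demo External CA" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$1.ext"
  openssl x509 -req -in "$1.csr" -signkey "$1" -days 365 -extfile "$1.ext" \
    -out "$2" >/dev/null 2>&1
}

# EP key and CSR. The CSR carries the SAN list clients will use to reach the EP.
# $1 = output key, $2 = output CSR, $3 = CN, $4 = SAN list (e.g. DNS:a,IP:1.2.3.4)
make_ep_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
    -subj "/CN=$3" -addext "subjectAltName=$4" >/dev/null 2>&1
}

# Sign the CSR with the CA as a TLS server certificate. The SAN list is passed
# again because `openssl x509 -req` does not copy CSR extensions by default
# (a real CA copies or overrides the requested SANs according to its policy).
# $1 = CSR, $2 = CA cert, $3 = CA key, $4 = SAN list, $5 = output certificate
sign_csr() {
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=%s\n' "$4" >"$5.ext"
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial -days 90 \
    -extfile "$5.ext" -out "$5" >/dev/null 2>&1
}

# Pack key, leaf certificate and CA chain into a PFX. PBES2/AES and a SHA-256
# MAC are requested explicitly so an older openssl does not fall back to
# RC2-40, which current OpenSSL refuses to read without the legacy provider.
# $1 = key, $2 = certificate, $3 = CA certificate, $4 = output PFX, $5 = password
make_pfx() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" -name ep-external \
    -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 \
    -out "$4" -passout "pass:$5"
}

# Return 0 if the PFX opens with the password and its leaf chains to CA cert $3.
# $1 = PFX, $2 = password, $3 = CA certificate
pfx_chains_to() {
  leaf=$(mktemp)
  if ! openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$leaf" 2>/dev/null; then
    rm -f "$leaf"; return 1
  fi
  if openssl verify -CAfile "$3" "$leaf" >/dev/null 2>&1; then rc=0; else rc=1; fi
  rm -f "$leaf"
  return $rc
}

# Whole flow in directory $1; prints the path of the resulting PFX.
# $2 = EP CN, $3 = SAN list, $4 = PFX password
build_external_pfx() {
  make_external_ca "$1/external-ca.key" "$1/external-ca.crt"
  make_ep_csr "$1/ep.key" "$1/ep.csr" "$2" "$3"
  sign_csr "$1/ep.csr" "$1/external-ca.crt" "$1/external-ca.key" "$3" "$1/ep.crt"
  make_pfx "$1/ep.key" "$1/ep.crt" "$1/external-ca.crt" "$1/key-external.pfx" "$4"
  echo "$1/key-external.pfx"
}

if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  pfx=$(build_external_pfx "$work" ep1.demo.local "DNS:ep1.demo.local,IP:192.168.0.11" demo-pfx-password)
  pfx_chains_to "$pfx" demo-pfx-password "$work/external-ca.crt" && echo "PFX ready: $pfx"
  echo "next: sudo /opt/ekm/bin/ekm_obfuscate_pfx.sh -p $pfx -w demo-pfx-password"
fi
```

The PFX password is given on the command line here for brevity; on a shared host prefer openssl's `-passout file:` or `env:` forms so it does not show up in the process list, and delete ep.key once the PFX has been onboarded, since the script itself carries the private key.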

ekm_config_kmip_cert

The script adds CA certificate(s) to the KMIP Trust Keystore that the EP uses to verify the certificates of KMIP (Key Management Interoperability Protocol) clients.

Syntax:

/opt/ekm/bin/ekm_config_kmip_cert.sh
-c,--cert <arg>         // Path to the external CA certificate in PEM format, or path to a JKS keystore file
[-a,--add_rootca]       // Also include the CORE Root CA certificate
[-w,--password <arg>]   // Password of the JKS keystore

Important

- To activate this change, restart the EKM service (see EKM Service Management).

In the following examples, we create:

To examine the content of the KMIP Trust Repository, use the keytool command.

Example:

keytool -list -v -keystore /etc/ekm/ssl/external-kmip-cert.ks

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries
//truncated

Note
- The alias name of the CORE Root CA certificate becomes Unbound UKC KMIP Root CA G1.
- The alias name of the external certificate becomes external_<random number>.