Certificate Management in ESA

Provides information about how the certificates are managed in ESA.

When ESA is installed, it generates default self-signed certificates in X.509 v3 PEM format. These certificates are:

  • CA Certificate – This consists of the CA.pem and CA.key files.
  • Server Certificate – This consists of the server.pem and server.key files.
  • Client Certificate – This consists of the client.pem and client.key files.

The services that use and manage these certificates are:

  • Management – The service that manages certificate-based communication and authentication between ESA and its internal components, such as LDAP, the Appliance queue, and protectors.
  • Web Services – The service that manages certificate-based communication and authentication between ESA and external clients (REST).
  • Consul – The service that manages the certificates used between the Consul server and the Consul client.

ESA provides a certificate manager where you can manage the default certificates and also upload your own CA-signed certificates. The manager comprises two components:

  • Certificate Repository
  • Manage Certificates

Note: When creating a CA-signed client certificate that you want to use in ESA, the CN attribute of the client certificate must be set to "Protegrity Client". ESA uses this value to identify the client, so a certificate with any other CN is not accepted.

If your certificate chain contains CA cross-signed certificates that chain to the legacy AddTrust External CA Root (expired May 30, 2020), then you must upload the active intermediate certificates from the Manage Certificates page. Expired certificates in the certificate chain can cause certificate validation and connection failures.

For more information about uploading the updated certificates, refer to the section Changing Certificates.

For more information about the CA cross-sign certificates with the AddTrust legacy, refer to https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020.

If other attributes, such as an email address or a name, are appended to the CN attribute, then perform the following steps so that ESA reads only Protegrity Client from the CN attribute.

For example, if the CN attribute is set as Protegrity Client/emailAddress=user@abc.com, then the attributes appended after the / delimiter must be dropped when ESA extracts the user name from the certificate.

  1. In the ESA CLI Manager, navigate to Administration > OS Console

  2. Open the pty_get_username_from_certificate.py file using a text editor.

    /etc/ksa/pty_get_username_from_certificate.py
    
  3. Comment out the line that defines the regular expression for the CN attribute and add the following line in its place:

    REG_EX_GET_VAL_AFTER_CN = "CN=(.*?)\/"
    
  4. Save the changes.

  5. Navigate to Administration > Services

  6. Restart the Service Dispatcher service.
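The following Python is an added example, not code from this page or from Protegrity's pty_get_username_from_certificate.py. It shows what the regular expression from step 3 extracts from a subject string that has attributes appended after the CN, and checks the extracted value against the mandatory Protegrity Client CN from the note above. The greedy pattern used for contrast, the sample subject strings (constructed in OpenSSL's one-line, "/"-delimited form) and the `[^/]*` variant are this example's own assumptions; the page shows only the replacement regular expression.

```python
import re
from typing import Optional

# Pattern from step 3 for pty_get_username_from_certificate.py, written here as a
# raw string (equivalent to the "CN=(.*?)\/" shown on the page): the lazy quantifier
# stops at the first "/", so anything appended after the CN is dropped.
REG_EX_GET_VAL_AFTER_CN = r"CN=(.*?)\/"

# Hypothetical greedy pattern used only for contrast (the page does not show the
# line it replaces): it captures everything after "CN=", appended attributes included.
REG_EX_GREEDY = r"CN=(.*)"

# Suggested variant (this example's own, not from the page): capture up to the next
# "/" or the end of the string, so a CN with nothing appended after it also matches.
REG_EX_ROBUST = r"CN=([^/]*)"

# CN value ESA requires on a CA-signed client certificate (from the page).
REQUIRED_CLIENT_CN = "Protegrity Client"


def get_cn(subject: str, pattern: str) -> Optional[str]:
    """Return the CN value a pattern extracts from a subject string, or None on no match."""
    match = re.search(pattern, subject)
    return match.group(1).strip() if match else None


def client_cn_is_valid(subject: str, pattern: str) -> bool:
    """True only if the extracted CN is exactly the CN ESA expects on a client certificate."""
    return get_cn(subject, pattern) == REQUIRED_CLIENT_CN


# Constructed sample subjects (assumption: OpenSSL one-line, "/"-delimited form).
SUBJECTS = {
    "cn_with_email": "CN=Protegrity Client/emailAddress=user@abc.com",
    "full_dn": "/C=US/O=Example Corp/CN=Protegrity Client/emailAddress=user@abc.com",
    "cn_only": "CN=Protegrity Client",
    "wrong_cn": "/C=US/CN=Some Other Client/emailAddress=user@abc.com",
}


def compare_patterns(subject: str) -> dict:
    """Extract the CN with each pattern so the differences can be inspected side by side."""
    return {
        "greedy": get_cn(subject, REG_EX_GREEDY),
        "page": get_cn(subject, REG_EX_GET_VAL_AFTER_CN),
        "robust": get_cn(subject, REG_EX_ROBUST),
    }


if __name__ == "__main__":
    for name, subject in SUBJECTS.items():
        print(name, subject)
        for label, value in compare_patterns(subject).items():
            print(f"  {label:7s} -> {value!r}  valid={value == REQUIRED_CLIENT_CN}")
```

Running the block shows the caveat worth checking before you rely on the step 3 pattern: because it requires a "/" after the CN, a subject whose CN is the last component (the cn_only sample) does not match at all and the client is rejected, whereas the `[^/]*` variant accepts both shapes. Confirm against the actual subject format the script receives on your ESA before changing the regular expression further.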


Certificate Repository

The certificate repository is the store where ESA keeps all the certificates. It lets you upload certificates to the repository, and it also lets you upload a Certificate Revocation List (CRL).

Uploading Certificates

Describes how to upload certificates through the Certificate Repository screen.

Uploading Certificate Revocation List

Explains the steps to upload the Certificate Revocation List (CRL) through the Certificate Repository screen.

Manage Certificates

The Manage Certificates module is used to select the certificates that you want to make active, so that ESA uses them for its communication with the various internal components. It also lets you select the certificate revocation list that you want to activate.

Changing Certificates

Describes how to change certificates through the Manage Certificates screen.

Changing CRL

Describes how to change the CRL through the Manage Certificates screen.

Last modified February 7, 2025