Certificate Management on

Certificates in the ESA

Mon, 01 Jan 0001 00:00:00 +0000

Digital certificates are used to encrypt online communication and authentication between two entities. For two entities exchanging sensitive information, the one that initiates the request for exchange can be called the client. The one that receives the request and constitutes the other entity can be called the server.

The authentication of both the client and the server involves the use of digital certificates issued by the trusted Certificate Authorities (CAs). The client authenticates itself to a server using its client certificate. Similarly, the server also authenticates itself to the client using the server certificate. Thus, certificate-based communication and authentication involves a client certificate, server certificate, and a certifying authority that authenticates the client and server certificates.

Certificates in DSG

Mon, 01 Jan 0001 00:00:00 +0000

During the install process of DSG, a series of self-signed SSL Certificates are generated. You may use it in a non-production environment. It is recommended to use your own certificate for production use.

To view the certificates:

On the ESA/DSG Web UI, navigate to Cloud Gateway > 3.3.0.0{build_number} > Transport > Certificate/Key Material.
On the Certificate/Key Material screen, view the certificates.

When you install a DSG node, the following types of certificates and keys are generated:

Replicating Certificates in a Trusted Appliance Cluster

Mon, 01 Jan 0001 00:00:00 +0000

The following figure illustrates the replication of certificates between two ESAs in a TAC.

The figure depicts two ESAs in a TAC. The ESA1 contains the server and the client certificates. The certificates in ESA1 are signed by CA1. The Protectors communicate with ESA1 to retrieve the client certificate.

Note: The Subject attribute for the server certificates is CN=<hostname> and that of the client certificate is CN= Protegrity Client.

Insight Certificates

Mon, 01 Jan 0001 00:00:00 +0000

The default certificates provided are signed using the system-generated Protegrity-CA certificate. However, after installation custom certificates can be used. Ensure that all the certificates are signed by the same CA as shown in the following diagram.

Update the certificates in the following order:

Audit Store Cluster certificate
Audit Store REST certificate
PLUG client certificate for Audit Store
Analytics client certificate for Audit Store

The various certificates used for communication between the nodes with their descriptions are provided here. The passphrase for the certificates are stored in the /etc/ksa/certs directory.

Validating Certificates

Mon, 01 Jan 0001 00:00:00 +0000

Verifying the validity of a certificate

You can verify a client or a server certificate using the following commands:

```

openssl verify -CAfile /etc/ksa/certificates/CA.pem /etc/ksa/certificates/client.pem
openssl verify -CAfile /etc/ksa/certificates/CA.pem /etc/ksa/certificates/ws/server.pem

```

If the client or server certificate is signed by the provided CA certificate, then the certificate is valid. The message **OK** appears.

Verifying the purpose of a certificate

You can verify if the certificate is a client, a server, or a CA certificate using the following command: