Certificate Management in ESA on

Certificate Repository

Mon, 01 Jan 0001 00:00:00 +0000

A Certificate Revocation List (CRL) is a list containing entries of digital certificates that are no longer trusted as they are revoked by the issuing Certificate Authority (CA). The digital certificates can be revoked for one of the following possible reasons:

The certificate is expired.
The certificate is compromised.
The certificate is lost.
The certificate is breached.

CRLs are used to avoid the usage of certificates that are revoked and are used at various endpoints including the web browsers. When a browser makes a connection to a site, the identity of the site owner is checked using the server’s digital certificate. Also, the validity of the digital certificate is verified by checking whether the digital certificate is not listed in the Certificate Revocation List. If the certificate entry is present in this list, then the authentication for that revoked certificate fails.

Uploading Certificates

Mon, 01 Jan 0001 00:00:00 +0000

To upload certificates:

On the ESA Web UI, navigate to Settings > Network > Certificate Repository.
Click Upload New Files.

The Upload new file to repository dialog box appears.
Click Certificate/Key to upload a certificate file and a private key file.

CAUTION: Certificates have a public and private key. The public key is mentioned in the certificate and as a best practice the private key is maintained as a separate file. In ESA, you can upload either the certificate file or both certificate and private key file together. In ESA Certificate Repository, it is mandatory to upload the certificate file.

Uploading Certificate Revocation List

Mon, 01 Jan 0001 00:00:00 +0000

Creating a CRL - An Example

To create a CRL:

In the CLI Manager, navigate to Administration > OS Console.

Run the following command to revoke a client certificate:

openssl ca -config demoCA/newcerts/openssl.cnf -revoke Client.crt -keyfile CA.key -cert CA.crt

Run the following command to generate a CRL:

openssl ca -config demoCA/newcerts/openssl.cnf -gencrl -keyfile CA.key -cert CA.crt -out Client.crl

Uploading the CRL

To upload CRL:

On the ESA Web UI, navigate to Settings > Network > Certificate Repository .

Manage Certificates

Mon, 01 Jan 0001 00:00:00 +0000

On the ESA Web UI, navigate to Settings > Network > Manage Certificates.

The following figure and table provides the actions available from the Manage Certificates screen.

Callout	Action	Description
1	Hover over the Help icon	Gives information about Management and Web Services groups.
2	Download server’s CA certificate	Download the server’s CA certificate. You can download only the server’s CA certificate and upload it to another certificate trust store to trust the server certificate for communication with ESA.
3	Hover over the icon	Gives additional information or details about a certificate.

Changing Certificates

Mon, 01 Jan 0001 00:00:00 +0000

To change certificates:

On the ESA Web UI, navigate to Settings > Network > Manage Certificates.
Click Change Certificates.

The Certificate Management wizard appears with CA certificate(s) section.
Select the check box next to the CA Certificate that you want to set as active.

CAUTION: This section shows server, client, and CA certificates together. However, ensure that you select only the required certificates in their respective screens. You can select multiple CA certificates for ESA Management and Web Services section. ESA allows you to have only one server and one client active at any given time.

Changing CRL

Mon, 01 Jan 0001 00:00:00 +0000

To change CRL:

On the ESA Web UI, navigate to Settings > Network > Manage Certificates.
Click Revocation List.

The Certificate Revocation List dialog box appears.
Select the Enable Certificate Revocation List check box.
Select the check box next to the CRL file that you want to set as active.
Click Apply.

A confirmation message appears.