Obtaining Trusted Certificates
It is recommended that you use trusted certificates for authenticating Key Manager front ends to Key Manager administrators. For this you will need to contact your corporate CA and enroll for a server certificate. Since it may take some time to get a response from the CA, the instructions in this section should be performed well before the rest of the Key Manager Server setup.
Using trusted certificates is optional. Key Manager provides utilities for setting up Key Manager front ends with self-signed certificates. If you are performing an evaluation installation of Key Manager, or if your corporation lacks a CA, you can skip this section.
Obtaining a trusted certificate usually involves the following:
- Create a private key for the server:
  # openssl genrsa -out server.key 2048
  This generates the server key server.key in the current working directory.
- Generate a Certificate Signing Request (CSR) (replace keymanager.example.com with the address of the machine):
  # openssl req -subj '/CN=keymanager.example.com' -key server.key -new -out server.csr
  This generates the CSR server.csr in the current working directory.
- Enroll for the server certificate by sending the CSR to your CA. Your CA should then provide you with the server certificate file and the CA-certificate chain (a file containing the CA certificates up to a trusted root CA).
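The three steps above as an added shell example, not taken from the Key Manager documentation: it runs the same openssl commands to produce the key and CSR, checks the CSR before it is sent to the CA (signature verifies, public key matches server.key), and, once the CA has responded, checks that the issued certificate chains to the CA bundle and belongs to the key. The hostname and the file names server.crt and chain.pem are assumptions.

```shell
#!/bin/sh
# Added example (not part of the Key Manager documentation): create and sanity-check
# the key, CSR and issued certificate. Hostname and file names are assumptions.
set -eu

# Creates server.key and server.csr in directory $1 for hostname $2.
make_csr() {
    dir="$1"; host="$2"
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -subj "/CN=$host" -key "$dir/server.key" -new -out "$dir/server.csr"
}

# Returns 0 when the CSR is self-consistent: its self-signature verifies and its
# public key is the one derived from server.key (catches a wrong or swapped key file).
check_csr() {
    dir="$1"
    openssl req -in "$dir/server.csr" -noout -verify >/dev/null 2>&1 || return 1
    key_pub=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null)
    csr_pub=$(openssl req -in "$dir/server.csr" -noout -pubkey 2>/dev/null)
    [ "$key_pub" = "$csr_pub" ]
}

# Prints the subject the CA will sign, to compare against the Key Manager address.
csr_subject() {
    openssl req -in "$1/server.csr" -noout -subject
}

# After the CA responds: returns 0 when server.crt validates against the CA chain
# (chain.pem, assumed name) and its public key matches server.key.
check_issued_cert() {
    dir="$1"
    openssl verify -CAfile "$dir/chain.pem" "$dir/server.crt" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null)
    [ "$cert_pub" = "$key_pub" ]
}
```

Run check_issued_cert only after the CA has returned server.crt and chain.pem; a failure there usually means the wrong chain file or a certificate issued for a different key.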
API clients such as the Key Manager command-line client also use certificates to authenticate to Key Manager back ends. If your client certificates are issued by a different CA than the one issuing your server certificates, you must also obtain the certificate chain of that CA.
Note: It is possible to use trusted certificates for authenticating the Key Manager Server, while using self-signed certificates for authenticating Key Manager command-line clients.
You should now have the necessary certificate files:
- Server key
- Server certificate
- Certificate chain of the CA that issued the server certificate
- Certificate chain of the CA that issues/issued client certificates (client-certificate CA)