Internal Certificate Authority
If you have not made any configuration changes yet, please see How to make configuration changes
Introduction
The idenprotect Core Platform can integrate with an external CA or it can use its own internal CA. Not all parameters are required for all CA Types.
Other CA configuration articles are Certificate Authority Server Configuration, Certificate Authority Profile Name Configuration, and Certificate Authority Stores Configuration.
For more information on other Certificate Authorities, see one of the following articles:
Internal Certificate Authority
The Internal Certificate Authority (CA) is a lightweight CA that can be used to sign the certificates within an idenprotect installation.
It can be used with little or no configuration, but there are some changes that an administrator may want to make.
Required Configuration
During installation, idenprotect Core Platform creates Java KeyStore (keystore.jks) and TrustStore (truststore.jks) files in the /etc/idenprotect/ directory. The created files contain placeholder CA certificates suitable for running idenprotect Core Platform for development or testing purposes. The placeholder certificates are self-signed, and the subject of the placeholder certificate can be set by editing the value of CA Key Store Subject.
When idenprotect Core Platform is run in production use, the certificates in the JKS files should be replaced with your organization's signed certificates.
The internal CA supports both RSA and EC signature algorithms, selected through the settings described below. These settings determine how the root certificates are signed.
It is also possible to create these keystores manually to support Chaining Certificate Authorities.
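As an added illustration (not code from idenprotect or its documentation), the following Python script checks whether the CA entry in keystore.jks is still the self-signed placeholder described above. It reads the Owner and Issuer lines that keytool -list -v prints for the alias; a certificate whose issuer equals its subject has not been replaced with an organization-signed one. It assumes a JDK keytool on PATH and uses the default path, alias and password from this page; the sample listing embedded in it is constructed.

```python
"""Added example (not idenprotect's own code): detect whether the CA entry in an
idenprotect keystore is still the self-signed placeholder created at install time.

Assumptions: a JDK `keytool` is on PATH, and the store path, alias and password
follow the defaults documented on this page. Nothing here modifies the keystore.
"""
import subprocess

KEYSTORE = "/etc/idenprotect/keystore.jks"   # CA Key Store Path default + file name
ALIAS = "idenprotect"                         # CA Key Store Alias default
STOREPASS = "cakeystorepass"                  # CA Key Store Password default


def parse_listing(listing: str) -> dict:
    """Pull the first certificate's Owner/Issuer (and signature algorithm, if present)
    out of `keytool -list -v` output for one alias. The first Owner/Issuer pair is the
    entity certificate; a chained store lists the issuing CA certificates after it."""
    info = {"owner": None, "issuer": None, "sig_alg": None}
    for line in listing.splitlines():
        line = line.strip()
        if line.startswith("Owner:") and info["owner"] is None:
            info["owner"] = line[len("Owner:"):].strip()
        elif line.startswith("Issuer:") and info["issuer"] is None:
            info["issuer"] = line[len("Issuer:"):].strip()
        elif line.startswith("Signature algorithm name:") and info["sig_alg"] is None:
            info["sig_alg"] = line.split(":", 1)[1].strip()
    return info


def classify(info: dict) -> str:
    """'self-signed' means the placeholder (or a root you generated yourself) is still
    in place; 'ca-signed' means an issuer other than the subject signed the entry."""
    if not info["owner"] or not info["issuer"]:
        return "unknown"
    return "self-signed" if info["owner"] == info["issuer"] else "ca-signed"


def check_keystore(path=KEYSTORE, alias=ALIAS, storepass=STOREPASS) -> str:
    """Run keytool against a real store and classify the CA entry."""
    try:
        out = subprocess.run(
            ["keytool", "-list", "-v", "-keystore", path,
             "-alias", alias, "-storepass", storepass],
            capture_output=True, text=True, check=False,
        ).stdout
    except FileNotFoundError:
        return "unknown"   # no keytool on PATH; nothing to inspect
    return classify(parse_listing(out))


# Constructed sample listing, shaped like keytool's verbose output for the
# placeholder CA created with the default CA Key Store Subject.
SAMPLE_PLACEHOLDER = """\
Alias name: idenprotect
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=testIdenprotect, OU=IT, ST=LEEDS, C=GB
Issuer: CN=testIdenprotect, OU=IT, ST=LEEDS, C=GB
Signature algorithm name: SHA256withECDSA
"""

if __name__ == "__main__":
    print("sample placeholder store:", classify(parse_listing(SAMPLE_PLACEHOLDER)))
    print("live store:", check_keystore())
```

Run it on the server as root (the store password is passed on the command line to keytool, so treat the shell history accordingly). A result of self-signed on a production host means the placeholder described in this section was never replaced.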
Server Configuration
The following Server configuration properties are required for the internal CA. For more information, see Certificate Authority Server Configuration.
- Elliptic Curve Signing Algorithm (default is SHA256withECDSA)
- RSA Signing Algorithm (default is SHA512withRSA)
- CRL Distribution Point (default is http://{host}/public/crl.crl). See more: Revoking Certificates.
Stores Configuration
The following Stores configuration properties are required for the internal CA. For more information, see Certificate Authority Stores Configuration.
- CA Key Store Alias (default is idenprotect)
- CA Key Store Password (default is cakeystorepass)
- CA Key Store Path (default is /etc/idenprotect/)
- CA Key Store Subject (default is C=GB, ST=LEEDS, OU=IT, CN=testIdenprotect)
Profiles Configuration
Note that this configuration is different from the Certificate Authority Profile Name Configuration and is not editable via the idenprotect Core Platform Admin Console.
The Internal CA signs certificates for idenprotect using a number of pre-defined certificate profiles. Some parameters of these profiles can be configured, specifically the signature algorithm used to sign the certificate and the validity of the certificate.
This configuration specifies the validity period and signature algorithm for the different certificates used by idenprotect Core Platform, namely the Server Certificate, the Device Certificate, the Secure Enclave certificate, and the Ephemeral Certificate. The changes are made in the following file:
- Server file system in /etc/idenprotect/ca.properties
Parameter in Properties File | Default Value |
---|---|
server.validity | 315000000 |
server.sigAlgo | SHA256withECDSA |
ephemeral.validity | 28800 |
ephemeral.sigAlgo | SHA512withRSA |
secenc.validity | 6400000 |
secenc.sigAlgo | SHA256withECDSA |
device.validity | 6400000 |
device.sigAlgo | SHA256withRSA |
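The following Python script is an added example, not part of the product, for reviewing a ca.properties file against the profile settings in the table above: it parses the file, renders each validity as days and hours so the lifetimes are easy to compare, and flags a missing profile, a non-positive validity, or a signature algorithm outside a small accepted set of JCA names. The page does not state the unit of the validity values; the script assumes seconds (under which the ephemeral default of 28800 reads as 8 hours). The sample properties text embedded in it is constructed from the defaults above, with one deliberately weak device.sigAlgo line so the output shows a finding.

```python
"""Added example (not part of idenprotect): parse /etc/idenprotect/ca.properties and
sanity-check the per-profile validity and signature-algorithm settings.

Assumption: the `*.validity` values are lifetimes in seconds (the page does not state
the unit). Accepted algorithm names are JCA standard signature algorithm names.
"""
from datetime import timedelta

PROFILES = ("server", "ephemeral", "secenc", "device")

# JCA signature algorithm names this checker accepts for newly issued certificates.
ACCEPTED_SIG_ALGOS = {
    "SHA256withRSA", "SHA384withRSA", "SHA512withRSA",
    "SHA256withECDSA", "SHA384withECDSA", "SHA512withECDSA",
}

# Constructed sample using the defaults from the table, plus one deliberately weak
# line (device.sigAlgo) to show what the checker reports.
SAMPLE_CA_PROPERTIES = """\
# idenprotect internal CA profile settings (constructed sample)
server.validity=315000000
server.sigAlgo=SHA256withECDSA
ephemeral.validity=28800
ephemeral.sigAlgo=SHA512withRSA
secenc.validity=6400000
secenc.sigAlgo=SHA256withECDSA
device.validity=6400000
device.sigAlgo=SHA1withRSA
"""


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value (or key:value) lines,
    '#' / '!' comment lines, surrounding whitespace trimmed."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def describe_validity(seconds: int) -> str:
    """Render a lifetime in seconds as whole days and remaining hours."""
    td = timedelta(seconds=seconds)
    return f"{td.days}d {td.seconds // 3600}h"


def check_profiles(props: dict) -> list:
    """Return (profile, message) findings; an empty list means nothing was flagged."""
    findings = []
    for p in PROFILES:
        validity = props.get(f"{p}.validity")
        sig = props.get(f"{p}.sigAlgo")
        if validity is None or sig is None:
            findings.append((p, "missing validity or sigAlgo"))
            continue
        if not validity.isdigit() or int(validity) <= 0:
            findings.append((p, f"validity must be a positive integer, got {validity!r}"))
        if sig not in ACCEPTED_SIG_ALGOS:
            findings.append((p, f"signature algorithm {sig} is not in the accepted set"))
    return findings


def report(props: dict) -> None:
    """Print one line per profile, then any findings."""
    for p in PROFILES:
        validity = props.get(f"{p}.validity", "")
        lifetime = describe_validity(int(validity)) if validity.isdigit() else "?"
        print(f"{p:10} validity={validity:>10} ({lifetime})  sigAlgo={props.get(f'{p}.sigAlgo')}")
    for profile, msg in check_profiles(props):
        print(f"FINDING [{profile}]: {msg}")


if __name__ == "__main__":
    # Replace SAMPLE_CA_PROPERTIES with open("/etc/idenprotect/ca.properties").read()
    # to review the live file.
    report(parse_properties(SAMPLE_CA_PROPERTIES))
```

Keeping the ephemeral profile short-lived and the long-lived profiles on a current SHA-2 algorithm is the intent of the check; adjust ACCEPTED_SIG_ALGOS if your policy permits other JCA names.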
Creating a keypair
Navigate to CONFIG -> Internal CA tab.
Set new values for the CA Key Store Subject and click submit. You can also use your own keystore as the root.
Warning! This will create new keys (keystore.jks and truststore.jks) for the Internal CA Server and may change the issuer DN.
The old keys are backed up and can be found in the /etc/idenprotect/ folder.