Internal Certificate Authority

From iDENprotect Knowledge Base

If you have not made any configuration changes yet, please see How to make configuration changes

Introduction

The idenprotect Core Platform can integrate with an external CA or it can use its own internal CA. Not all parameters are required for all CA Types.

Other CA configuration articles are Certificate Authority Server Configuration, Certificate Authority Profile Name Configuration and Certificate Authority Stores Configuration.

For more information on other Certificate Authorities, see one of the following articles:

Internal Certificate Authority

The Internal Certificate Authority (CA) is a lightweight CA that can be used to sign the certificates within an idenprotect installation.

It can be used with little or no configuration, but there are some changes that an administrator may want to make.

Required Configuration

During installation, idenprotect Core Platform creates Java KeyStore (keystore.jks) and TrustStore (truststore.jks) files in the /etc/idenprotect/ directory. The created files contain placeholder CA certificates suitable for running idenprotect Core Platform for development or testing purposes. The placeholder certificates are self-signed, and their subject can be set by editing the value of CA Key Store Subject.

When idenprotect Core Platform is run in production use, the certificates in the JKS files should be replaced with your organization’s signed certificates.

The internal CA supports both RSA and EC signature algorithms; the algorithm is chosen through the corresponding settings. These settings specify how the root certificates are signed.

It is also possible to create these keystores manually to support Chaining Certificate Authorities.

Server Configuration

The following Server configuration properties are required for the internal CA. For more information, see Certificate Authority Server Configuration.

Stores Configuration

The following Stores configuration properties are required for the internal CA. For more information, see Certificate Authority Stores Configuration.

  • CA Key Store Alias (default is idenprotect)
  • CA Key Store Password (default is cakeystorepass)
  • CA Key Store Path (default is /etc/idenprotect/)
  • CA Key Store Subject (default is C=GB, ST=LEEDS, OU=IT, CN=testIdenprotect)

Profiles Configuration

Note that this configuration is different from the Certificate Authority Profile Name Configuration and is not editable via the idenprotect Core Platform Admin Console.

The Internal CA signs certificates for idenprotect using a number of pre-defined certificate profiles. However, some of their parameters can be configured, specifically the signature algorithm used to sign the certificate and the validity of the certificate.

This configuration specifies the validity period and signature algorithm for the different certificates used by idenprotect Core Platform, namely the Server Certificate, the Device Certificate, the Secure Enclave Certificate and the Ephemeral Certificate. The changes are made in the following file:

  • Server file system: /etc/idenprotect/ca.properties

Parameters for Profiles

  Parameter in Properties File   Default Value
  server.validity                315000000
  server.sigAlgo                 SHA256withECDSA
  ephemeral.validity             28800
  ephemeral.sigAlgo              SHA512withRSA
  secenc.validity                6400000
  secenc.sigAlgo                 SHA256withECDSA
  device.validity                6400000
  device.sigAlgo                 SHA256withRSA
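As an added example (not part of the idenprotect product or this knowledge base), the following script reads a ca.properties file in the format above, checks that every profile has a positive validity and a recognised signature algorithm, flags keys that match no profile, and reports any certificate lifetime longer than a policy limit. It assumes the validity values are in seconds and uses an assumed allow-list of JCA signature names; the embedded sample file is constructed from the defaults in the table.

```python
PROFILES = ("server", "ephemeral", "secenc", "device")
# Assumed allow-list of JCA signature names; not an official list from the product.
KNOWN_SIGALGOS = {"SHA256withRSA", "SHA384withRSA", "SHA512withRSA",
                  "SHA256withECDSA", "SHA384withECDSA", "SHA512withECDSA"}
# Constructed sample of /etc/idenprotect/ca.properties using the defaults on this page.
SAMPLE = """server.validity=315000000
server.sigAlgo=SHA256withECDSA
ephemeral.validity=28800
ephemeral.sigAlgo=SHA512withRSA
secenc.validity=6400000
secenc.sigAlgo=SHA256withECDSA
device.validity=6400000
device.sigAlgo=SHA256withRSA
"""

def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:  # fall back to the ':' separator that Java also accepts
            key, _, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props

def check_profiles(props, max_days):
    """Return findings (list of str) for the four profiles; [] means clean."""
    findings = []
    for profile in PROFILES:
        validity = props.get(f"{profile}.validity")
        sig_algo = props.get(f"{profile}.sigAlgo")
        if validity is None or sig_algo is None:
            findings.append(f"{profile}: validity or sigAlgo missing")
            continue
        if not validity.isdigit() or int(validity) == 0:
            findings.append(f"{profile}: validity must be a positive integer (seconds assumed)")
        elif int(validity) > max_days * 86400:  # lifetime longer than the policy allows
            findings.append(f"{profile}: validity {int(validity) / 86400:.1f} days exceeds {max_days}-day policy")
        if sig_algo not in KNOWN_SIGALGOS:
            findings.append(f"{profile}: unrecognised sigAlgo {sig_algo!r}")
    for key in props:  # anything outside <profile>.validity / <profile>.sigAlgo is likely a typo
        head, _, tail = key.rpartition(".")
        if head not in PROFILES or tail not in ("validity", "sigAlgo"):
            findings.append(f"unexpected key {key!r}")
    return findings
```

Run it against the real file with `check_profiles(parse_properties(open("/etc/idenprotect/ca.properties").read()), 365)` to see which profiles exceed a one-year lifetime under the defaults.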

Creating a keypair

Navigate to CONFIG -> Internal CA tab.

Set new values for CA Keystore subject and click submit. You can use your own Keystore as root.

Warning! This will create new keys (keystore.jks and truststore.jks) for the Internal CA Server and may change the issuer DN.

Old keys will be backed up and can be found at /etc/idenprotect/ folder.