Cryptographic Security Platform Compliance Manager Certificates

Cryptographic Security Platform Compliance Manager requires that an SSL certificate be installed on each Cryptographic Security Platform Compliance Manager node in a cluster. Each Cryptographic Security Platform Compliance Manager instance is installed with two web servers:

  • An internal web server that manages the Cryptographic Security Platform Compliance Manager node-to-node cluster communication on port 8443.
  • An external web server that manages the Cryptographic Security Platform Appliance Management webGUI on port 443.

By default, Cryptographic Security Platform Compliance Manager includes a component for creating a Root Certificate Authority (CA) that can generate digital certificates. When the first Cryptographic Security Platform Compliance Manager node is installed, it creates a Private and Public CA that it also stores in the Cryptographic Security Platform Compliance Manager object store.

The first Cryptographic Security Platform Compliance Manager node then uses the Private CA to create an SSL certificate for the internal web server that contains the hostname (FQDN) as well as the IP address of the Cryptographic Security Platform Compliance Manager node. It uses the Public CA to create an SSL certificate for the external web server that contains the hostname, both short and FQDN, as well as the IP address of the Cryptographic Security Platform Compliance Manager node. When the node reboots, Cryptographic Security Platform Compliance Manager checks the IP address and recreates the SSL certificate if the IP address has changed.

Cryptographic Security Platform Compliance Manager node-to-node communication is on a TLS channel and uses SSL certificates issued by the Private CA to secure communication. When additional Cryptographic Security Platform Compliance Manager nodes are added to the cluster, the first Cryptographic Security Platform Compliance Manager node shares the Private and Public CA through the Cryptographic Security Platform Compliance Manager object store over an HTTPS connection.
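As an added example (not part of the product documentation or the product's own tooling), the following script builds a throwaway CA and a node certificate carrying the external web server's SAN set described above (short hostname, FQDN and IP address), and defines a check that a certificate chains to the expected CA and contains every expected name. The hostname cspcm01.example.internal and the IP address 192.0.2.10 are constructed values; only openssl is required.

```shell
#!/bin/sh
# Added example: verify that a node certificate chains to the expected CA and
# that its subjectAltName holds the short hostname, FQDN and IP address.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed node identity (not a real host).
FQDN=cspcm01.example.internal
SHORT=cspcm01
IP=192.0.2.10

# Constructed CA standing in for the node's Public CA.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=Constructed Public CA" -days 1 >/dev/null 2>&1

# Certificate for the external web server: short name, FQDN and IP in the SAN.
openssl req -newkey rsa:2048 -nodes -keyout node.key -out node.csr \
  -subj "/CN=$FQDN" >/dev/null 2>&1
printf 'subjectAltName=DNS:%s,DNS:%s,IP:%s\n' "$FQDN" "$SHORT" "$IP" > san.ext
openssl x509 -req -in node.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out node.crt -days 1 -extfile san.ext >/dev/null 2>&1

# check_cert CERT CA NAME... -> 0 when CERT verifies against CA and every NAME
# (DNS name or IP address) appears as a complete SAN entry, 1 otherwise.
check_cert() {
  cert=$1; ca=$2; shift 2
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
  # Pull the SAN line, drop spaces ("IP Address" -> "IPAddress") and add a
  # trailing comma so that each entry is matched whole, not as a prefix.
  san=$(openssl x509 -in "$cert" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' ')
  san="$san,"
  for name in "$@"; do
    case "$san" in
      *"DNS:$name,"*|*"IPAddress:$name,"*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

check_cert node.crt ca.crt "$FQDN" "$SHORT" "$IP" && echo "node.crt: OK"
```

To run the check against a live node, save the certificate served on port 443 or 8443 (for example from the output of openssl s_client) and the CA certificate exported from the node, and pass them to check_cert with the names the node should carry.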

Cryptographic Security Platform Compliance Manager Certificate Options

You can replace the default SSL certificate configured on the external and internal web servers with an externally signed SSL certificate at any time by uploading the externally signed SSL certificate and its associated CA certificate to one of the Cryptographic Security Platform Compliance Manager nodes in the cluster.

If an externally signed SSL certificate is uploaded to be installed on the internal web server, Cryptographic Security Platform Compliance Manager automatically distributes the updated CA certificate to all other nodes in the cluster.