Cryptographic Security Platform Vault Certificates
Cryptographic Security Platform Vault requires that an SSL certificate be installed on each Cryptographic Security Platform Vault node in a cluster. Each Cryptographic Security Platform Vault instance is installed with two web servers:
- An internal web server that manages the Cryptographic Security Platform Vault node to node cluster communication on port 8443.
- An external web server that manages the Cryptographic Security Platform Vault Web UI, the REST API interface, and the Policy agent communication on port 443.
By default, Cryptographic Security Platform Vault includes a component for creating a Root Certificate Authority (CA) that can generate digital certificates. When the first Cryptographic Security Platform Vault node is installed, it creates a Private and Public CA that it also stores in the Cryptographic Security Platform Vault object store.
The first Cryptographic Security Platform Vault node then uses the Private CA to create an SSL certificate for the internal web server that contains the hostname (FQDN) and the IP address of the node, and uses the Public CA to create an SSL certificate for the external web server that contains the hostname, both short and FQDN, and the IP address of the node. When the node reboots, Cryptographic Security Platform Vault checks the IP address and recreates the SSL certificate if the IP address has changed.
Cryptographic Security Platform Vault node to node communication is on a TLS channel and uses SSL certificates issued by the Private CA to secure communication. When additional Cryptographic Security Platform Vault nodes are added to the cluster, the first Cryptographic Security Platform Vault node shares the Private and Public CA through the Cryptographic Security Platform Vault object store over an HTTPS connection.
In addition to creating an SSL certificate on each Cryptographic Security Platform Vault node, the Public CA also creates a matching CA certificate that is copied to a VM when the VM is registered with Cryptographic Security Platform Vault. The VM uses the CA certificate to verify Cryptographic Security Platform Vault's identity every time it receives a communication from Cryptographic Security Platform Vault. If the CA certificate on the VM cannot verify the SSL certificate that signed the communication, the VM rejects the communication.
The VM also has its own certificate that it uses to sign any communication it sends to Cryptographic Security Platform Vault. If Cryptographic Security Platform Vault determines that the VM's certificate is invalid or has expired, Cryptographic Security Platform Vault rejects the communication.
Because both the VM and Cryptographic Security Platform Vault verify any incoming communication, a man-in-the-middle attack is not possible: the VM must be able to verify Cryptographic Security Platform Vault's identity, and Cryptographic Security Platform Vault must be able to verify the VM's identity, before any information is exchanged.
In this scenario, the Public CA installed on all the Cryptographic Security Platform Vault nodes is the same, ensuring that every Cryptographic Security Platform Vault node is able to verify SSL certificates generated by every other Cryptographic Security Platform Vault node in the cluster. However, this default SSL certificate is considered self-signed, which can lead to trust issues.
Cryptographic Security Platform Vault Certificate Options
You can replace the default SSL certificate configured on the external and internal web servers with an externally signed SSL certificate at any time by uploading the externally signed SSL certificate and its associated CA certificate to one of the Cryptographic Security Platform Vault nodes in the cluster.
If an externally signed SSL certificate is uploaded to be installed on the internal web server, Cryptographic Security Platform Vault automatically distributes an updated CA certificate to all other nodes in the cluster.
If an externally signed SSL certificate is uploaded to be installed on the external web server, Cryptographic Security Platform Vault automatically distributes an updated CA certificate to all registered VMs. The VMs can then use the updated CA certificate to validate any communication coming from Cryptographic Security Platform Vault. You can either use the same external SSL certificate on all Cryptographic Security Platform Vault nodes, or a different SSL certificate on each node. If you use different certificates, however, Entrust recommends that those certificates all be signed by the same certificate authority. For more information, see Installing External Certificates for Internal and External Webservers.
Note: If you generate an SSL certificate with OpenSSL or another third-party tool, make sure you use a template designed for a web server certificate. Cryptographic Security Platform Vault registration may fail for some VMs if the SSL certificate is generated using a template designed for a Certificate Authority certificate.
You can also replace the current SSL certificate with a new self-signed certificate that is automatically distributed to all Cryptographic Security Platform Vault nodes. If a new self-signed certificate is generated for the external web server, Cryptographic Security Platform Vault does not need to communicate with the VMs, because the default CA certificate is always copied to the VM during the registration process, even when Cryptographic Security Platform Vault is using an externally signed certificate. For more information, see Installing a New Self-Signed Certificate.