Installing a New External Certificate
Use this procedure to replace the current KeyControl Vault SSL certificate with a new externally-signed SSL certificate. If you want to use a new, self-signed SSL certificate generated by the Public CA or Private CA included with KeyControl Vault, see Installing a New Self-Signed Certificate.
Before You Begin
- If you generated the Certificate Signing Request (CSR) through KeyControl Vault, you need to make sure you have the resulting SSL certificate and the CA certificate in Base64-encoded pem format files accessible to the KeyControl Vault node that you are logged into. If you generated the CSR through some other means, make sure you have both of the Base64-encoded pem format certificates and the Base64-encoded pem format private key file that goes with the certificates. KeyControl Vault supports only RSA private keys. For more information, see Creating a Certificate Signing Request.
- If you generated the SSL certificate with openssl or another third-party tool, make sure the certificate is formatted as a web server certificate. KeyControl Vault registration may fail for some VMs if the SSL certificate is formatted as a Certificate Authority certificate.
- The SSL certificate generated for the internal web server should be able to function as the Client and Server certificate.
- SSL certificates that contain an intermediate CA certificate chain are not supported for the internal web server. If there is a certificate chain, it must be specified in the CA certificate for the internal web server.
- We strongly recommend that you verify all VMs registered with KeyControl Vault are online and accessible before you install a new SSL certificate on KeyControl Vault for the external web server. During the installation process, KeyControl Vault sends an updated version of the CA certificate to each of the registered VMs at their next heartbeat. If all VMs are online, this process is fairly simple and ensures that there is no interruption in the communication between the VMs and KeyControl Vault. If any VMs are inaccessible, however, the CA certificate may need to be manually updated on those VMs after the SSL certificate installation on KeyControl Vault is complete because the old CA certificate installed on the VMs will no longer be able to verify KeyControl Vault's identity and all communication coming from KeyControl Vault will be rejected by the VMs.
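A pre-flight check for the requirements above, added here as an example and not part of the Entrust documentation: it uses openssl to confirm that a PEM bundle is a web server (non-CA) certificate usable for both server and client authentication, carries the node IP in its SAN, has a matching RSA private key, and chains (with any intermediates concatenated into the same file) to the CA certificate file. The file names, the constructed certificates and the node IP 192.0.2.10 are assumptions.

```shell
#!/bin/sh
# Pre-flight checks on a PEM bundle before uploading it to KeyControl Vault.
# Added example, not part of the Entrust documentation; needs openssl 1.1.1+.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# Constructed fixtures so the script runs offline (assumed names and IP):
# a root CA, an RSA leaf with serverAuth+clientAuth and the node IP in its
# SAN, and a server-only leaf that should be rejected.
make_fixtures() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' >"$WORK/ca.cnf"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 2 \
    -extfile "$WORK/ca.cnf" -out "$WORK/ca.pem" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=DNS:keycontrol.example.test,IP:192.0.2.10\n' >"$WORK/good.cnf"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=IP:192.0.2.10\n' >"$WORK/serveronly.cnf"
  for name in good serveronly; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=keycontrol.example.test" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 1 -extfile "$WORK/$name.cnf" -out "$WORK/$name.pem" 2>/dev/null
  done
}

# check_cert LEAF_PEM CA_PEM KEY_PEM NODE_IP: returns 0 only if every requirement holds.
check_cert() {
  leaf=$1; ca=$2; key=$3; ip=$4
  text=$(openssl x509 -in "$leaf" -noout -text)
  # A web server certificate, not a CA certificate (registration may fail otherwise).
  if echo "$text" | grep -q 'CA:TRUE'; then echo "FAIL: $leaf is a CA certificate"; return 1; fi
  # Usable as both a server and a client certificate.
  echo "$text" | grep -q 'TLS Web Server Authentication' || { echo "FAIL: no serverAuth EKU"; return 1; }
  echo "$text" | grep -q 'TLS Web Client Authentication' || { echo "FAIL: no clientAuth EKU"; return 1; }
  # The node IP must be in the SAN when one certificate serves both web servers.
  echo "$text" | grep -q "IP Address:$ip" || { echo "FAIL: $ip missing from SAN"; return 1; }
  # Only RSA keys are supported, and the key must belong to this certificate.
  echo "$text" | grep -q 'Public Key Algorithm: rsaEncryption' || { echo "FAIL: key is not RSA"; return 1; }
  [ "$(openssl x509 -in "$leaf" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] ||
    { echo "FAIL: private key does not match $leaf"; return 1; }
  # The leaf, plus any intermediates concatenated into the same file, must chain to the CA file.
  openssl verify -CAfile "$ca" -untrusted "$leaf" "$leaf" >/dev/null 2>&1 ||
    { echo "FAIL: $leaf does not chain to $ca"; return 1; }
  echo "OK: $leaf meets the KeyControl Vault certificate requirements"
}

make_fixtures
check_cert "$WORK/good.pem" "$WORK/ca.pem" "$WORK/good.key" 192.0.2.10
check_cert "$WORK/serveronly.pem" "$WORK/ca.pem" "$WORK/serveronly.key" 192.0.2.10 || true
check_cert "$WORK/ca.pem" "$WORK/ca.pem" "$WORK/ca.key" 192.0.2.10 || true
```

Run it against your own leaf, CA and key files by replacing the fixture paths in the three calls at the bottom; a FAIL line names the first requirement the bundle misses.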
Procedure
- Log into the KeyControl webGUI using an account with Domain Admin privileges.
- In the top menu bar, click Cluster.
- Click the Servers tab and select a KeyControl Vault node.
  Note: You can use SSL certificates signed by different certificate authorities on individual KeyControl Vault nodes. However, Entrust recommends that all of the SSL certificates be signed by the same Certificate Authority so that only one CA certificate is required on the VMs registered with KeyControl Vault.
- Select Actions > Install Certificate.
- In the Certificate tab of the Certificate Installation dialog box, specify the options you want to use:
  SSL Certificate: The SSL certificate file in Base64-encoded pem format. This certificate must be valid for the installation to succeed.
  CA Certificate: The certificate of the CA that issued the SSL certificate, in Base64-encoded pem format. The VMs registered with KeyControl Vault use the CA certificate to verify communication with KeyControl Vault.
  Web Server: Choose the web server on which to install the custom certificate. You can select both if you want to install the same SSL certificate for the internal and the external web server. If the SSL certificate is used for both web servers, it should be able to function as a Client and Server certificate and it should have the KeyControl Vault IP address specified in the SAN.
  Important: Before KeyControl Vault installs the certificate, it checks with the certificate authority to make sure that the SSL certificate can be validated. If the CA certificate file you are uploading for the external web server contains only the certificate of the root certificate authority, make sure that the SSL certificate file contains the entire chain of intermediate CA certificates as well as the SSL certificate for the selected KeyControl Vault node.
- If you did not create the certificate signing request with KeyControl Vault:
  - Click the Private Key tab and click Load File, then navigate to the private key file you want to use. KeyControl Vault never stores the private key in clear text.
  - If the private key file is encrypted, enter the user-specified password for the key file in the Password field. This password is not stored in the KeyControl Vault object store or on the local file system.
- Click Install Certificate. If an SSL certificate is to be installed for the external web server and there are any VMs already registered with the system, KeyControl Vault automatically distributes the new CA certificate to those VMs on their next heartbeat and tracks the progress of the install in the Certificate State field. KeyControl Vault updates the installation status shown in the webGUI every 5 minutes. The state can be:
  - IN PROGRESS—The install is in progress. The table displays one line for each KeyControl Vault node showing the total number of VMs, the number of VMs that timed out and could not be reached, and the number that are waiting for the web service to restart. If a new VM is added to KeyControl Vault or a previously inaccessible VM comes back online during this phase, KeyControl Vault automatically sends the appropriate CA certificate to that VM as soon as there is a successful VM heartbeat. The length of time this phase takes depends on the heartbeat duration configured for the registered VMs and on whether all of those VMs are accessible. KeyControl Vault polls for responses once every 5 minutes. If all VMs have had a successful heartbeat during that time, KeyControl Vault completes this phase and changes the installation status to RESTART PENDING. If one or more VMs have not yet been contacted or their heartbeat has failed, KeyControl Vault waits another 5 minutes and polls again. This process continues until all registered VMs have either been successfully contacted or have failed 4 consecutive heartbeats. If even one VM is inaccessible, the entire installation process remains in this phase until that VM either comes back online or has failed the fourth scheduled heartbeat. In the latter case, KeyControl Vault considers the installation request to have timed out for that VM and sets the installation status to TIMED OUT. For example, if you are using the default heartbeat duration of 5 minutes, KeyControl Vault waits at least 20 minutes before it considers the request to have timed out. If you have increased the heartbeat duration for any of the VMs registered with KeyControl Vault, this step takes longer.
    If you have increased the heartbeat for a particular VM to 1 day, KeyControl Vault may have to wait up to 24 hours before the next scheduled VM heartbeat occurs and it can update the status of the installation request to RESTART PENDING. If that VM is inaccessible, KeyControl Vault has to wait 4 days before it stops trying to update that VM. Only when the last VM has been contacted or has timed out does KeyControl Vault conclude this phase.
    Tip: If you do not want to wait for the next scheduled heartbeat on a particular VM, log into that VM as an administrator and issue the hcl heartbeat command on that VM. This allows KeyControl Vault to update the certificate information on the VM immediately.
  - RESTART PENDING—The install is completed and the new certificate will be used as soon as the web service is restarted. KeyControl Vault has successfully sent the new CA certificate to all registered VMs, so there should be no interruption in service once the web service restarts.
  - TIMED OUT—At least one of the VMs associated with the KeyControl Vault node could not be reached and the new CA certificate could not be sent to those VMs. When a VM times out, KeyControl Vault sends an alert to the Cloud Admins associated with that VM. The Cloud Admins are responsible for updating the KeyControl Vault CA certificate on the unreachable VMs. For more information, see Troubleshooting Certificate Issues.
- If you install the SSL certificate for the internal web server, the web server restarts automatically. If you install the SSL certificate for the external web server, click Restart Web Service when the installation is complete, or select Actions > Restart Web Service, and confirm the request at the prompt. After the web service restarts, KeyControl Vault uses the new certificate. Restarting the web server may interrupt the browser connection to the webGUI; when the restart is finished you are returned to the webGUI login page.
  Tip: If you are using Chrome, the connection status in your browser may still show as insecure. To fix this, open the KeyControl webGUI login page in a new tab.
- If you want to verify that the new certificate was properly installed, select the node and click the link next to Internal/External web server.
  If you already have a custom certificate installed for the external web server and the KeyControl Vault internal web server uses a default self-signed SSL certificate, KeyControl Vault automatically detects this and provides an option to use the same custom SSL certificate for the internal web server if it meets the certificate requirements of the internal web server. Select Use external Web server SSL certificate for internal Web server and click Save to install the same custom SSL certificate for the internal web server.
  If you already have a custom certificate installed for the internal web server and the KeyControl Vault external web server uses a default self-signed SSL certificate, KeyControl Vault automatically detects this and provides an option to use the same custom SSL certificate for the external web server if it meets the certificate requirements of an external web server. Select Use internal Web server SSL certificate for external Web server and click Save to install the same custom SSL certificate for the external web server. When the installation is complete, click Restart Web Service or select Actions > Restart Web Service, then confirm the request at the prompt. After the web service restarts, KeyControl uses the custom SSL certificate for the external web server.
