KeyControl Vault Certificates
KeyControl Vault requires that an SSL certificate be installed on each KeyControl Vault node in a cluster. Each KeyControl Vault instance is installed with two web servers:
- An internal web server that manages the KeyControl Vault node to node cluster communication on port 8443.
- An external web server that manages the KeyControl Vault Web UI, the REST API interface, and the Policy agent communication on port 443.
By default, KeyControl Vault includes a component for creating a Root Certificate Authority (CA) that can generate digital certificates. When the first KeyControl Vault node is installed, it creates a Private CA and a Public CA, both of which it also stores in the KeyControl Vault object store.
The first KeyControl Vault node then uses the Private CA to create an SSL certificate for the internal web server that contains the node's hostname (FQDN) and IP address, and uses the Public CA to create an SSL certificate for the external web server that contains the node's hostname (both the short name and the FQDN) and IP address. When the node reboots, KeyControl Vault checks the IP address and recreates the SSL certificate if the IP address has changed.
KeyControl Vault node-to-node communication runs over a TLS channel secured with SSL certificates issued by the Private CA. When additional KeyControl Vault nodes are added to the cluster, the first KeyControl Vault node shares the Private CA and the Public CA with them through the KeyControl Vault object store over an HTTPS connection.
In addition to creating an SSL certificate on each KeyControl Vault node, the Public CA also creates a matching CA certificate that is copied to a VM when the VM is registered with KeyControl Vault. The VM uses the CA certificate to verify KeyControl Vault's identity every time it receives a communication from KeyControl Vault. If the CA certificate on the VM cannot verify the SSL certificate that signed the communication, the VM rejects the communication.
The VM also has its own certificate that it uses to sign any communication it sends to KeyControl Vault. If KeyControl Vault determines that the VM's certificate is invalid or has expired, KeyControl Vault rejects the communication.
Because both the VM and KeyControl Vault verify any incoming communication, a "man in the middle" attack is not possible. The VM must be able to verify KeyControl Vault's identity and KeyControl Vault must be able to verify the VM's identity before any information is exchanged.
In this scenario, the Public CA installed on all the KeyControl Vault nodes is the same, ensuring that every KeyControl Vault node is able to verify SSL certificates generated by every other KeyControl Vault node in the cluster. However, this default SSL certificate is considered self-signed, which can lead to trust issues.
KeyControl Vault Certificate Options
You can replace the default SSL certificate configured on the external and internal web servers with an externally signed SSL certificate at any time by uploading the externally signed SSL certificate and its associated CA certificate to one of the KeyControl Vault nodes in the cluster.
If an externally signed SSL certificate is uploaded to be installed on the internal web server, KeyControl Vault automatically distributes an updated CA certificate to all other nodes in the cluster.
If an externally signed SSL certificate is uploaded to be installed on the external web server, KeyControl Vault automatically distributes an updated CA certificate to all registered VMs. The VMs can then use the updated CA certificate to validate any communication coming from KeyControl Vault. You can either use the same external SSL certificate on all KeyControl Vault nodes or use a different SSL certificate on each node. If you use different certificates, however, Entrust recommends that those certificates all be signed by the same certificate authority. For more information, see Installing a New External Certificate.
Note: If you are generating an SSL certificate from openssl or other third-party tool, make sure you use a template designed for a web server certificate. KeyControl Vault registration may fail for some VMs if the SSL certificate is generated using a template designed for a Certificate Authority certificate.
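The following pre-flight check is an added example and is not part of the KeyControl Vault documentation or product. It uses openssl to confirm, before upload, that a PEM certificate came from a web-server template (end-entity, serverAuth extended key usage, SAN listing the node FQDN and IP) rather than a CA template; the hostnames, IP address and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the KeyControl Vault docs: check that a PEM certificate
# was issued from a web-server template (CA:FALSE, serverAuth EKU, SAN with the
# node FQDN and IP) rather than a CA template. Names below are constructed.
set -eu

# check_server_cert CERT.pem FQDN IP  -> returns 0 if CERT looks like a server cert
check_server_cert() {
    cert="$1"; fqdn="$2"; ip="$3"
    text=$(openssl x509 -in "$cert" -noout -text)
    # One SAN entry per line, surrounding whitespace stripped, for exact matching
    sans=$(printf '%s\n' "$text" | tr ',' '\n' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    if printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
        echo "REJECT: $cert is a CA certificate (basicConstraints CA:TRUE)"; return 1
    fi
    if ! printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication'; then
        echo "REJECT: $cert lacks the serverAuth extended key usage"; return 1
    fi
    if ! printf '%s\n' "$sans" | grep -qxF "DNS:$fqdn"; then
        echo "REJECT: $cert SAN does not list DNS:$fqdn"; return 1
    fi
    if ! printf '%s\n' "$sans" | grep -qxF "IP Address:$ip"; then
        echo "REJECT: $cert SAN does not list IP Address:$ip"; return 1
    fi
    echo "OK: $cert is a web-server certificate for $fqdn / $ip"
}

# make_sample_certs DIR  -> constructed samples: one cert from a web-server
# template and one from a CA template, self-signed with the same key and subject
make_sample_certs() {
    dir="$1"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=kc1.example.test" \
        -keyout "$dir/node.key" -out "$dir/node.csr" 2>/dev/null
    printf '%s\n' 'basicConstraints=critical,CA:FALSE' 'extendedKeyUsage=serverAuth' \
        'subjectAltName=DNS:kc1.example.test,DNS:kc1,IP:192.0.2.10' > "$dir/leaf.ext"
    openssl x509 -req -days 1 -in "$dir/node.csr" -signkey "$dir/node.key" \
        -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'subjectAltName=DNS:kc1.example.test,IP:192.0.2.10' > "$dir/ca.ext"
    openssl x509 -req -days 1 -in "$dir/node.csr" -signkey "$dir/node.key" \
        -extfile "$dir/ca.ext" -out "$dir/ca.pem" 2>/dev/null
}

# Usage: make_sample_certs /tmp/kc && check_server_cert /tmp/kc/leaf.pem kc1.example.test 192.0.2.10
```

Run the check against the certificate you intend to upload, with the FQDN and IP address the node's external web server will present.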
You can also replace the current SSL certificate with a new self-signed certificate that is automatically distributed to all KeyControl Vault nodes. If a new self-signed certificate is generated for the external web server, KeyControl Vault does not need to communicate with the VMs, because the default CA certificate is always copied to the VM during the registration process, even when KeyControl Vault is using an externally signed certificate. For more information, see Installing a New Self-Signed Certificate.