KeyControl Certificates

KeyControl requires that an SSL certificate be installed on each KeyControl node in a cluster. By default, KeyControl includes a component for creating a root Certificate Authority (CA) that can issue digital certificates. When the first KeyControl node is installed, it creates this root CA, referred to here as the Public CA, and stores it in the KeyControl object store. Despite the name, the Public CA is private to the cluster: no browser or operating system trusts it out of the box.

The first KeyControl node then uses the Public CA to issue an SSL certificate for itself that names the node's short hostname, its FQDN, and its IP address. When the node reboots, KeyControl checks whether the node's IP address has changed and, if it has, reissues the SSL certificate so that it names the current address.

When additional KeyControl nodes are added to the cluster, the first KeyControl node shares the Public CA through the KeyControl object store over an HTTPS connection.

In addition to issuing an SSL certificate for each KeyControl node, the Public CA provides its own CA certificate, which is copied to a VM when the VM is registered with KeyControl. The VM uses this CA certificate to verify KeyControl's identity every time it receives a communication from KeyControl: if the SSL certificate that KeyControl presents does not chain to the CA certificate held by the VM, the VM rejects the communication.

The VM also has its own certificate that it uses to sign any communication it sends to KeyControl. If KeyControl determines that the VM's certificate is invalid or has expired, KeyControl rejects the communication.

Because both the VM and KeyControl verify the other side's certificate before any information is exchanged (mutual TLS authentication), an attacker who cannot present a certificate chaining to the trusted CA cannot insert themselves between the two as a "man in the middle". The protection is only as strong as the keys behind it: anyone who obtains the Public CA's signing key, or a node's private key, can impersonate KeyControl to every registered VM, so those keys must never leave the KeyControl nodes.

In this scenario, the Public CA installed on all the KeyControl nodes is the same, ensuring that every KeyControl node is able to verify SSL certificates generated by every other KeyControl node in the cluster. However, because the default SSL certificate chains only to this cluster-internal CA, anything outside the cluster treats it as self-signed: browsers and other clients that connect to a KeyControl node show certificate warnings unless the Public CA's certificate is imported into their trust store, and clients that refuse untrusted certificates fail outright.

KeyControl Certificate Options

You can replace the default SSL certificate with an externally signed SSL certificate at any time by uploading the externally signed SSL certificate and the certificate of the CA that issued it to one of the KeyControl nodes in the cluster. After you upload the external certificates, KeyControl automatically distributes an updated CA certificate to all registered VMs, which then use it to validate any communication coming from KeyControl. You can either use the same external SSL certificate on all KeyControl nodes or a different SSL certificate on each node. If you use different certificates, however, HyTrust recommends that all of them be signed by the same certificate authority, so that a single CA certificate is enough for every VM. For more information, see Installing a New External Certificate.

Note: If you are generating an SSL certificate with openssl or another third-party tool, make sure you use a template (profile) designed for a web server certificate: basicConstraints CA:FALSE, an extendedKeyUsage of serverAuth, and subject alternative names that cover the node's short hostname, FQDN, and IP address. A certificate generated from a template designed for a Certificate Authority certificate carries CA:TRUE and usually no serverAuth usage; some VMs refuse such a certificate as a server identity, so KeyControl registration fails for those VMs.
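The following added example illustrates the mechanics described above: the VM checking a node's certificate and the node checking the VM's (mutual verification), the reboot-time check that a node certificate still names its IP address, and the difference between a certificate cut from a web-server template and one cut from a CA template that the note warns about. It is not KeyControl's code and uses no KeyControl API; it builds the same certificate layout with Go's standard crypto/x509 library. The hostnames and addresses (kc1, kc1.example.internal, 10.0.0.5, vm-db01) are constructed, and the function names (CATemplate, ServerTemplate, ClientTemplate, Sign, VerifyPeer, WebServerCertFindings) are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"slices"
	"time"
)

// must keeps the example short: any error here is a programming error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func serial() *big.Int { return must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 126))) }

// CATemplate is the CA profile: CA:TRUE, certSign, no EKU, no SAN. Right for the Public CA, wrong for a node.
func CATemplate(cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: serial(), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// ServerTemplate is the web-server profile a node needs: CA:FALSE, serverAuth, SANs for short name, FQDN and IP.
func ServerTemplate(short, fqdn string, ip net.IP) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: serial(), Subject: pkix.Name{CommonName: fqdn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames: []string{short, fqdn}, IPAddresses: []net.IP{ip},
	}
}

// ClientTemplate is the VM's own certificate: clientAuth only; notAfter is a parameter so expiry can be exercised.
func ClientTemplate(vmID string, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: serial(), Subject: pkix.Name{CommonName: vmID},
		NotBefore: time.Now().Add(-48 * time.Hour), NotAfter: notAfter,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
}

// Sign has parentKey certify tmpl for a fresh key; with parentKey nil the template signs itself (root CA).
func Sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parentKey == nil {
		parentKey = key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// VerifyPeer is the check each side applies to the other: chain to the trusted CA, validity period, allowed usage.
// name is matched only when given: the VM checks the node's name, the node only needs a valid client certificate.
func VerifyPeer(trusted, presented *x509.Certificate, usage x509.ExtKeyUsage, name string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, DNSName: name, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err
}

// WebServerCertFindings lists what disqualifies c as a web-server certificate; empty means it passes.
func WebServerCertFindings(c *x509.Certificate) (findings []string) {
	if c.IsCA {
		findings = append(findings, "basicConstraints is CA:TRUE")
	}
	if !slices.Contains(c.ExtKeyUsage, x509.ExtKeyUsageServerAuth) {
		findings = append(findings, "extendedKeyUsage lacks serverAuth")
	}
	if len(c.DNSNames)+len(c.IPAddresses) == 0 {
		findings = append(findings, "no subjectAltName entries")
	}
	return findings
}

func main() {
	root := CATemplate("KeyControl Public CA") // constructed names and addresses, not real hosts
	ca, caKey := Sign(root, root, nil)
	node, _ := Sign(ServerTemplate("kc1", "kc1.example.internal", net.ParseIP("10.0.0.5")), ca, caKey)
	vm, _ := Sign(ClientTemplate("vm-db01", time.Now().AddDate(1, 0, 0)), ca, caKey)
	bad, _ := Sign(CATemplate("kc2.example.internal"), ca, caKey)
	fmt.Println("VM accepts node:", VerifyPeer(ca, node, x509.ExtKeyUsageServerAuth, "kc1.example.internal") == nil)
	fmt.Println("node accepts VM:", VerifyPeer(ca, vm, x509.ExtKeyUsageClientAuth, "") == nil)
	fmt.Println("cert still names 10.0.0.5:", node.VerifyHostname("10.0.0.5") == nil) // the reboot-time check
	fmt.Println("findings for CA-template node cert:", WebServerCertFindings(bad))
}
```

VerifyPeer does explicitly what each side's TLS stack does implicitly: it rejects a certificate from a different CA, an expired VM certificate, and a VM certificate offered as a server identity (wrong extendedKeyUsage), and with an IP literal as the name it doubles as the check a node performs after a reboot. WebServerCertFindings is the check worth running on a certificate produced from a third-party template before uploading it: Go's chain verifier, like some other TLS stacks, treats a certificate with no extendedKeyUsage as valid for any purpose and does not object to CA:TRUE on an end-entity certificate, so chain verification alone does not catch a certificate cut from a CA template. Stricter stacks do reject it, which is consistent with the note's observation that registration fails only for some VMs.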

You can also replace the current SSL certificate with a new self-signed certificate, which is automatically distributed to all KeyControl nodes. In this case, KeyControl does not need to push anything to the VMs, because the new certificate is issued by the Public CA whose CA certificate every VM already holds: that default CA certificate is always copied to the VM during the registration process, even when KeyControl is using an externally signed certificate at the time. For more information, see Installing a New Self-Signed Certificate.