When KeyControl is installed, it includes a component for creating a Root Certificate Authority (CA) that can generate digital certificates. When the first KeyControl node is installed, it creates a Public CA, which it stores in the KeyControl object store.
The first KeyControl node then uses the Public CA to create a certificate that contains the hostname, both short and FQDN, as well as the IP address of the KeyControl node. When the node reboots, KeyControl checks the IP address and recreates the certificate if the IP address has changed.
When additional KeyControl nodes are added to the cluster, the first KeyControl node shares the Public CA through the KeyControl object store over an HTTPS connection.
The Public CA installed on all the KeyControl nodes is the same, ensuring that every KeyControl node is able to verify certificates generated by every other KeyControl node in the cluster.
In addition to creating a user-facing certificate on each KeyControl node, the Public CA also creates a certificate for each guest VM linked to the KeyControl cluster. The guest VM certificate is copied to the VM when you register it with KeyControl.
All communication between the guest VMs and KeyControl includes the appropriate certificate to enable peer verification. When KeyControl receives a request from a VM, it verifies the VM's attached certificate. When a guest VM receives a response or an instruction from KeyControl, the VM verifies the attached KeyControl certificate.
Because the same Public CA is used to create the certificates for all KeyControl nodes, only one CA certificate is needed for all of the nodes in the cluster. Therefore any node can verify an incoming request from any guest VM, and a guest VM can verify communication coming from any KeyControl node.
Certificate Security
The guest VM gets a copy of the CA certificate when the VM certificate bundle is copied to the VM. The certificate bundle can be downloaded from KeyControl and copied out-of-band to the VM. The VM uses the CA certificate to verify the identity of KeyControl, so a "man-in-the-middle" attack is not possible. Conversely, because KeyControl signs the VM's certificate with its own CA, it can verify the identity of the VM.
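The trust model described above (one cluster CA, node certificates carrying the short hostname, FQDN and IP address, guest-VM certificates issued by the same CA, and each side verifying the other against the single CA certificate) as an added example using OpenSSL; this is not KeyControl's own code, and the hostnames and IP address are constructed placeholders.

```shell
#!/bin/sh
# Added example (not KeyControl code): build a private cluster CA, issue a node
# certificate with short name, FQDN and IP in its SAN, issue a guest-VM
# certificate from the same CA, and verify both against that one CA certificate.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA: $1 = file basename, $2 = CN.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Issue a leaf certificate: $1 = CA basename, $2 = leaf basename, $3 = CN, $4 = SAN list.
issue_cert() {
  ca=$1; name=$2; cn=$3; san=$4
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
  printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$san" > "$WORK/$name.ext"
  openssl x509 -req -sha256 -days 365 -in "$WORK/$name.csr" \
    -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" -CAcreateserial \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" >/dev/null 2>&1
}

# Peer verification: does leaf $2 chain to CA $1? Prints "ok" or "fail".
verify_against() {
  if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Print the SAN entries of leaf $1 (what a peer checks the hostname/IP against).
san_of() {
  openssl x509 -in "$WORK/$1.crt" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1
}

make_ca cluster "KeyControl Cluster CA"     # the shared "Public CA"
make_ca other   "Unrelated CA"              # a CA the cluster does not trust
issue_cert cluster node1 kc-node1 "DNS:kc-node1,DNS:kc-node1.example.test,IP:192.0.2.10"
issue_cert cluster vm1   guest-vm1 "DNS:guest-vm1.example.test"
issue_cert other   rogue kc-node1  "DNS:kc-node1,DNS:kc-node1.example.test"

echo "VM verifying node:   $(verify_against cluster node1)"   # ok
echo "node verifying VM:   $(verify_against cluster vm1)"     # ok
echo "VM verifying imposter: $(verify_against cluster rogue)" # fail
```

The last check shows why the out-of-band copy of the CA certificate matters: a certificate with the right names but signed by any other CA is rejected, which is what stops a man-in-the-middle from impersonating a node.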