Installing a New External Certificate

Use this procedure to replace the current KeyControl Compliance Manager SSL certificate with a new externally-signed SSL certificate. If you want to use a new, self-signed SSL certificate generated by the Public CA or Private CA included with KeyControl Compliance Manager, see Installing a New Self-Signed Certificate.

Before You Begin 

  • If you generated the Certificate Signing Request (CSR) through KeyControl Compliance Manager, you need to make sure you have the resulting SSL certificate and the CA certificate in Base64-encoded pem format files accessible to the KeyControl Compliance Manager node that you are logged into. If you generated the CSR through some other means, make sure you have both of the Base64-encoded pem format certificates and the Base64-encoded pem format private key file that goes with the certificates. KeyControl supports only RSA private keys. For more information, see Creating a Certificate Signing Request.
  • If you generated the SSL certificate from openssl or other third-party tool, make sure the certificate is formatted as a web server certificate.
  • The SSL certificate generated for the internal web server should be able to function as the Client and Server certificate.

  • SSL certificates that contain an intermediate CA certificate chain are not supported for the internal web server. If there is a certificate chain, it must be specified in the CA certificate for the internal web server.

Procedure 

  1. Log into the KeyControl Compliance Manager webGUI with your standard account credentials.
  2. In the top right, click the Switch to Appliance Management link.
  3. In the top menu bar, click Cluster.
  4. Click the Servers tab and select a KeyControl Compliance Manager node.

  5. Select Actions > Install Certificate.
  6. In the Certificate tab of the Install Custom SSL Certificate dialog box, specify the options you want to use.

    SSL Certificate
      The SSL certificate file in Base64-encoded pem format. This certificate must be valid for the installation to succeed.

    CA Certificate
      The certificate of the CA that issued the SSL certificate, in Base64-encoded pem format.

    Web Server
      Choose the web server on which to install the custom certificate. You can select both if you want to install the same SSL certificate for the internal and the external web server. If the SSL certificate is used for both web servers, it must be able to function as a Client and Server certificate and it must have the KeyControl Compliance Manager IP address specified in the SAN.

    Important: Before KeyControl Compliance Manager installs the certificate, it checks with the certificate authority to make sure that the SSL certificate can be validated. If the CA certificate file you are uploading for the external web server contains only the certificate of the root certificate authority, make sure that the SSL certificate file contains the entire chain of intermediate CA certificates as well as the SSL certificate for the selected KeyControl Compliance Manager node.

  7. If you did not create the certificate signing request with KeyControl Compliance Manager:

    1. Click the Private Key tab and click Load File, then navigate to the private key file you want to use. KeyControl Compliance Manager never stores the private key in clear text.
    2. If the private key file is encrypted, enter the user-specified password for the key file in the Password field. This password is not stored in the KeyControl Compliance Manager object store or on the local file system.
  8. Click Install Certificate.

  9. If you install the SSL certificate for the internal web server, the web server automatically restarts.

    If you install the SSL certificate for the external web server, when the installation is complete, click Restart Web Service or select Actions > Restart Web Service and confirm the request at the prompt.

    After the web service restarts, KeyControl Compliance Manager will use the new certificate.

    KeyControl Compliance Manager restarts the web server which may interrupt the browser connection. When the restart is finished you are returned to the KeyControl Compliance Manager webGUI login page.

    Tip: If you are using Chrome, the connection status in your browser may still show as insecure. To fix this, open the KeyControl Compliance Manager webGUI login page in a new tab.

  10. If you want to verify that the new certificate was properly installed, select the node and click the link next to Internal/External web server.

    If you already have a custom certificate installed for the external web server and the KeyControl Compliance Manager internal web server uses the default self-signed SSL certificate, KeyControl Compliance Manager automatically detects this and provides an option to use the same custom SSL certificate for the internal web server if it meets the certificate requirements of the internal web server. Select Use external Web server SSL certificate for internal Web server and click Save to install the same custom SSL certificate for the internal web server.

    If you already have a custom certificate installed for the internal web server and the KeyControl Compliance Manager external web server uses the default self-signed SSL certificate, KeyControl Compliance Manager automatically detects this and provides an option to use the same custom SSL certificate for the external web server if it meets the certificate requirements of the external web server. Select Use internal Web server SSL certificate for external Web server and click Save to install the same custom SSL certificate for the external web server. When the installation is complete, click Restart Web Service or select Actions > Restart Web Service, then confirm the request at the prompt. After the web service restarts, KeyControl will use the custom SSL certificate for the external web server.