
How To: Set up an OpenSSL CA Driver

Summary

OpenSSL is a pluggable certificate authority (CA) driver for Venafi Encryption Director (VED). The purpose of the driver is to manage SSL certificates using an internal OpenSSL CA.


More Information

OpenSSL Configuration File Options:

In order for the VED OpenSSL CA driver to work properly with your OpenSSL CA, the following options are required in the OpenSSL configuration file.

  1. The string_mask variable needs to be set to a value that supports printable strings, and the CA certificate needs to be generated with this value in place. Currently the following string_mask values are supported:
    • default
    • pkix
    • nombstr

Note: If you have already generated your CA certificate without a supported string_mask, you will need to generate a new CA certificate for use with VED. Please see the OpenSSL documentation at www.openssl.org for instructions on how to do this.

  2. Subject Alt Name Enabled can only be selected if the OpenSSL host supports it.
    • To check for this, Venafi Encryption Director reads the OpenSSL configuration file and looks for copy_extensions = copy or copy_extensions = copyall.

For more information about configuring your OpenSSL installation as a CA, please refer to the OpenSSL documentation at www.openssl.org.


OpenSSL CA Object Configuration Options:

  • Hostname/Address: Hostname or IP address of the OpenSSL CA host.
  • Credentials: Credentials to use when connecting to the OpenSSL CA host.
  • SSH Port: SSH port to use when connecting to the OpenSSL CA host.
  • CA Config File Path: The full path to the desired CA configuration file to use during certificate management.
  • Validate: Clicking on this button will validate the connection to the CA, retrieve defaults and options, and validate the relationship between the provided CA certificate, CA private key, and the private key credentials.
  • CA Certificate File Path: The full path to the CA certificate to use during certificate management. If this field is left blank when the validate button is clicked, it will be filled in with the default certificate in the CA configuration file.
  • CA Private Key File Path: The full path to the CA private key file to use during certificate management. If this field is left blank when the validate button is clicked, it will be filled in with the default private key file in the CA configuration file.
  • Private Key Credential: The password credential associated with the CA private key.
  • Temp Directory: Temporary directory to use during certificate management.
  • Subject Alt Name Enabled: The administrator should select this option if they would like this instance of the CA object to support subject alt names. This is only able to be selected if 'copy_extensions = copy' or 'copy_extensions = copyall' is found in the OpenSSL configuration file.
  • Available Validity Periods: Provides a selection list of available Validity Periods, in years, for this CA. Currently supported values are 1-10 years.
  • Supported Validity Periods: Select the validity period(s) from the Available Validity Periods that this instance will support. These values will be available for selection on the Certificate object if this instance of the OpenSSL CA object is chosen.

Creating the OpenSSL CA Driver Object:

  1. Open the Windows Administration Console and within the Policy tree, select the policy container where you wish your OpenSSL CA object to reside.
  2. Click Add --> Certificate Authorities --> OpenSSL
  3. Enter a Name for your OpenSSL CA object and click Create.
  4. Click on the newly created OpenSSL CA Object.
  5. Enter the Hostname or IP address.
  6. Select the credentials used to connect to your OpenSSL CA Host. This may be either a username credential or a private key credential.
  7. Enter the full system path to your OpenSSL configuration file. e.g. '/etc/pki/CA/openssl.cnf'
  8. Enter the full system path to the CA certificate file to use while managing certificates. e.g. '/etc/pki/CA/certs/CA.crt'
  9. Enter the full system path to the CA private key file associated with the certificate specified in the previous step. e.g. '/etc/pki/CA/private/CA.key'
  10. Select the password credential associated with the private key specified in the previous step.
  11. Specify the temp directory to be used on the OpenSSL CA host while managing certificates. The user specified in the connection credentials needs write access to this directory.
  12. Specify the desired validity periods (in years) that you wish to use with this OpenSSL CA Object. Currently supported values are 1-10 years.

At this point we can validate that all of the information is correct by pressing the Validate button. A successful validation is required in order to save your OpenSSL CA Object.

The VED server performs the following checks during validation:

  • Validates the existence of the CA configuration file provided.
  • If the CA Certificate Path or CA Private Key Path fields are empty, VED populates them with the defaults from the CA configuration file.
  • Validates the existence of the CA certificate file.
  • Validates the existence of the CA private key file.
  • Validates that the Private Key Credential allows reading of the CA private key.
  • Validates that the CA certificate file and the CA private key file match.
  • Enables or disables the "Subject Alt Name Enabled" control. If the control is disabled, it cannot be checked.
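The configuration-file checks described above (reading the default certificate and private key paths from the CA section, checking string_mask against the supported values, and deciding whether Subject Alt Name Enabled may be selected from copy_extensions) can be reproduced locally before pressing Validate. The following is an added example written for this article, not Venafi's or OpenSSL's own code; it assumes a simplified openssl.cnf syntax (sections, key = value, $name expansion within a section), takes the first string_mask it finds since the article does not name its section, and uses a constructed sample configuration with the file paths quoted in the article.

```python
import re

SUPPORTED_STRING_MASKS = {"default", "pkix", "nombstr"}  # values the article lists

def parse_openssl_cnf(text):
    """Minimal openssl.cnf reader -> {section: {key: value}}; assumed-sufficient subset."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections

def expand(value, section):
    """Expand $name / ${name} references (e.g. $dir) against the same section."""
    def sub(m):
        name = m.group(1)
        return expand(section[name], section) if name in section else m.group(0)
    return re.sub(r"\$\{?(\w+)\}?", sub, value)

def check_ca_config(text):
    """Config-derived part of the Validate step: defaults, string_mask, SAN support."""
    cfg = parse_openssl_cnf(text)
    ca = cfg.get(cfg.get("ca", {}).get("default_ca"), {})  # [ca] default_ca = <section>
    mask = next((s["string_mask"] for s in cfg.values() if "string_mask" in s), None)
    return {
        "certificate": expand(ca.get("certificate", ""), ca) or None,
        "private_key": expand(ca.get("private_key", ""), ca) or None,
        "string_mask": mask,
        "string_mask_supported": mask in SUPPORTED_STRING_MASKS,
        "san_enabled": ca.get("copy_extensions") in ("copy", "copyall"),
    }

# Constructed sample openssl.cnf using the file paths quoted in the article.
SAMPLE_CNF = """\
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = /etc/pki/CA
certificate = $dir/certs/CA.crt      # default CA certificate
private_key = $dir/private/CA.key    # default CA private key
copy_extensions = copy
[ req ]
string_mask = nombstr
"""
```

Run check_ca_config(SAMPLE_CNF) to see the resolved defaults; a config with string_mask = utf8only or copy_extensions = none reports string_mask_supported and san_enabled as False, which is what would block Validate or grey out the Subject Alt Name Enabled control.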

After completing all of the entries, click on the Apply button to save the settings.

Note: Any time the CA Config File Path, CA Certificate Path, CA Private Key Path or Private Key Credential is changed, a successful validation is required in order to save the changes.


TIP:

In order for OpenSSL to work correctly with Venafi Encryption Director, the following must be present in the OpenSSL configuration file (openssl.cnf). The 'string_mask' parameter defined in the OpenSSL configuration file needs to support printable strings. Currently supported string_mask values are:

  • default
  • pkix
  • nombstr