Summary
By default, Director provides an encrypted connection between the Agents and the KMIP server. However, to securely authenticate Director Agents to the KMIP server, it is recommended that you generate and install your own certificates on the KMIP Server and the Director Agents. The “Agent Installation and Management Guide” contains general instructions for generating and installing your own certificates. The following steps generate those certificates with the OpenSSL cryptography toolkit.
More Information
**You will need to use the attached ved.cnf file along with the OpenSSL commands below (pass it with -config ved.cnf, or point the OPENSSL_CONF environment variable at it).
1. Create the certificate for the KMIP Server:
a. Create key
openssl genrsa -des3 -out kmip.key 2048
<add passphrase>
<reenter passphrase>
b. Create CSR
openssl req -new -key kmip.key -out kmip.csr
<input passphrase for private key>
<input CSR data as requested>
c. Self-Sign the CSR
openssl ca -verbose -out kmip.crt -selfsign -keyfile kmip.key -days 4383 -extensions v3_ca -in kmip.csr
2. Create the certificate for the Agent:
a. Create key
openssl genrsa -des3 -out agent.key 2048
<add passphrase>
<reenter passphrase>
b. Create CSR
openssl req -new -key agent.key -out agent.csr
<enter passphrase for private key>
<enter CSR data as requested>
c. Sign the CSR
openssl x509 -req -days 2922 -in agent.csr -CA kmip.crt -CAkey kmip.key -out agent.crt
(Append -CAcreateserial on the first issuance only; it creates the kmip.srl serial-number file that later issuances reuse.)
3. Export the KMIP certificate:
openssl pkcs12 -export -out kmip.pfx -inkey kmip.key -in kmip.crt
<enter kmip.key password>
<enter export password>
<re-enter export password>
4. Export the Agent certificate:
openssl pkcs12 -export -out agent.pfx -inkey agent.key -in agent.crt -certfile kmip.crt
<enter agent.key password>
<enter export password>
<re-enter export password>
5. In Director, create a Certificate Credential object using the KMIP Server certificate exported in step 3.
6. In the KMIP Server object in the Platforms tree, select the Certificate Credential object you created in step 5.
7. Rename the file agent.pfx exported in step 4 to vagent.p12. Copy the file vagent.p12 to the following directory on the machines where Venafi Agent is installed:
On Windows: drive:\Program Files\Venafi\Agent\Data
On Unix and Linux-based platforms: /var/opt/venafi/agent/data
**The vagent.p12 file contains the certificate and private key the Agent needs to authenticate with the KMIP server.
8. On the local Agent machine, enter the following command to define the password used to encrypt the vagent.p12 file:
./vagent --modify passphrase=password
9. In the Director administration console, create a Password Credential object for the password used to encrypt the vagent.p12 file.
10. In the Base Agent object in the Platforms tree, select the Client Configuration tab, and then select the Password Credential object from step 9 in the Agent Certificate Password field. (Defining the Agent Certificate Password in the Base Agent configuration ensures that Director Agents retain the correct password for the vagent.p12 file when they download their configuration settings from the KMIP server.)
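As an added example (not part of the original article or of the Venafi product), this POSIX shell script performs steps 1 through 4 non-interactively and then runs the check worth doing before step 7: that agent.crt verifies against kmip.crt and that agent.pfx carries both certificates. It assumes OpenSSL 1.1.1 or later on the PATH, uses constructed passphrases, subject names and a minimal config in place of the attached ved.cnf, and self-signs with openssl req -x509 rather than openssl ca -selfsign.

```shell
#!/bin/sh
# Added example, not from the original article: placeholder passphrases, subject
# names and a minimal stand-in for ved.cnf are constructed for the demo.
set -eu

# Mirrors steps 1-4 above in directory $1: self-signed KMIP server certificate,
# Agent certificate signed by it, and the two PKCS#12 exports.
build_kmip_material() {
  dir=$1
  mkdir -p "$dir"
  cat >"$dir/kmip.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign,digitalSignature
EOF
  # Step 1: key (AES-256 instead of the article's DES3) and a 4383-day self-signed
  # CA certificate; `req -x509` stands in for `openssl ca -selfsign`.
  openssl genrsa -aes256 -passout pass:kmip-pass -out "$dir/kmip.key" 2048 2>/dev/null
  openssl req -new -x509 -config "$dir/kmip.cnf" -days 4383 -key "$dir/kmip.key" \
    -passin pass:kmip-pass -subj "/CN=kmip-server.example.test" -out "$dir/kmip.crt"
  # Step 2: Agent key and CSR, signed by the KMIP certificate for 2922 days.
  # -CAcreateserial is needed on first issuance only (it creates kmip.srl).
  openssl genrsa -aes256 -passout pass:agent-pass -out "$dir/agent.key" 2048 2>/dev/null
  openssl req -new -config "$dir/kmip.cnf" -key "$dir/agent.key" -passin pass:agent-pass \
    -subj "/CN=director-agent-01" -out "$dir/agent.csr"
  openssl x509 -req -days 2922 -in "$dir/agent.csr" -CA "$dir/kmip.crt" \
    -CAkey "$dir/kmip.key" -passin pass:kmip-pass -CAcreateserial \
    -out "$dir/agent.crt" 2>/dev/null
  # Steps 3-4: PKCS#12 bundles; the Agent bundle carries kmip.crt as its chain.
  openssl pkcs12 -export -out "$dir/kmip.pfx" -inkey "$dir/kmip.key" \
    -passin pass:kmip-pass -in "$dir/kmip.crt" -passout pass:export-pass
  openssl pkcs12 -export -out "$dir/agent.pfx" -inkey "$dir/agent.key" \
    -passin pass:agent-pass -in "$dir/agent.crt" -certfile "$dir/kmip.crt" \
    -passout pass:export-pass
}

# Returns 0 only if agent.crt chains to kmip.crt and agent.pfx holds both
# certificates, i.e. the file is fit to be renamed to vagent.p12 (step 7).
verify_kmip_material() {
  dir=$1
  openssl verify -CAfile "$dir/kmip.crt" "$dir/agent.crt" >/dev/null || return 1
  certs=$(openssl pkcs12 -in "$dir/agent.pfx" -passin pass:export-pass -nokeys \
            | grep -c 'BEGIN CERTIFICATE' || true)
  [ "$certs" -eq 2 ]
}
```

Call build_kmip_material on a scratch directory and then verify_kmip_material on the same directory; a non-zero exit from the second function means the exported Agent bundle would not present a chain the KMIP server can validate.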