
Info: Truststore provisioning commands and permissions

What is a Truststore?

A trust store is a collection of root certificates that are trusted by default. Public trust stores are maintained by the vendors of operating systems and web browsers, such as Apple, Microsoft, Mozilla, and Google (Chrome). Each vendor has its own standards and requirements for root certificates, but all of them require an issuing CA to undergo one or more audits before its root certificate is included. In TPP, Trust Store objects are created under devices and are associated with Certificate Trust Bundles.


A Certificate Trust Bundle is a collection of whitelisted (trusted) and blacklisted (explicitly distrusted) certificates that is assigned to a Trust Store. The trust bundle is associated with the Trust Store, and the Trust Store is the application object that is provisioned onto its associated device.

Trust Store configuration (including trust bundle assignments) can be done via policy, which is the recommended method when many Trust Stores share the same configuration; otherwise a Certificate Trust Bundle object can be added underneath a policy and associated with the individual Trust Store.


UNIX Permissions

The ID used to provision the truststore must be granted sudo permissions in the /etc/sudoers file for the TPP truststore application driver to provision successfully on UNIX.

The TPP truststore application driver first checks whether the truststore already exists in the designated directory; if it does, the driver makes a backup of it before provisioning the new trust bundle into the truststore.

e.g. /etc/default/pem_truststore-ved.bak

While the truststore is being provisioned, the TPP application driver creates a hidden working directory under /tmp, similar to the one below, where it temporarily stores the file. The directory is removed after provisioning completes.

/tmp/.venafiWorkingDir_1379043263

UNIX PEM, GSK, JKS and PKCS#12 Truststore Provisioning Commands and Permissions

UNIX provisioning uses SSH to provision truststores in PEM, GSK, JKS and PKCS#12 keystore formats. The table below shows the commands used for each format. SFTP is used to transfer the keystore from the TPP server. set is a shell builtin, and uname does not need to be executed with any privileges. The UNIX commands cp, ls, rm and mkdir need to be executed as root in order to place the truststore into the designated directory. In this example, /etc/default is used as the target directory.

[Table image not reproduced here: provisioning commands and required privileges per truststore format]

Note: The working directory is created under /tmp, so if the provisioning ID already has write permission on /tmp (the default on most systems), sudo permission is not needed for mkdir to create it. mkdir only needs to run as root when the driver has to create the target directory itself.
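The following POSIX sh script is an added example, not Venafi's driver code: it re-enacts the provisioning sequence described above (existence check, backup, staging under /tmp, copy into the target directory, cleanup) using the same four privileged commands, and adds a post-provisioning check on the installed PEM file. The backup suffix "-ved.bak", the working-directory prefix and /etc/default come from this article; the truststore file name "pem_truststore", the SUDO variable and the mktemp random suffix (the driver uses a numeric one) are assumptions made for the example so that it can run unprivileged against a scratch directory.

```shell
#!/bin/sh
# Added example (not Venafi's driver code): a POSIX sh re-enactment of the
# UNIX truststore provisioning sequence, using the same four privileged
# commands the sudoers entry grants (cp, ls, rm, mkdir).
# Assumptions: SUDO is a hypothetical knob, empty for an unprivileged dry run
# against a scratch directory, "sudo" when the target is root-owned such as
# /etc/default. The "-ved.bak" suffix and /tmp/.venafiWorkingDir_ prefix come
# from the article; mktemp's random suffix replaces the driver's numeric one.

# Path of the working directory created by the last provision_truststore call
LAST_WORKDIR=

provision_truststore() {
    bundle_src=$1      # new trust bundle to install (PEM in this example)
    target_dir=$2      # directory the truststore lives in, e.g. /etc/default
    name=$3            # truststore file name, e.g. pem_truststore
    sudo_cmd=${SUDO-}  # deliberately unquoted below so an empty value vanishes

    target="$target_dir/$name"

    # 1. Existence check via ls (one of the granted commands); back up the
    #    current truststore before it is overwritten.
    if $sudo_cmd ls "$target" >/dev/null 2>&1; then
        $sudo_cmd cp "$target" "$target-ved.bak" || return 1
    fi

    # 2. Stage the file in a hidden working directory under /tmp. Creating it
    #    needs no root because /tmp is world-writable; mktemp avoids collisions
    #    between concurrent runs.
    work=$(mktemp -d /tmp/.venafiWorkingDir_XXXXXX) || return 1
    LAST_WORKDIR=$work
    if ! cp "$bundle_src" "$work/$name"; then
        rm -rf "$work"
        return 1
    fi

    # 3. Place the staged file into the target directory. Both commands run
    #    under $sudo_cmd because the real target (/etc/default) is root-owned.
    if $sudo_cmd mkdir -p "$target_dir" && $sudo_cmd cp "$work/$name" "$target"; then
        rc=0
    else
        rc=1
    fi

    # 4. Remove the working directory whether or not step 3 succeeded.
    rm -rf "$work"
    return $rc
}

# Post-provisioning check: number of certificates in a PEM truststore.
# Comparing this with the expected size of the trust bundle catches an empty
# or truncated copy before clients start trusting the new file.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Usage (dry run against a scratch directory; export SUDO=sudo for a real
# target such as /etc/default):
#   provision_truststore ./bundle.pem /tmp/scratch/etc_default pem_truststore
#   count_certs /tmp/scratch/etc_default/pem_truststore
```

Because $sudo_cmd is prefixed to exactly the commands listed in the sudoers entry, running the script with SUDO=sudo against a real target is also a quick way to confirm that the entry is sufficient: any command that prompts for a password or is refused is one the entry is missing.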

sudoers file example entry

This /etc/sudoers example limits the account to the four commands the driver needs instead of granting it unrestricted root, which is the least privilege configuration this article recommends. Be aware that cp and rm with unrestricted arguments still let the account overwrite or delete any file as root, so consider restricting the permitted arguments to the working and target paths (check the sudoers manual's caveats on wildcard matching first), and give serious consideration to requiring a password rather than NOPASSWD:

venafi01           ALL=NOPASSWD: /bin/cp, /bin/ls, /bin/rm, /bin/mkdir

Windows CAPI Truststore Provisioning Permissions

Windows uses WinRM to provision the truststore into the CAPI store and requires an ID with local administrator rights on the target machine in order to provision.

Blue Coat SSLVA, IBM Sterling Connect Direct, F5 LTM and Palo Alto Networks Provisioning Permissions

These devices use the same access permissions as SSL certificate provisioning. Refer to the Venafi TPP documentation for information on setting up the credentials for each specific device.

References

Info: About using Sudo

https://support.venafi.com/hc/en-us/articles/115007394487-Info-About-Using-Sudo 

Configuring a trust bundle

https://docs.venafi.com/Docs/current/TopNav/Content/Whitelisting/t-whitelist-create-trust-bundle.php

Configuring trust stores

https://docs.venafi.com/Docs/current/TopNav/Content/Whitelisting/c-whitelist-trust-store-config.php?Highlight=trust%20store
