Black Box EncrypTight Appliance Trim Kit User Manual
Using Certificates in an EncrypTight System
EncrypTight User Guide 265
In usage, you type this string as follows:
-dname "cn=<common name>, ou=<organization unit>, o=<organization name>, l=<location>, s=<state/province>, c=<country>"
The information must be entered in the order shown. For example:
-dname "cn=John Doe, ou=customer support, o=my company, l=raleigh, s=NC, c=US"
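The following is an added example, not code from the EncrypTight guide: it builds the -dname string in the order the guide requires, escapes commas inside attribute values (keytool parses the name as RFC 2253, so an unescaped comma in a value such as an organization name splits the name), and assembles a keytool -genkeypair invocation as an argv list so no shell quoting is needed. The alias, keystore and key parameters are assumed values.

```python
import shlex

# Attribute keys in the exact order the guide requires for -dname.
DNAME_ORDER = ("cn", "ou", "o", "l", "s", "c")


def escape_dname_value(value: str) -> str:
    """Backslash-escape the RFC 2253 separator characters inside a value.
    Without this, keytool would treat a comma in "Black Box, Inc." as the
    start of the next attribute."""
    return "".join(("\\" + ch) if ch in ',+"<>;\\' else ch for ch in value)


def build_dname(**fields: str) -> str:
    """Assemble the -dname string in the required order, regardless of the
    order the caller supplied the keyword arguments in."""
    unknown = set(fields) - set(DNAME_ORDER)
    if unknown:
        raise ValueError(f"unsupported dname attribute(s): {sorted(unknown)}")
    if not fields.get("cn"):
        raise ValueError("cn (common name) is required")
    return ", ".join(
        f"{key}={escape_dname_value(fields[key])}"
        for key in DNAME_ORDER if key in fields
    )


def keytool_genkeypair_argv(alias: str, keystore: str, dname: str,
                            keyalg: str = "RSA", keysize: int = 2048) -> list:
    """Return the argv for a keytool -genkeypair call (alias, keystore and
    key parameters are assumed example values). Passing argv directly to
    subprocess avoids a shell, so the dname needs no outer quotes."""
    return ["keytool", "-genkeypair", "-alias", alias, "-keystore", keystore,
            "-keyalg", keyalg, "-keysize", str(keysize), "-dname", dname]


def shell_form(argv: list) -> str:
    """Render the same command for pasting into a POSIX shell; shlex.quote
    supplies the quoting the guide shows with double quotes."""
    return " ".join(shlex.quote(arg) for arg in argv)


if __name__ == "__main__":
    dn = build_dname(cn="John Doe", ou="customer support", o="Black Box, Inc.",
                     l="raleigh", s="NC", c="US")
    print(shell_form(keytool_genkeypair_argv("etkms1", "etkms1.jks", dn)))
```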
Related topics:
“Generating a Key Pair” on page 272
“Generating a Key Pair for use with the HSM” on page 276
“Working with Certificate Requests” on page 281
Using Certificates in an EncrypTight System
EncrypTight components ship with self-signed identity certificates. You can continue to use these
certificates, or you can replace them with certificates acquired from a trusted CA. By default,
EncrypTight uses the Transport Layer Security (TLS) protocol for communications between components.
This encrypts communications, but does not automatically provide authentication. If you enable strict
authentication, you can use certificates to authenticate identities and set up encrypted communications for
management traffic between components.
To authenticate the communications, each component needs one of the following:
A copy of the identity certificate for every component with which it communicates.
A trusted root CA. EncrypTight components can check up to 10 certificates in a certificate chain.
Manually exporting and installing certificates for a large number of devices can be burdensome. In larger
deployments it is more efficient to use a CA certificate than to install individual certificates for each
component with which a device might need to communicate.
When you replace the self-signed certificates, each component in an EncrypTight system needs at least an
identity certificate for itself and a copy of the trusted CA certificate. The CA certificate is used to
validate the identity certificate when communication sessions are initiated. You might also need
certificates for any intermediate CAs in the chain.
You request and install certificates for the EncrypTight software and the ETKMS using the Java-based
keytool utility. For the ETEP PEPs, you can use the Certificate Manager perspective in ETEMS to
request and install certificates (for more information, see “Working with Certificates for the ETEPs” on
page 277).
Related topics:
“About Strict Authentication” on page 262
“Working with Certificates for EncrypTight and the ETKMSs” on page 272
“Working with Certificates and an HSM” on page 275
“Working with Certificates for the ETEPs” on page 277
“Validating Certificates” on page 287