Brocade Fabric OS Encryption Administrator's Guide Supporting RSA Data Protection Manager (DPM) Environments (Supporting Fabric OS v7.2.0): KAC certificate registration expiry; Importing the signed KAC certificate

Fabric OS Encryption Administrator's Guide (DPM) | 31 | 53-1002922-01
2 | Steps for connecting to a DPM appliance

KAC certificate registration expiry

It is important to keep track of when your signed KAC certificates will expire. Working with
expired certificates causes certain commands to not work as expected. If you are using the certificate
expiry feature and the certificate expires, the key vault server will not respond as expected. For
example, the group leader in an encryption group might show that the key vault is connected,
while a member node reports that the key vault is not responding.

To verify the certificate expiration date, use the following command:

openssl x509 -in newcerts/<Switch Cert Name> -dates -noout

Output:

Not Before: Dec 4 18:03:14 2009 GMT

Not After : Dec 4 18:03:14 2010 GMT

In the example above, the certificate validity is active until “Dec 4 18:03:14 2010 GMT.” After the
KAC certificate has expired, the registration process must be redone.

NOTE

In the event that the signed KAC certificate must be re-registered, you will need to log in to the key
vault web interface and upload the new signed KAC certificate for the corresponding Brocade
Encryption Switch identity.

You can change the value of the certificate expiration date using the following command:

openssl x509 -req -sha1 -CAcreateserial -in certs/<Switch CSR Name> -days 365 -CA cacert.pem -CAkey private/cakey.pem -out newcerts/<Switch Cert Name>

In the example above, the certificate is valid for a period of one year (365 days). You can increase
or decrease this value according to your own specific needs. The default is 3649 days, or 10 years.
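The two openssl steps above (signing a CSR for a chosen number of days, then reading the validity window) can be rehearsed end to end without touching a switch or key vault. The script below is an added example, not part of the Brocade guide: it builds a throw-away test CA and a stand-in "switch" CSR in a temporary directory, signs the CSR with the same openssl x509 -req form the guide uses (with sha256 in place of sha1), prints the dates, and then uses openssl x509 -checkend to decide whether the certificate will still be valid in 30 days, which is the check an administrator would schedule so that re-signing and re-registration happen before the key vault stops responding. All file names, the subject names and the 30-day threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the Brocade guide). Builds a test CA and a stand-in
# switch certificate in a temporary directory, signs it for a chosen number of
# days, and checks how close it is to expiry. Paths and names are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create a CA key and self-signed CA certificate (constructed test data,
# laid out like the guide's cacert.pem / private/cakey.pem).
make_test_ca() {
    mkdir -p "$WORK/private" "$WORK/certs" "$WORK/newcerts"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Test CA" \
        -keyout "$WORK/private/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

# Create a key and CSR standing in for the switch's KAC CSR.
make_switch_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=switch01-kac" \
        -keyout "$WORK/private/switch01.key" \
        -out "$WORK/certs/switch01.csr" 2>/dev/null
}

# Sign the CSR for $1 days, mirroring the guide's openssl x509 -req command.
sign_switch_cert() {
    days="$1"
    openssl x509 -req -sha256 -CAcreateserial -days "$days" \
        -in "$WORK/certs/switch01.csr" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/private/cakey.pem" \
        -out "$WORK/newcerts/switch01.pem" 2>/dev/null
}

# Print the Not Before / Not After window, as the guide's -dates command does.
show_dates() {
    openssl x509 -in "$WORK/newcerts/switch01.pem" -dates -noout
}

# Return 0 if the certificate stays valid for at least $1 more days, 1 if it
# expires sooner. -checkend exits non-zero when expiry falls inside the window.
cert_valid_for_days() {
    secs=$(( $1 * 86400 ))
    openssl x509 -in "$WORK/newcerts/switch01.pem" -checkend "$secs" -noout >/dev/null
}

main() {
    make_test_ca
    make_switch_csr
    sign_switch_cert 365
    show_dates
    if cert_valid_for_days 30; then
        echo "OK: certificate valid for more than 30 days"
    else
        echo "WARNING: certificate expires within 30 days; re-sign the CSR and re-register the KAC certificate"
    fi
}

main
```

Running the script prints the same Not Before / Not After pair the guide shows and then the OK line; changing the 365 in main to a small value, or raising the 30-day threshold, switches it to the warning. The -checkend test is what a cron job or monitoring check would run against newcerts/<Switch Cert Name> so that an expiring KAC certificate is noticed while the key vault still answers.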

Importing the signed KAC certificate

After a KAC CSR has been submitted and signed by a CA, the signed certificate must be imported
into the switch.

1. Select a switch from the Encryption Center Devices table, then select Switch > Import Certificate from the menu task bar to display the Import Signed Certificate dialog box. (Refer to Figure 15.)

FIGURE 15 Import Signed Certificate dialog box

2. Browse to the location where the signed certificate is stored, then click OK.

The signed certificate is stored on the switch.
