Signiant Support

How to trust certificates signed by other managers


Summary

Agents are configured by default for secure communication with other Agents using SSL/TLS mutual authentication. This requires that each host/Agent owns a unique X.509 certificate binding its FQDN (Fully Qualified Domain Name) to the certificate and host computer. In addition, participating Managers/Agents must trust the Certificate Authority (CA) that issued the X.509 certificate being presented. A Certificate Authority is a trusted third party: the communicating parties need not know each other, but they must all trust the CA. Typically, within a site, all hosts/Agents are populated with X.509 certificates issued by a single CA, such as the Manager's ddsCA (the Trusted CA). By default they therefore all trust each other's certificates, because each holds a certificate issued by the same CA and also holds a copy of the Trusted CA certificate in its security credential store for verification purposes.

When communicating Managers/Agents belong to different Organizations (or Departments), each with its own site and its own separate Trusted CA (Manager), trust may need to be extended across Trusted CAs.

Discussion

For mutual authentication to work, each end-entity (Manager/Agent) must present its unique digital identification (its X.509 certificate) to the other. Each entity in this case is populated with a certificate issued by its own Trusted CA. The trust relationship is as follows: if Host01 has a certificate issued by CA_01 and Host02 has a certificate issued by CA_02, then Host01 must import the CA_02 X.509 certificate and Host02 must import the CA_01 X.509 certificate for mutual authentication to work.

Steps

• On each host, run "dds_cert extract". This produces at least two files: ddsCA_cert.pem and <hostname>_cert.pem.
• Swap the ddsCA_cert.pem files: copy the file created by each host to the other host.
• Stop the Process Control Service
     ◦ Linux/Mac: <install dir>/init/siginit stop sigagent
     ◦ Windows: Control Panel -> Services -> Signiant Process Control Service - Stop

• Import the other site's CA certificate on both hosts: "dds_cert addca ddsCA_cert.pem"
• Start the Process Control Service
     ◦ Linux/Mac: <install dir>/init/siginit start sigagent
     ◦ Windows: Control Panel -> Services -> Signiant Process Control Service - Start
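The following script is an added example, not Signiant's code: it models the two-site trust swap above with throwaway OpenSSL CAs (CA_01 and CA_02, hostnames host01.site-a.example and host02.site-b.example are constructed) and checks a peer certificate the way mutual authentication must, requiring both a chain to a trusted CA and a match on the FQDN the certificate binds. It assumes the openssl command-line tool is installed and stands in for the Agent's credential store with a plain PEM bundle; it does not run dds_cert.

```shell
#!/bin/sh
# Added example, not Signiant's code: models the two-site trust swap with
# throwaway OpenSSL CAs, then checks a peer certificate the way the Agent's
# mutual authentication must: chains to a trusted CA AND is bound to the FQDN.
set -e
WORK="$(mktemp -d)"

# make_site CA_NAME HOST_FQDN: issue a site CA and a host certificate it signs
# (stands in for "dds_cert extract" output: <CA>_cert.pem and <host>_cert.pem)
make_site() {
  ca="$WORK/$1"; host="$WORK/$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$ca.key" -out "${ca}_cert.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$host.key" -out "$host.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$2" > "$host.ext"
  openssl x509 -req -in "$host.csr" -CA "${ca}_cert.pem" -CAkey "$ca.key" \
    -CAcreateserial -days 1 -extfile "$host.ext" -out "${host}_cert.pem" 2>/dev/null
}

# peer_trusted TRUST_BUNDLE PEER_CERT EXPECTED_FQDN: succeeds only if PEER_CERT
# verifies against a CA in TRUST_BUNDLE and names EXPECTED_FQDN (SAN or CN)
peer_trusted() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  openssl x509 -noout -in "$2" -checkhost "$3" | grep -q ' does match '
}

# cross_site_demo: Host01 (issued by CA_01) evaluating Host02 (issued by CA_02)
# before and after CA_02's certificate is added to Host01's trusted CAs
cross_site_demo() {
  make_site CA_01 host01.site-a.example
  make_site CA_02 host02.site-b.example
  h2="$WORK/host02.site-b.example_cert.pem"
  # Before the swap Host01 trusts only its own ddsCA: Host02 must be rejected
  if peer_trusted "$WORK/CA_01_cert.pem" "$h2" host02.site-b.example; then
    echo "unexpected: Host02 trusted before CA_02 was imported"; return 1
  fi
  # The equivalent of "dds_cert addca ddsCA_cert.pem": both CA certs trusted
  cat "$WORK/CA_01_cert.pem" "$WORK/CA_02_cert.pem" > "$WORK/host01_trust.pem"
  # Now Host02 is accepted, but only under the FQDN its certificate binds
  peer_trusted "$WORK/host01_trust.pem" "$h2" host02.site-b.example || return 1
  if peer_trusted "$WORK/host01_trust.pem" "$h2" rogue.site-b.example; then
    echo "unexpected: certificate accepted for a different FQDN"; return 1
  fi
  echo "Host01 trusts Host02 only after importing CA_02 and only as host02.site-b.example"
}

cross_site_demo
```

Note that importing CA_02 makes Host01 accept every certificate CA_02 has issued, not just Host02's, so the swapped ddsCA_cert.pem should come only from a Manager you actually intend to trust.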

Copyright © 2014 Signiant Inc, all rights reserved.