6.8. Managing the certificates used on PSM

PSM uses a number of certificates for different tasks that can be managed from the Basic Settings > Management > SSL certificate menu.

Figure 6.20. Basic Settings > Management > SSL certificate — Changing the web certificate of PSM

Basic Settings > Management > SSL certificate — Changing the web certificate of PSM

The following certificates can be modified here:

  • CA certificate: The certificate of the internal Certificate Authority of PSM.

  • Server certificate: The certificate of the PSM web interface, used to encrypt the communication between PSM and the administrators.

    Note

    If this certificate is changed, the browser of PSM users will display a warning stating that the certificate of the site has changed.

  • TSA certificate: The certificate of the internal Timestamping Authority that provides the timestamps used when creating encrypted audit-trails.

Note

PSM uses other certificates for different purposes that are not managed here, for example, to encrypt data stored on PSM. For details, see Procedure 7.10.1, Encrypting audit trails.

Use every keypair or certificate only for one purpose. Do not reuse cryptographic keys or certificates, for example, do not use the certificate of the PSM webserver to encrypt audit trails, or do not use the same keypair for signing and encrypting data.

For every certificate, the distinguished name (DN) of the X.509 certificate and the fingerprint of the private key is displayed. To display the entire certificate click on the DN. To display the public part of the private key, click on the fingerprint. It is not possible to download the private key itself from the PSM web interface, but the public part of the key can be downloaded in different formats (for example PEM, DER, or OpenSSH). Also, the X.509 certificate can be downloaded in PEM and DER formats.

During the initial configuration, PSM creates a self-signed CA certificate, and uses this CA to issue the certificate of the web interface (see Server certificate) and the internal Timestamping Authority (TSA certificate).

There are two methods to manage certificates of PSM:

  • Recommended: Generate certificates using your own PKI solution and upload them to PSM.

    Generate a CA certificate and two other certificates signed with this CA using your PKI solution and upload them to PSM. For the Server and TSA certificates, upload the private key as well. Balabit recommends using 2048-bit RSA keys (or stronger), and to use certificates that have the appropriate keyUsage or extendedKeyUsage fields set (for example, extendedKeyUsage=serverAuth for the PSM web server certificate).

    For details on uploading certificates and keys created with an external PKI, complete Procedure 6.8.2, Uploading external certificates to PSM.

    Warning

    The Server and the TSA certificates must be issued by the same Certificate Authority.

  • Use the certificates generated on PSM. In case you want to generate new certificates and keys for PSM using its self-signed CA certificate, or generate a new self-signed CA certificate, complete Procedure 6.8.1, Generating certificates for PSM.

    Note

    Generate certificates using your own PKI solution and upload them to PSM whenever possible. Certificates generated on PSM cannot be revoked, and can become a security risk if they are somehow compromised.