Appendix A - Install a signed certificate from your local root CA in the Entrust KeyControl cluster

Any CA can be used for this integration. For the purpose of this integration, a Microsoft Windows CA configured as a local root CA was used.

Create a CSR

  1. Log into the Entrust KeyControl server web GUI.

  2. In the Vault Management dashboard, select the Settings icon on the top right.

  3. Select the Action icon pull-down menu. Then select Generate CSR.

  4. Enter your information.

    Include the FQDN and/or IP address of every Entrust KeyControl node in the Subject Alternative Names.

    For example:

    [Screenshot: keycontrolvault csr]

Sign the certificate

  1. Log into your local root CA with Administrator privileges.

  2. Copy the CSR created above to a local folder.

  3. Launch the certsrv application.

  4. Right-click on the <certification authority name> in the left pane and select All Tasks / Submit new request...

  5. Select the copied CSR.

  6. Select <certification authority name> / Pending Requests in the left pane.

  7. Right-click on the request in the right pane and select All Tasks / Issue.

  8. Select <certification authority name> / Issued Certificates in the left pane.

  9. Select the certificate.

    For example:

    [Screenshot: keycontrolvault cert]

  10. Select the Details tab / Copy to File... and follow the instructions, selecting Base-64 encoded X.509 as the Export File Format. For example, name the file keycontrolvault.

  11. Export the local root CA certificate in PEM format.

    C:\Users\Administrator>certutil -ca.cert C:\Users\Administrator\Downloads\rootcacert.cer
    CA cert[0]: 3 -- Valid
    CA cert[0]:
    
    CertUtil: -ca.cert command completed successfully.
    
    C:\Users\Administrator>certutil -encode C:\Users\Administrator\Downloads\rootcacert.cer C:\Users\Administrator\Downloads\rootcacert.pem.cer
    Input Length = 923
    Output Length = 1328
    CertUtil: -encode command completed successfully.

  12. Copy the keycontrolvault certificate and the rootcacert.pem.cer to a location accessible by the Entrust KeyControl server.
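
A pre-install check for the two files produced above, added here as an example (it is not Entrust or Microsoft code): it confirms that the issued certificate lists every node name in its Subject Alternative Names and that its chain ends at the exported root. The function name, the keycontrolvault.cer file name and the node names are assumptions, and the SAN parsing assumes an English-language Windows host.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example. Function name, node names and keycontrolvault.cer are assumptions.
function Test-KeyControlCertificate {
    param(
        [Parameter(Mandatory)] [string]   $CertPath,      # issued cert, Base-64 X.509
        [Parameter(Mandatory)] [string]   $RootPath,      # exported root CA cert
        [Parameter(Mandatory)] [string[]] $ExpectedNames  # every node FQDN and/or IP
    )
    $leaf = [X509Certificate2]::new((Resolve-Path $CertPath).Path)
    $root = [X509Certificate2]::new((Resolve-Path $RootPath).Path)

    # Subject Alternative Name extension (OID 2.5.29.17). Format() returns lines
    # such as "DNS Name=..." and "IP Address=..." on English-language Windows.
    $sanExt = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $san = @()
    if ($sanExt) {
        $san = @($sanExt.Format($true) -split '\r?\n' |
            Where-Object { $_ -match '=' } |
            ForEach-Object { ($_ -split '=', 2)[1].Trim() })
    }
    $missing = @($ExpectedNames | Where-Object { $san -notcontains $_ })

    # Build the chain with the exported root as a candidate issuer, then require
    # that the chain really ends at that root (compared by thumbprint).
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode    = 'NoCheck'  # CRL reachability not tested here
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    [void]$chain.ChainPolicy.ExtraStore.Add($root)
    $built = $chain.Build($leaf)
    $top   = $chain.ChainElements | Select-Object -Last 1
    $toRoot = $built -and ($top.Certificate.Thumbprint -eq $root.Thumbprint)

    [pscustomobject]@{
        Subject        = $leaf.Subject
        NotAfter       = $leaf.NotAfter
        SanEntries     = $san
        MissingNames   = $missing
        ChainsToRoot   = $toRoot
        ReadyToInstall = $toRoot -and ($missing.Count -eq 0)
    }
}

# Constructed sample values: replace with your own node FQDNs / IPs and paths.
Test-KeyControlCertificate `
    -CertPath 'C:\Users\Administrator\Downloads\keycontrolvault.cer' `
    -RootPath 'C:\Users\Administrator\Downloads\rootcacert.pem.cer' `
    -ExpectedNames 'kcv-node1.example.com', 'kcv-node2.example.com', '192.0.2.11'
```

If MissingNames is not empty, generate a new CSR with the complete Subject Alternative Names list rather than installing the certificate.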

Install certificate

  1. Log into the Entrust KeyControl server web GUI.

  2. In the Vault Management dashboard, select the Settings icon on the top right.

  3. Select the Custom radio button in Certificate Types.

  4. Browse and select the certificate as shown.

    [Screenshot: kc server root certs]

  5. The other default settings are appropriate for most applications. Make any changes necessary.

  6. Select Apply.