Certificate Details

The KeySafe 5 Agent uses certificates to secure communications to the Agent Communications Interface in the KeySafe 5 central platform.

Agent Communication Certificates

TLS certificates are used to authenticate the agent’s connection to the Agent Communication interface and secure communication between the KeySafe 5 Agent and the KeySafe 5 central platform.

For an agent on an nShield client machine, these certificates are found in the %NFAST_DATA_HOME%/keysafe5/conf/messagebus/tls directory.

File Name   Description
tls.crt     The TLS certificate for the KeySafe 5 agent to authenticate to the Agent Communication interface.
tls.key     The private key for the KeySafe 5 agent to authenticate to the Agent Communication interface.
ca.crt      The CA certificate used to sign the Agent Communication Server certificates.

TLS Certificate DistinguishedName Requirements

The KeySafe 5 Agent Communications interface uses a TLS certificate’s DistinguishedName to identify the certificate and restrict permissions for specific certificates.

Agent on KeySafe 5 client machine

For an agent on an nShield client machine, the DistinguishedName in the TLS certificate used for connection to the Agent Communications interface must contain the hostname of the machine that the agent is running on (or the value of override_hostname in the Agent configuration, if this value is set). If the certificate's DistinguishedName does not contain the machine's hostname (or the value of override_hostname, if set), the Agent will not start.

For an agent on an nShield client machine, the TLS certificate DistinguishedName must not contain the value keysafe5-backend-services. If it does, the Agent will not start.

Agent on Connect HSM

For an agent on an nShield Connect HSM, the Agent configuration value for override_hostname is automatically set to nshield_module_{esn} or hsm_{esn}, and this configuration cannot be modified. The DistinguishedName in the TLS certificate used for connection to the Agent Communications interface must contain this value with the correct ESN for the Connect HSM.

The Certificate Signing Request (CSR) downloaded from the Connect Serial Console will contain the correct name in the request.
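A preflight check for the DistinguishedName rules above (client-machine agents: hostname or override_hostname present, keysafe5-backend-services absent; Connect HSM agents: nshield_module_{esn} or hsm_{esn} present), added here as an example and not Entrust code. It reads the subject in the RFC 2253 form printed by openssl; the function names and the sample DNs are this example's own.

```python
# Added example (not Entrust code): check an agent certificate's DistinguishedName
# against the KeySafe 5 Agent rules before starting the agent. Input is the form
# printed by: openssl x509 -noout -subject -nameopt RFC2253 -in tls.crt
import re
import socket

FORBIDDEN_NAME = "keysafe5-backend-services"
# RFC 2253 separates RDNs with commas; a backslash-escaped comma is data.
_RDN_SEPARATOR = re.compile(r"(?<!\\),")

def parse_dn(dn):
    """Return [(attribute_type, value), ...] for an RFC 2253 DN string,
    tolerating the 'subject=' prefix openssl prints and undoing escapes."""
    dn = dn.strip()
    if dn.startswith("subject="):
        dn = dn[len("subject="):].strip()
    parts = []
    for rdn in _RDN_SEPARATOR.split(dn):
        if rdn.strip():
            attr_type, _, value = rdn.partition("=")
            parts.append((attr_type.strip().upper(), re.sub(r"\\(.)", r"\1", value)))
    return parts

def expected_agent_names(override_hostname=None, esn=None):
    """Connect HSM agents are fixed to nshield_module_{esn} or hsm_{esn};
    client-machine agents use override_hostname if set, else the hostname."""
    if esn is not None:
        return [f"nshield_module_{esn}", f"hsm_{esn}"]
    return [override_hostname or socket.gethostname()]

def check_dn(dn, acceptable_names):
    """Return (ok, reasons). 'Contains' is read here as: the name appears
    inside some attribute value of the DN (an exact CN match also passes)."""
    values = [value for _, value in parse_dn(dn)]
    reasons = []
    if not any(name in value for name in acceptable_names for value in values):
        reasons.append(f"DN lacks required name (one of {acceptable_names})")
    if any(FORBIDDEN_NAME in value for value in values):
        reasons.append(f"DN contains reserved name {FORBIDDEN_NAME!r}")
    return (not reasons, reasons)

if __name__ == "__main__":
    # Constructed sample DNs, not from any real deployment.
    good = "CN=hsm-client-01.example.internal,OU=KeySafe5 Agents,O=Example"
    bad = "CN=keysafe5-backend-services,O=Example"
    print(check_dn(good, expected_agent_names("hsm-client-01.example.internal")))
    print(check_dn(bad, expected_agent_names(esn="1234-5678-ABCD")))
```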