Certificate Details

In a KeySafe 5 Kubernetes deployment, certificates are used to secure communications. The following sections describe the different types of certificates that KeySafe 5 uses.

WebUI/API Interface Certificates

Certificates are used to secure the API and WebUI interface. These certificates are stored in the Kubernetes Secret resource named by the value tls.existingSecret in the helm-keysafe5-istio Helm Chart.

File Name   Description
tls.crt     The TLS certificate for the WebUI/API interface.
tls.key     The private key for the WebUI/API interface.

Agent Communication Certificates

TLS certificates are used to secure communication between KeySafe 5 central platform and KeySafe 5 Agents.

Server Certificates

The server certificates are used by KeySafe 5 to secure the Agent communications interface.

These certificates are stored in the Kubernetes Secret resource named by the value messageBus.serverTLS.existingSecret in the helm-keysafe5-backend Helm Chart.

File Name   Description
tls.crt     The server TLS certificate for the KeySafe 5 Agent communication interface.
tls.key     The private key for the KeySafe 5 Agent communication interface.
ca.crt      The CA certificate used to sign the server TLS certificate and all KeySafe 5 Agent certificates. KeySafe 5 Agents whose certificates are not signed by this CA will not be able to connect to the KeySafe 5 Service.

Client Certificates

The client certificates are used by KeySafe 5 internally to authenticate the connection to the Agent Communication interface.

These certificates are stored in the Kubernetes Secret resource named by the value messageBus.tls.existingSecret in the helm-keysafe5-backend Helm Chart.

The TLS certificate that KeySafe 5 uses to connect to the Agent Communications interface must contain keysafe5-backend-services in the certificate’s Distinguished Name, so that the Agent Communications interface can correctly limit the permissions granted to this certificate. If the certificate’s Distinguished Name does not contain keysafe5-backend-services, KeySafe 5 will be unable to connect to the Agent Communication interface.

File Name   Description
tls.crt     The TLS certificate that KeySafe 5 uses to authenticate to the Agent Communication interface. This certificate is signed by the CA used to sign KeySafe 5 Agent certificates.
tls.key     The private key that the KeySafe 5 Service uses to authenticate to the Agent Communication interface.
ca.crt      The CA certificate used to sign the Agent Communication Server certificates.
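The two requirements stated above for the messageBus.tls.existingSecret contents (tls.crt chains to ca.crt, and its Distinguished Name contains keysafe5-backend-services) can be checked before the Secret is created. The Go program below is an added example and is not part of the KeySafe 5 product or its documentation; it builds a throwaway CA and client certificate in memory to stand in for ca.crt and tls.crt, and the Issue helper and the constructed-agent-ca name are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)
// CheckBackendClientCert applies the two checks this page states for the client
// Secret: tls.crt must chain to ca.crt, and its subject DN must name keysafe5-backend-services.
func CheckBackendClientCert(leaf, ca *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("tls.crt does not chain to ca.crt: %w", err)
	}
	if !strings.Contains(leaf.Subject.String(), "keysafe5-backend-services") {
		return fmt.Errorf("tls.crt subject DN %q lacks keysafe5-backend-services", leaf.Subject.String())
	}
	return nil
}

// Issue is a constructed helper (not KeySafe 5 tooling): it signs a certificate for cn
// with parent, or self-signs a root when parent is nil, so the check can run offline.
func Issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { parent, parentKey = tmpl, key } // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func main() {
	ca, caKey, _ := Issue("constructed-agent-ca", true, nil, nil)       // stands in for ca.crt
	leaf, _, _ := Issue("keysafe5-backend-services", false, ca, caKey) // stands in for tls.crt
	fmt.Println("client cert check:", CheckBackendClientCert(leaf, ca)) // <nil> when both checks pass
}
```

Against a real deployment, parse the PEM held under the Secret's ca.crt and tls.crt keys and pass those certificates to CheckBackendClientCert instead of the generated pair.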