Replacing and revoking certificates and keys

The following third-party components enable KeySafe 5 to operate:

  • MongoDB.

  • RabbitMQ.

It is strongly recommended that all communication between the KeySafe 5 central management platform, the KeySafe 5 Agent, and these third-party components takes place over mutually-authenticated secure channels. The certificates, and the private keys associated with them, that must be configured to secure these channels are described in the KeySafe 5 Installation Guide. The operator of the KeySafe 5 system should follow industry-standard PKI practice for the whole lifecycle (issuance, rotation, expiry and revocation) of the certificates that secure the KeySafe 5 system’s mutually-authenticated secure channels.

Replace a KeySafe 5 secure channel certificate

A client or server certificate that has exceeded its cryptoperiod has expired. An expired certificate, together with its associated private key, must be replaced.

If it is suspected that the private key of a client or server certificate has been compromised, the certificate and its key must be replaced immediately, and the certificate must also be revoked where its issuing CA supports revocation. Replacement alone does not stop a holder of the compromised key from authenticating with the old certificate until it expires; revocation closes that window, provided the peers that validate the certificate check the CA's CRL or OCSP responder.

Replace operations must be performed by a trusted administrator with sufficient permissions to access the location of the certificate and its private key. Certificates and their associated private keys are described in the KeySafe 5 Installation Guide.

To replace a certificate:

  1. Halt the KeySafe 5 system active service.

  2. Generate a new private key and a new certificate for each certificate that is to be replaced. Do not reuse the old private key.

  3. Load the new certificate and private key onto the KeySafe 5 system or the appropriate third-party component.

  4. Test the newly loaded certificate to ensure the associated secure channel is working correctly: confirm that the certificate chains to the CA trusted by the peer, that it is within its validity period, that the loaded private key matches it, and that the mutually-authenticated channel is established.

  5. Bring the KeySafe 5 system back into active service.

If the replaced certificate also needs to be revoked:

  1. Request that the owner of the root or intermediate certificate which signed the replaced certificate either:

    • Create or update the appropriate Certificate Revocations List (CRL), or

    • Update their OCSP information.
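The following script is an added example, not part of the KeySafe 5 documentation or of the product itself. It builds a throwaway CA and uses OpenSSL to walk through the parts of the two procedures above that can be checked at the command line: generating a replacement key pair and certificate (step 2 of the replace procedure), the checks that belong in step 4 (validity period, key/certificate match, chain to the trusted CA), and the CRL check an operator performs once the CA owner has revoked the old certificate. The CA, the subject name keysafe5-agent.example.internal and all file names are constructed for the example; in a real deployment the certificates are issued by the operator's own PKI and installed in the locations given in the KeySafe 5 Installation Guide.

```shell
#!/bin/sh
# Added example for the certificate replacement and revocation procedures.
# Everything here (CA, subject names, file names) is constructed for the
# example; it is not KeySafe 5 code and does not touch a real installation.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Constructed issuing CA standing in for the operator's PKI.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example KeySafe5 Issuing CA" \
    -keyout ca.key -out ca.pem >/dev/null 2>&1

# Issue a certificate for a subject, signed by the constructed CA.
# $1 = file basename, $2 = CN, $3 = validity in days
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
    openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
        -sha256 -days "$3" -out "$1.pem" >/dev/null 2>&1
}

# "old" is the certificate being replaced (about to expire); "new" is the
# replacement with a fresh private key, as in step 2 of the procedure.
issue_cert old "keysafe5-agent.example.internal" 1
issue_cert new "keysafe5-agent.example.internal" 365

# Step 4 check: returns 0 if the certificate stays valid for at least $2 seconds.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Step 4 check: returns 0 if private key $2 matches the public key in cert $1.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Step 4 / revocation check: returns 0 if cert $1 chains to the trusted CA
# and, when a CRL file is given as $2, has not been revoked.
chain_ok() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile ca.pem -crl_check -CRLfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile ca.pem "$1" >/dev/null 2>&1
    fi
}

# Revocation: what the CA owner does when asked to update the CRL. The
# minimal "openssl ca" configuration below is part of the constructed CA.
cat > ca.cnf <<EOF
[ ca ]
default_ca = example_ca
[ example_ca ]
dir = $WORK
database = $WORK/index.txt
new_certs_dir = $WORK
certificate = $WORK/ca.pem
private_key = $WORK/ca.key
default_md = sha256
default_crl_days = 30
EOF
: > index.txt
openssl ca -config ca.cnf -revoke old.pem >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1

# Summary of the checks an operator would run before returning the system
# to service (the exit codes are what matter when this is scripted).
report() {
    if cert_valid_for new.pem 2592000 && key_matches_cert new.pem new.key \
        && chain_ok new.pem crl.pem && ! chain_ok old.pem crl.pem; then
        echo "replacement certificate OK; old certificate revoked"
    else
        echo "certificate checks FAILED"
        return 1
    fi
}
report
```

The 2592000-second (30 day) threshold passed to cert_valid_for is an arbitrary operational margin; choose one that leaves enough time to complete a replacement before expiry. Note that the final chain_ok call only rejects the old certificate because a CRL is supplied: a peer that does not check the CRL or an OCSP responder would still accept it, which is why revocation must be paired with revocation checking on the validating side.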