Chapter 1: About This Manual

AKM Certificate Manager

AKM automatically generates all certificates and private keys needed for client connections. However, the AKM Certificate Manager can also be used to generate a new private CA certificate and new client and admin certificates if needed. This standalone Windows application is separate from the built-in certificate management found in the AKM Administrative Menu. The AKM Certificate Manager described in this document should be used only in unique situations with special PKI needs, and it is suggested that you work with the Townsend Security Technical Support team when using this tool. Typically all certificate needs can be met using the built-in Certificate Manager.

Who is this for?

This guide is designed to help System Administrators and Crypto Officers create certificates and private keys for use with the AKM server. It is not intended for use as a general certificate authority and should only be used with AKM. This guide covers installing AKM Certificate Manager, creating a certificate authority (CA) certificate, creating client and admin certificates, signing a Certificate Signing Request (CSR), backing up certificates, and replacing certificates.

Security notice

Private key files must be protected during creation, distribution, and storage to prevent loss. The loss of these files will compromise the security of the AKM server. Depending on the file format, the private key files may be bundled with a certificate or they may be separate files. Transfer the private key files by sharing them over a secure network, placing them in a password-protected zip file, sending them using SFTP, or another secure method. Use the same level of care you would employ to protect encryption keys, including encryption. In the event the private keys are compromised or lost, you should immediately replace the certificate authority on the AKM server and all client certificates in that chain of trust. See Chapter 9: Replace Certificates on the AKM Server for more information.

Limitations

The OpenSSL application for X509 certificates includes a set of options in a category called “trust settings”. These options are experimental and are not currently supported by Alliance Key Manager.

Other resources

The following documents provide additional information on the installation and use of Alliance Key Manager:

These and other resources are available on the AKM Supplemental.

Notices

This product and documentation is covered by U.S. and International copyright law. This product may incorporate software licensed under one or more open source license agreements. Government users please note that this product is provided under restricted government use license controls. Please refer to the AKM End User License Agreement for more information.

Change log

The following table provides information on the changes to this documentation:

Version Date Description
2.1.13.001 7/19/2012 Initial release.
2.1.13.002 9/10/2012 Add additional text on client certificates.
3.0.0.001 1/31/2014 Documentation name change to reflect application name (from Windows OpenSSL Certificate Utility) and updates for AKM 3.0.
3.0.0.002 3/4/2014 Updates. Add screenshots. Add chapters on importing a CA certificate, backing up certificates, and replacing certificates on the AKM server. Add note on ready to use implementations.
3.0.0.003 12/18/2014 Update “Who is this for?” section to only apply to HSM and Cloud HSM deployments.
4.0.0.001   Update for use as an optional certificate generator.
4.5.0.001 5/17/2018 New intro

Chapter 2: Preparation

Pre-requisites

The minimum operating system requirement is Windows XP. AKM Certificate Manager requires the following minimum system resources: 32 MB RAM, 200 MHz CPU, and 20 MB hard drive space.

The recommended requirements are Windows 7 (all versions) and the following system resources: 128 MB RAM, 500 MHz CPU, and 50 MB hard drive space.

Install Java

Java version 1.2 or later is required. You can download Java from the following website:

http://java.com/en/

If you are running 64-bit Windows, you will need to take the following steps to set your Java path variables:

  1. From the Start menu, right-click Computer and select Properties.

  2. Click Advanced System Settings. Under the Advanced tab click Environment Variables.

  3. Under System variables, highlight the variable Path and click Edit.

  4. In the Variable Value field append ;C:\Program Files (x86)\Java\jre7\bin to the end of the string. Note that this path will vary depending on what version of Java you are running.

  5. Continue to click OK to exit.

Java is required for creating administrative certificates and must be present. Changing any of the install directories during the setup will result in program errors.

Chapter 3: Install AKM Certificate Manager

The AKM Certificate Manager install file is located in the following directory on the AKM Supplemental:

AKM_Supplemental\Certificate_Management\AKM_Certificate_Manager

Double-click AKMCertificateManager-[version].exe to begin the installation. You may receive a warning message about the application and you should select the option to run the program.

The Setup wizard will start. Click Next. Make a note of the destination folder.

IMPORTANT: Do not alter this destination path.

Click Next to continue.

Note the name of the Start menu folder and click Install (do not change the default). Click Finish to exit the wizard.

Installed components

If your system does not have the following files, you will be prompted to install them after the AKM Certificate Manager runs:

  • vcredist_x86.exe (Microsoft Visual C++ Redistributable)

If you receive error messages when trying to run OpenSSL, installing this package will likely fix the problem. This package only works with Windows 2000 and later. Although a newer version of this installer exists, this is the correct version to install.

Chapter 4: Start AKM Certificate Manager

Open AKM Certificate Manager by clicking the appropriate link in your Windows Start menu All Programs list, or the icon on your desktop or Start Screen. A command shell will open and AKM Certificate Manager will begin a check for a certificate authority (CA) certificate already present on your workstation.

If a CA certificate is not present, you will be prompted to begin certificate generation:

[screenshot]

Press any key to continue.

SECURITY ALERT: The certificate files, private keys, client certificates, and Java key store files must be protected during creation, distribution, and storage to prevent loss. The loss of these files will compromise the security of the AKM server. Transfer the certificate files by sharing them over a secure network, placing them in a password-protected zip file, sending them using SFTP, or using another secure method. Use the same level of care you would use to protect encryption keys from loss, including encryption. In the event the private keys are compromised or lost, you should immediately replace the certificate authority on the AKM server and all client certificates in that chain of trust. See Chapter 9: Replace Certificates on the AKM Server for more information.

Create certificates needed for AKM

You will now begin the process to create certificates needed for AKM, including a new CA certificate, two admin (Crypto Officer) certificates, a server certificate and private key, and KEK and Auth certificates and private keys. First you will create the new CA certificate.

IMPORTANT: The only special characters allowed in the creation of the CA certificate are the @ symbol as well as commas and periods. Using any other special characters will result in an error.

Set the validity period for the CA certificate

The following pane is displayed:

[screenshot]

Enter the number of days (without commas) for the validity period of the new CA certificate. Type y to confirm or n to re-enter the value.

NOTE: For IBM i compatibility the maximum value is 7300 days. If the number is greater than 7300 days, you will be asked to confirm the value. Enter y to confirm or n to re-enter the value.

Enter the locality information for the CA certificate Distinguished Name (DN)

The following pane is displayed:

[screenshot]

Enter the country name (two characters) and press Enter.

Enter the full name of the state or province and press Enter.

Enter the city name and press Enter.

Enter the company information for the CA certificate Distinguished Name (DN)

The following pane is displayed:

[screenshot]

Enter the company name and press Enter.

Enter the department and press Enter.

Enter the company website URL and press Enter.

Enter the AKM server name. This is the Common Name to be assigned to the key server. Press Enter.

IMPORTANT: This is the name of the network-assigned address of the server unit. It is also known as the Fully Qualified Domain Name (FQDN) or Canonical Name (CNAME) for the server unit.

Enter the email address of the person in charge of the certificates for the key server. Press Enter.

The following pane is displayed:

[screenshot]

Take a screenshot or write down the values you enter here, as you will need them when creating client certificates or Certificate Signing Requests (CSRs) to be used with AKM.

Enter y to confirm or n to re-enter the values for the Distinguished Name.

The CA certificate and two admin certificates signed by the CA certificate will now be created.

Assign passwords

The following pane is displayed:

[screenshot]

Enter a password for the CA certificate Java truststore file if one is desired. Although the AKM Administrative Console supports a truststore password, one is not required. Press Enter.

NOTE: Spaces and the following special characters are not allowed in passwords:

! (exclamation point), & (ampersand), ^ (caret), < (less than), > (more than), | (bar), and " (quotation mark).

The following pane is displayed:

[screenshot]

Enter a password for the admin certificate Java keystore file. Two admin certificate keystores will be created, both using the password entered in this step. It is recommended that the assigned password be recorded and stored in a password manager or other secure location. Press Enter.

NOTE: Spaces and the following special characters are not allowed in passwords:

! (exclamation point), & (ampersand), ^ (caret), < (less than), > (more than), | (bar), and " (quotation mark).

The following pane is displayed:

[screenshot]

You are now finished creating the certificates needed for AKM. The server certificate and private key and KEK and Auth certificates and private keys are created automatically. Type y to open the new certificates folder in Windows Explorer or type n to quit AKM Certificate Manager.

Next steps

You can now give the following certificates to your System Administrator to upload to the AKM server via the web interface:

  • CA certificate in PEM format (CASelfSignedCert.pem)

  • KEK and Auth certificates and private keys (AuthSignedCert.pem, AuthPrivKey.pem, KekSignedCert.pem, KekPrivKey.pem)

  • Server certificate and private key (AKMServerPrivKey.pem, AKMServerSignedCert.pem)

You can now give the following certificates and any associated passwords to the Crypto Officer(s) who will create and manage encryption keys using the AKM Administrative Console:

  • CA certificate in JKS format (truststore.jks)

  • Admin certificates (admin_one_keystore.jks, admin_two_keystore.jks)

See Chapter 6: Location of New Certificate Files for more information on these files.

SECURITY ALERT: The certificate files, private keys, client certificates, and Java key store files must be protected during creation, distribution, and storage to prevent loss. The loss of these files will compromise the security of the AKM server. Transfer the certificate files by sharing them over a secure network, placing them in a password-protected zip file, sending them using SFTP, or using another secure method. Use the same level of care you would use to protect encryption keys from loss, including encryption. In the event the private keys are compromised or lost, you should immediately replace the certificate authority on the AKM server and all client certificates in that chain of trust. See Chapter 9: Replace Certificates on the AKM Server for more information.

Once you have completed initial creation of the CA certificate and two admin certificates, AKM Certificate Manager will display the following options when opened:

[screenshot]

Option 1) Open the directory with the certificate files (AKM_Certs). See Chapter 6: Location of New Certificate Files.

Option 2) Sign a Certificate Signing Request (CSR). See Chapter 7: Sign a Certificate Signing Request.

Option 3) Create a new certificate pair. See Chapter 5: Create Admin and Client Certificates.

Chapter 5: Create Admin and Client Certificates

Two admin (Crypto Officer) certificates are generated during initial certificate creation. To create additional admin certificates, see the section below. To create client certificates for client applications to authenticate to the AKM server for key retrieval and remote encryption, see Create client certificates.

Create additional admin certificates

Open AKM Certificate Manager and enter option 3. The following pane is displayed:

[screenshot]

Enter option 1 to Generate new Admin Certificate pair. The following pane is displayed:

[screenshot]

Enter the admin’s Common Name value (user name), without spaces.

Enter the admin’s email address.

IMPORTANT: Do not leave any of these fields blank, as doing so will result in an error.

Enter y to confirm or n to re-enter the values. The following pane is displayed:

[screenshot]

Enter the number of days (without commas) for the validity period of the new certificate pair. Enter y to confirm or n to re-enter the value. For IBM i compatibility the maximum value is 7300 days. The new admin certificate will now be created. The following pane is displayed:

[screenshot]

Enter a passphrase for the new admin certificate Java keystore file.

IMPORTANT: Spaces and the following special characters are not allowed in passwords:

! (exclamation point), & (ampersand), ^ (caret), < (less than), > (more than), | (bar), and " (quotation mark).

SECURITY ALERT: Passphrases for the keystore are highly recommended.

Press any key to return to the main menu.

Create client certificates

To create client certificates, open AKM Certificate Manager and enter option 3. The following pane is displayed:

[screenshot]

Enter option 2 to Generate new Client Certificate pair. The following pane is displayed:

[screenshot]

IMPORTANT: Do not leave any of these fields blank, as doing so will result in an error.

Enter the key access (User) name.

Enter the key access (Group) name.

IMPORTANT: Take note of the User and Group name, as these values must be duplicated in the User and Group fields when defining key access policy in the AKM Administrative Console.

Enter the client’s email address.

Enter y to confirm or n to re-enter the values. The following pane is displayed:

[screenshot]

Enter the number of days (without commas) for the validity period of the new certificate pair. Enter y to confirm or n to re-enter the value. For IBM i compatibility the maximum value is 7300 days. The following pane is displayed:

[screenshot]

Enter a nickname (without spaces) for the client certificate. The client certificate will now be created. The following pane is displayed:

[screenshot]

Assign a password for the PKCS12 certificate bundle.

IMPORTANT: Passwords are not required.

To create additional client certificates, return to the main menu and follow the steps listed above.

You are now ready to give client certificates and any associated passwords to Key Clients performing key retrieval and remote encryption in their applications.

SECURITY ALERT: The certificate files, private keys, client certificates, and Java key store files must be protected during creation, distribution, and storage to prevent loss. The loss of these files will compromise the security of the AKM server. Transfer the certificate files by sharing them over a secure network, placing them in a password-protected zip file, sending them using SFTP, or using another secure method. Use the same level of care you would use to protect encryption keys from loss, including encryption. In the event the private keys are compromised or lost, you should immediately replace the certificate authority on the AKM server and all client certificates in that chain of trust. See Chapter 9: Replace Certificates on the AKM Server for more information.

Chapter 6: Location of New Certificate Files

The new certificates and container files are now located in the Windows user profile directory. For example:

C:\Users\[UserName]\AKMCerts\AKM_Certs

In this directory and sub-directories you will find the generated CA certificate and all of the required certificates, private keys, and Java keystore files needed for setting up the AKM server, performing key management tasks via the AKM Administrative Console, and performing key retrieval and remote encryption operations in client applications.

SECURITY ALERT: In order to support dual control for the key server, two pairs of admin keys (for two Crypto Officers) are generated automatically. Both key pairs are valid for use with the AKM Administrative Console. If only one Crypto Officer is needed, either key can be used.

List of directories and files

The following is a list of the created directories and created certificate files in path \AKM_Certs\:

admin_keypair_one\

  • admin_one_keystore.jks This is the first Java keystore container with the admin certificate and private key file.

admin_keypair_two\

  • admin_two_keystore.jks This is the second Java keystore container with the admin certificate and private key file.

certificate_authority\

  • CASelfSignedCert.der This is the CA self-signed certificate in DER or CER format.

  • CASelfSignedCert.pem This is the CA self-signed certificate in PEM or Base64 format.

  • CATrustStore.jks This is the Java truststore container file for the CA self-signed certificate.

client_name\ (only available after client certificate pairs have been created)

  • der\client_name_cert.der (DER/CER format client signed certificate)

  • der\client_name_key.der (DER/CER format client private key file)

  • keystore\client_name_cert_keystore.jks (Java keystore container with the client signed certificate and private key file)

  • p12\client_name_certBundle.p12 (PKCS12 bundle for client private key, signed certificate and CA self-signed certificate)

  • pem\client_name_cert.pem (PEM/Base64 format client signed certificate)

  • pem\client_name_key.pem (PEM/Base64 format client private key file)

enc_keypairs\ (These certificate pairs will be uploaded to the AKM server via the web interface):

  • AuthPrivKey.pem

  • AuthSignedCert.pem

  • KekPrivKey.pem

  • KekSignedCert.pem

server_keypair\ (These server certificate pairs will be uploaded to the AKM server via the web interface):

  • AKMServerPrivKey.pem

  • AKMServerSignedCert.pem
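Before the files listed above are distributed, it is worth confirming that they belong together. The following POSIX shell script is an added example and is not part of AKM Certificate Manager; it assumes the openssl command-line tool is on PATH, and takes the CA certificate, a client certificate and its private key (for example CASelfSignedCert.pem, pem\client_name_cert.pem and pem\client_name_key.pem copied to the machine running the check).

```shell
#!/bin/sh
# Added example, not part of AKM Certificate Manager. Sanity-check a client
# certificate pair from AKM_Certs before it is handed to a Key Client.
# Assumes the openssl command-line tool is on PATH.

AKM_MAX_DAYS=7300   # IBM i compatibility limit stated in this manual

# akm_check_client_cert CA_PEM CLIENT_CERT_PEM CLIENT_KEY_PEM
# Returns 0 when every check passes, 1 otherwise (the reason goes to stderr).
akm_check_client_cert() {
    ca="$1"; cert="$2"; key="$3"

    # 1. The client certificate must chain to the CA that the AKM server trusts.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca" >&2
        return 1
    fi

    # 2. The private key must belong to the certificate: compare the public key
    #    embedded in the certificate with the one derived from the key file.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert" >&2
        return 1
    fi

    # 3. Validity must not exceed the 7300-day limit. -checkend exits 0 when the
    #    certificate is still valid N seconds from now, so exit 0 here means the
    #    certificate outlives the limit.
    if openssl x509 -in "$cert" -noout -checkend $((AKM_MAX_DAYS * 86400)) >/dev/null 2>&1; then
        echo "FAIL: $cert is valid for more than $AKM_MAX_DAYS days" >&2
        return 1
    fi

    # Record what was checked, for the distribution log.
    echo "OK: $cert"
    openssl x509 -in "$cert" -noout -subject -enddate
    return 0
}
```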

Chapter 7: Sign a Certificate Signing Request

Place a valid CSR file with the exact name new.csr in the AKMCerts\to_sign\ directory.

Open AKM Certificate Manager. A command shell opens and checks for a CA certificate. If no CA certificate is present, you will be prompted to begin certificate generation. See Chapter 4: Start AKM Certificate Manager.

If a CA certificate is present, AKM Certificate Manager will display the following options:

[screenshot]

Enter option 2 to Sign a CSR. The following pane is displayed:

[screenshot]

Enter option 1 for Sign a CSR to sign the file new.csr.

IMPORTANT: If new.csr is not present, the option to open the AKMCerts\to_sign directory will be presented, and the command interface will pause until the file has been placed there.

The following pane is displayed:

[screenshot]

Enter a name for the new certificate file.

IMPORTANT: This will also be the name for the path of the new signed certificate folder.

The following pane is displayed:

[screenshot]

Enter a number of days (without commas) for the validity period for the new signed certificate file.

IMPORTANT: If IBM i is being used, do not enter a value larger than 2000.

Enter y to confirm or n to re-enter the value.

The new certificates will be in the following directory and will contain both PEM and DER format certificate files:

\AKMCerts\AKM_Certs\newname_certs 

The originating CSR will be renamed to avoid trying to reassign a CSR. The new name is in the format:

csr.signed_on_%DATE%_%TIME%

The following information is displayed, showing the location of the newly signed certificates:

INFO : CSR SUCCESSFULLY SIGNED
New signed cert files in path :
<\Users\certadmin\AKMCerts\AKM_Certs\newlysigned_certs\>
Copy of signed csr :
<C:\Users\certadmin\AKMCerts\to_sign\csr.signed_on_07092012_514>
...
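A CSR should be inspected before it is dropped into to_sign\ as new.csr and signed with the CA. The following POSIX shell script is an added example, not part of AKM Certificate Manager; it assumes openssl is on PATH, a 2048-bit minimum key size, and that the CSR's C, ST, L and O attributes must match the CA's, as the Chapter 4 note about recording the CA's DN values implies.

```shell
#!/bin/sh
# Added example, not part of AKM Certificate Manager. Gate a CSR before it is
# placed in AKMCerts\to_sign\ as new.csr. Assumes openssl is on PATH.

AKM_MIN_BITS=2048   # assumed minimum public key size for this check

# dn_field FILE CMD ATTR: print one subject attribute (e.g. O) of a certificate
# (CMD=x509) or a CSR (CMD=req). sep_multiline prints one attribute per line.
dn_field() {
    openssl "$2" -in "$1" -noout -subject -nameopt sep_multiline,sname 2>/dev/null \
        | sed -n "s/^ *$3=//p" | head -n 1
}

# akm_check_csr CA_PEM CSR_FILE: returns 0 if the CSR is safe to sign, 1 otherwise.
akm_check_csr() {
    ca="$1"; csr="$2"

    # 1. Proof of possession: the CSR's self-signature must verify with the
    #    public key it carries, otherwise the requester may not hold the key.
    if ! openssl req -in "$csr" -noout -verify >/dev/null 2>&1; then
        echo "FAIL: $csr is not a validly signed CSR" >&2
        return 1
    fi

    # 2. Key size: refuse weak keys before the CA vouches for them.
    bits=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1)
    if [ -z "$bits" ] || [ "$bits" -lt "$AKM_MIN_BITS" ]; then
        echo "FAIL: key size ${bits:-unknown} is below $AKM_MIN_BITS bits" >&2
        return 1
    fi

    # 3. Locality and company attributes must match the CA's DN.
    for attr in C ST L O; do
        if [ "$(dn_field "$ca" x509 "$attr")" != "$(dn_field "$csr" req "$attr")" ]; then
            echo "FAIL: $attr in $csr does not match the CA certificate" >&2
            return 1
        fi
    done

    # 4. A Common Name must be present, since the signed certificate is tied to it.
    cn=$(dn_field "$csr" req CN)
    if [ -z "$cn" ]; then
        echo "FAIL: $csr has no Common Name" >&2
        return 1
    fi
    echo "OK: $csr may be signed (CN=$cn, $bits-bit key)"
    return 0
}
```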

Chapter 8: Back up Certificates

You should back up the certificates used by the AKM server and store the copies securely. Locate the certificate files in C:\Users\<UserName>\AKMCerts\AKM_Certs and back these files up securely.


Chapter 9: Replace Certificates on the AKM Server

In the event that certificates are compromised or lost, you will need to replace the certificate authority on the AKM server and all client certificates in that chain of trust.

Back up secret keys

Do a secret key backup before continuing. This backs up the Key Encryption Key (KEK) and Authentication (Auth) Key. The KEK and Auth Key protect the AKM key database and must remain on the AKM server. See the AKM Server Management Guide for information on doing a secret key backup.

Delete certificates from the AKM server

Log in to the web interface and click on the link for File Manager in the navigation pane. Remove the following certificates from the AKM server:

  • etc/AKM/CACerts/CASelfSignedCert.pem

  • etc/AKM/Certs/AKMServerSignedCert.pem

  • etc/AKM/PrivateKeys/AKMServerPrivKey.pem

NOTE: If you originally created these certificates and private keys using a method other than the AKM Certificate Manager application, the names of these files may be different.

IMPORTANT: Do not delete the Auth and KEK certificates and private keys. These must remain on the AKM server.

Create new certificates

IMPORTANT: If you have previously created certificates on your workstation using AKM Certificate Manager, you will need to delete or move these certificate files before proceeding. Navigate to the AKMCerts folder located in the C:\Users\[UserName] directory. Delete or move the AKMCerts folder.

Follow the steps in Chapters 4 and 5 to create a new CA certificate, server certificates, new admin certificates, and new client certificates. Distribute admin certificates to your Crypto Officer(s) and client certificates to your Key Clients.

Upload new certificates to the AKM server

Follow the steps in the AKM Server Management Guide for uploading the CA certificate, server signed certificate, and server private key to the AKM server.

NOTE: If you originally created these certificates and private keys using a method other than AKM Certificate Manager, you will need to update the AKM configuration file (akm.conf) with the new file names.

IMPORTANT: Do not upload the Auth and KEK certificates and private keys to the AKM server.

Restart the AKM server

In the web interface, click on the link for Custom Commands in the navigation pane. Click the Stop AKM button. Click Start AKM. Click Set Permissions.

Roll the KEK and Auth Keys

Click on the link for Custom Commands in the navigation pane. Under the “Rollover AKM KEK & Auth Keys” button, enter “DELETE-KEK-AUTH” in the Confirmation field. Click Rollover AKM KEK & Auth Keys.

Chapter 10: Back up or Uninstall AKM Certificate Manager

Back up AKM Certificate Manager

Navigate to the \Program Files\Townsend Security\AKM Certificate Manager directory, save all files and sub-directories, and copy them to a secure location.

Uninstall AKM Certificate Manager

The uninstall file is located at \Program Files\Townsend Security\AKM Certificate Manager and is called uninst.exe. Double-click this file to uninstall AKM Certificate Manager.

All of the files in this directory will be deleted. However, the certificate files in the AKMCerts folder will remain intact unless they are moved or manually deleted.