
Configure Certificate Issuing System in Certificate Manager

This article is valid for Certificate Manager 8.1 and later.

The Certificate Issuing System (CIS) in Smart ID Certificate Manager (CM) performs the signing of certificates and certificate revocation lists. CIS creates, uses, and deletes CA keys on demand from the Certificate Factory (CF).

This article describes how to configure the CIS. The description in the article is for Windows.


Configuration files

Configuration files for CIS

The configuration options for the CIS are set up in configuration files that are edited with a text editor. The configuration files are located in the directory <configuration_root>/config.

  • In the cis.conf configuration file, there are various sections with configuration parameters for the CIS and one section for each of the configured signing devices. The parameters of cis.conf are well commented in the file.
  • The algorithms.conf configuration file is where “friendly names” are mapped to object identities of available signature and key algorithms. The syntax is described in the file.

Prerequisites

Date, time and time zone settings (in the Control Panel) must be the same on both the CIS and the CF (Certificate Factory, that is, the CM servers).

Step-by-step instruction

Option: Disable the CIS audit log

All certificate and CRL signing requests are optionally logged in the CIS. This log is digitally signed.

  1. To disable the audit log, use the parameter cis.audit.logenabled in cis.conf.
  2. To specify the key to be used when signing the log entries, use cis.audit.logsignkey.

Configure TLS authentication between CIS and CF

You can configure two-way TLS authentication for the connection between a CIS and the Certificate Factory (CF). 

In such a configuration, CIS uses a TLS server certificate and a trust store that determines which TLS client certificates to accept. CF uses a TLS client certificate and uses its database as the trust store that determines which TLS server certificates to accept. These certificates and their corresponding keys can be stored either in soft tokens or in HSMs.

  1. Issue a TLS server certificate that will be used as server TLS certificate by CIS. This certificate can be issued either into a soft-token PKCS#12 file, or by using a key in an HSM. For an example of how to issue certificates, see "Changing TLS Server Certificate" in the "Systems Administrators Guide", excluding the parts about changing any configuration files.
  2. Update cis.conf so that CIS uses the issued TLS server certificate. To do this, read the descriptions in cis.conf for the following configuration parameters, and update them appropriately:
    • ssl.file
    • ssl.cert
    • ssl.tokenlabel
    • ssl.pin
    • ssl.nopin
    • pkcs11.1
  3. Issue a TLS client certificate that will be used as TLS client certificate by CF when connecting to CIS. For an example of how to issue certificates, see "Changing TLS Server Certificate" in the "Systems Administrators Guide", excluding the parts about changing any configuration files. This certificate can also be issued either into a soft-token PKCS#12 file, or by using a key in an HSM.
  4. Update the main configuration file, cm.conf, so that CF uses the issued TLS client certificate when connecting to CIS. To do this, read the descriptions in cm.conf for the following configuration parameters, and update them appropriately:
    • cis.ssl.file
    • cis.ssl.pin
    • cis.ssl.nopin
    • cis.ssl.tokenlabel
    • cisfailover.<n>.cis.ssl.file
    • cisfailover.<n>.cis.ssl.cert
    • cisfailover.<n>.cis.ssl.tokenlabel
    • cisfailover.<n>.cis.ssl.pin
    • cisfailover.<n>.cis.ssl.nopin
    • pkcs11.1
  5. Find the issuer of the TLS client certificate created in the step above.
    1. Export this certificate to a file.
    2. Update the trust store that CIS uses to validate incoming TLS client certificates by placing the exported issuer certificate file into the following directory: <configuration_root>/config/cistrust/.
  6. To validate the TLS server certificate presented by CIS, CF will examine all existing CAs, and consider the certificate trusted if the chain validates, and is issued by a CA that CF recognizes. This is done automatically and no action is required.
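
To confirm step 5 before restarting the services, the following PowerShell check (an added example, not part of Certificate Manager or its documentation) tests whether the issuer of the CF TLS client certificate is present in the CIS trust directory and whether the certificate is inside its validity period on this machine's clock. The file paths, the function name Test-CisTrustsClientCert, and the assumption that the certificates are exported as DER or Base64 .cer files are illustrative.

```powershell
# Added example. The paths below are placeholders, not values from the product.
$ClientCertPath = 'C:\temp\cf-tls-client.cer'  # hypothetical export of the CF TLS client certificate
$TrustDir       = 'C:\cm\config\cistrust'      # stands in for <configuration_root>/config/cistrust

function Test-CisTrustsClientCert {
    param([string]$ClientCertPath, [string]$TrustDir)
    $x509 = 'System.Security.Cryptography.X509Certificates'

    $client = New-Object "$x509.X509Certificate2" -ArgumentList $ClientCertPath

    # Load every readable certificate file in the trust directory
    # (assumption: DER or Base64 encoded .cer files).
    $trusted = @(Get-ChildItem -Path $TrustDir -File | ForEach-Object {
        $file = $_
        try { New-Object "$x509.X509Certificate2" -ArgumentList $file.FullName }
        catch { Write-Warning "Not a readable certificate: $($file.FullName)" }
    })

    # Build the chain offline: no revocation lookups, and no requirement for a
    # Windows-trusted root, because the question is only whether the trust
    # directory holds the direct issuer of the client certificate.
    $chain = New-Object "$x509.X509Chain"
    $chain.ChainPolicy.RevocationMode    = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    foreach ($c in $trusted) { [void]$chain.ChainPolicy.ExtraStore.Add($c) }
    $built = $chain.Build($client)

    # Element 0 is the client certificate; element 1, if present, is the issuer
    # the chain engine selected. It must be one of the files in the trust directory.
    $issuer = if ($chain.ChainElements.Count -ge 2) { $chain.ChainElements[1].Certificate }
    $now = Get-Date
    [pscustomobject]@{
        ClientSubject = $client.Subject
        ClientIssuer  = $client.Issuer
        IssuerInTrust = [bool]($issuer -and ($trusted.Thumbprint -contains $issuer.Thumbprint))
        ValidNow      = ($now -ge $client.NotBefore) -and ($now -le $client.NotAfter)
        ChainBuilt    = $built
        ChainStatus   = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

Test-CisTrustsClientCert -ClientCertPath $ClientCertPath -TrustDir $TrustDir
```

IssuerInTrust and ValidNow should both be True; a ChainStatus containing NotSignatureValid or NotTimeValid points to a wrong issuer file or to the clock mismatch covered under Prerequisites.
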

After the configuration

  1. Restart the CIS service after saving the changes.
  2. If CIS is running within the CF service (see Configure the Certificate Factory in Certificate Manager), also restart CF after the CIS configuration changes.