You can configure two-way TLS authentication for the connection between a CIS and the Certificate Factory (CF).
In such a configuration, CIS presents a TLS server certificate and keeps a trust store that decides which TLS client certificates it accepts; CF presents a TLS client certificate and uses its own database of CAs as the trust store that decides which TLS server certificates it accepts. The certificates and their private keys can be stored either in soft tokens (PKCS#12 files) or in HSMs.
- Issue a TLS server certificate that CIS will present as its TLS server certificate. This certificate can be issued either into a soft-token PKCS#12 file, or by using a key in an HSM. For an example of how to issue certificates, see "Changing TLS Server Certificate" in the "Systems Administrators Guide", excluding the parts about changing any configuration files.
- Update cis.conf so that CIS uses the issued TLS server certificate. To do this, read the descriptions in cis.conf for the following configuration parameters, and update them appropriately:
ssl.file
ssl.cert
ssl.tokenlabel
ssl.pin
ssl.nopin
pkcs11.1
- Issue a TLS client certificate that CF will present as its TLS client certificate when connecting to CIS. This certificate can likewise be issued either into a soft-token PKCS#12 file, or by using a key in an HSM. For an example of how to issue certificates, see "Changing TLS Server Certificate" in the "Systems Administrators Guide", excluding the parts about changing any configuration files.
- Update the main configuration file, cm.conf, so that CF uses the issued TLS client certificate when connecting to CIS. To do this, read the descriptions in cm.conf for the following configuration parameters, and update them appropriately:
cis.ssl.file
cis.ssl.pin
cis.ssl.nopin
cis.ssl.tokenlabel
cisfailover.<n>.cis.ssl.file
cisfailover.<n>.cis.ssl.cert
cisfailover.<n>.cis.ssl.tokenlabel
cisfailover.<n>.cis.ssl.pin
cisfailover.<n>.cis.ssl.nopin
pkcs11.1
- Find the issuer of the TLS client certificate created in the step above, that is, the CA certificate that signed it.
- Export this issuer CA certificate to a file.
- Update the trust store that CIS uses to validate incoming TLS client certificates by placing the exported issuer certificate file in the following directory: <configuration_root>/config/cistrust/. CIS then accepts client certificates that chain to an issuer whose certificate is in that directory.
- To validate the TLS server certificate presented by CIS, CF examines all CAs it knows of and considers the certificate trusted if the chain validates up to a CA that CF recognizes. This happens automatically and requires no action.
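The procedure above, worked end to end with OpenSSL as an added example (this is not code from the product or from the "Systems Administrators Guide"): a throwaway issuing CA stands in for the certificate issuance steps, the CIS server certificate and the CF client certificate are packed into PKCS#12 soft tokens, the client certificate's issuer is found and exported into a directory that plays the role of <configuration_root>/config/cistrust/, and both trust directions are then checked with openssl verify. The CA subject, host names, PIN, file names, work directory and the serverAuth/clientAuth extensions are assumptions made for the demonstration. The purpose checks are openssl's; the page does not state how CIS or CF evaluate extended key usage, so treat that part as a sanity check on what you issued rather than a statement about the product.

```shell
#!/bin/sh
# Added example, not code from the product or its documentation: builds a
# throwaway issuing CA, a TLS server certificate for CIS and a TLS client
# certificate for CF as PKCS#12 soft tokens, exports the client certificate's
# issuer the way the procedure describes, and checks both trust directions
# with openssl. Every file name, subject, PIN and directory is an assumption.
set -e

WORK="${WORK:-$(mktemp -d)}"
PIN="${PIN:-changeit}"     # soft-token PIN (what ssl.pin / cis.ssl.pin would hold)

# Issue one certificate. $1 = short name, $2 = subject, remaining arguments =
# X.509v3 extensions, one per argument. "ca" is self-signed; everything else
# is signed by the CA and packed into a PKCS#12 soft token with its chain.
issue() {
    name="$1"; subject="$2"; shift 2
    printf '%s\n' "$@" > "$WORK/$name.ext"
    openssl req -new -config "$WORK/req.cnf" -subj "$subject" \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr"
    if [ "$name" = ca ]; then
        openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
            -days 365 -extfile "$WORK/ca.ext" -out "$WORK/ca.crt"
    else
        openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" \
            -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
            -extfile "$WORK/$name.ext" -out "$WORK/$name.crt"
        openssl pkcs12 -export -in "$WORK/$name.crt" -inkey "$WORK/$name.key" \
            -certfile "$WORK/ca.crt" -name "$name" -passout "pass:$PIN" \
            -out "$WORK/$name.p12"
    fi
}

setup_pki() {
    mkdir -p "$WORK/cistrust"
    # Minimal req config so the run does not depend on a system openssl.cnf;
    # the real subject always comes from -subj.
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' \
        > "$WORK/req.cnf"
    issue ca  "/CN=Example Issuing CA" \
        basicConstraints=critical,CA:TRUE keyUsage=critical,keyCertSign,cRLSign
    issue cis "/CN=cis.example.test" \
        basicConstraints=CA:FALSE keyUsage=critical,digitalSignature \
        extendedKeyUsage=serverAuth subjectAltName=DNS:cis.example.test
    issue cf  "/CN=cf.example.test" \
        basicConstraints=CA:FALSE keyUsage=critical,digitalSignature \
        extendedKeyUsage=clientAuth

    # Find the issuer of the CF client certificate, then export it from the
    # soft token into the directory standing in for
    # <configuration_root>/config/cistrust/.
    openssl x509 -in "$WORK/cf.crt" -noout -issuer
    openssl pkcs12 -in "$WORK/cf.p12" -passin "pass:$PIN" -cacerts -nokeys \
        -out "$WORK/cistrust/issuer.crt"
}

# CIS side: a client certificate is accepted only if it chains to an issuer
# found in the trust directory and is usable for client authentication.
# -no-CApath/-no-CAfile keep the system CA store out of the decision.
cis_accepts_client() {
    cat "$WORK"/cistrust/*.crt > "$WORK/cistrust.pem"
    openssl verify -no-CApath -no-CAfile -purpose sslclient \
        -CAfile "$WORK/cistrust.pem" "$1" >/dev/null 2>&1
}

# CF side: the server certificate must chain to a CA that CF recognizes
# (here the single throwaway CA) and be usable for server authentication.
cf_accepts_server() {
    openssl verify -no-CApath -no-CAfile -purpose sslserver \
        -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

if [ "${1:-}" = run ]; then
    setup_pki
    cis_accepts_client "$WORK/cf.crt"  && echo "CIS accepts the CF client certificate"
    cis_accepts_client "$WORK/cis.crt" || echo "CIS rejects the server certificate as a client certificate"
    cf_accepts_server  "$WORK/cis.crt" && echo "CF accepts the CIS server certificate"
    echo "soft tokens and trust directory are under $WORK"
fi
```

Run it as `sh mtls-check.sh run`. The cis.p12 and cf.p12 files are what ssl.file and cis.ssl.file would point at, with PIN as the corresponding pin value; the cistrust/ directory holds only the exported issuer, which is all CIS needs to accept client certificates from that CA. If you want CIS to accept client certificates from several CAs, place each issuer certificate in the directory; the same trust-directory rule applies.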