

Using Certificates

The CA-related configuration options for Internal and External CA Settings are defined in Settings → PKI Settings and require superuser administrator rights. See Configuring PKI Settings for CA.

Once the initial certificate enrollment has been done, Tectia Manager Internal CA will automatically renew the server host certificates. The Internal Root CA Host certificate validity period and Certificate renew marginal can be configured in Settings → PKI Settings → Internal CAs. The changes in validity period will take effect the next time a new certificate is issued, but the changes in the renewal marginal will take effect immediately (Figure 9.5).

Tectia Manager Internal CA publishes HTTP CRL(s) on port 80 when Tectia Manager is running. An external command can be used to specify a script that will publish the CRL, for example, to LDAP or a backup HTTP server. The CRL Distribution Point(s) are included in the issued host certificates. The default CRL update period is 3 hours and the validity period is 27 hours (3-hour update period, 24-hour marginal). The CRL publishing methods, CRL update period, and CRL next update marginal can be configured in Settings → PKI Settings → Internal CAs (Figure 9.6).


The firewall configuration of the organization must allow the Tectia client-side managed hosts to access the CRL Distribution Points (by default Management Server port 80).
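The CRL timing described above can be monitored from a managed host's side of the firewall. The following is an added example, not part of Tectia Manager: it parses the text printed by `openssl crl -noout -lastupdate -nextupdate` for a CRL fetched from the distribution point and classifies it against the default 3-hour update period and 24-hour marginal. The function names, the `slack` parameter and the sample dates are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Defaults stated on this page; adjust if changed under PKI Settings.
UPDATE_PERIOD = timedelta(hours=3)
NEXT_UPDATE_MARGIN = timedelta(hours=24)

# Constructed sample of `openssl crl -noout -lastupdate -nextupdate` output.
SAMPLE = "lastUpdate=Mar  1 12:00:00 2024 GMT\nnextUpdate=Mar  2 15:00:00 2024 GMT\n"


def parse_crl_dates(text):
    """Return (lastUpdate, nextUpdate) as UTC datetimes from OpenSSL's text output."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("lastUpdate", "nextUpdate"):
            stamp = " ".join(value.split())  # OpenSSL pads single-digit days
            parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
            found[key] = parsed.replace(tzinfo=timezone.utc)
    if len(found) != 2:
        raise ValueError("lastUpdate/nextUpdate not found in CRL output")
    return found["lastUpdate"], found["nextUpdate"]


def crl_status(last_update, next_update, now, slack=timedelta(minutes=15)):
    """Classify a fetched CRL; `slack` (hypothetical) tolerates publishing jitter."""
    if now < last_update:
        return "not-yet-valid"        # monitor clock is behind the CA
    if now >= next_update:
        return "expired"              # margin used up; clients cannot rely on it
    if next_update - last_update != UPDATE_PERIOD + NEXT_UPDATE_MARGIN:
        return "unexpected-validity"  # CA settings differ from the assumed ones
    if now - last_update > UPDATE_PERIOD + slack:
        return "stale"                # an update was missed; margin is shrinking
    return "fresh"


if __name__ == "__main__":
    last, nxt = parse_crl_dates(SAMPLE)
    now = datetime(2024, 3, 1, 16, 0, tzinfo=timezone.utc)
    print(crl_status(last, nxt, now), "- time left before expiry:", nxt - now)
```

A `stale` result means the CRL at the distribution point has not been refreshed within the update period, which leaves the remainder of the 24-hour marginal to restore publishing or firewall access before the CRL expires.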



