SSH

Using Certificates

The CA-related configuration options for Internal and External CA Settings are defined in Settings → PKI Settings and require superuser administrator rights. See Configuring PKI Settings for CA.

Once the initial certificate enrollment has been done, Tectia Manager Internal CA automatically renews the server host certificates. The Internal Root CA host certificate validity period and Certificate renew marginal can be configured in Settings → PKI Settings → Internal CAs. Changes to the validity period take effect the next time a certificate is issued, whereas changes to the renewal marginal take effect immediately (Figure 9.5).

Tectia Manager Internal CA publishes HTTP CRL(s) on port 80 while Tectia Manager is running. An external command can be used to specify a script that publishes the CRL elsewhere, for example to an LDAP directory or a backup HTTP server. The CRL Distribution Point(s) are included in the issued host certificates. The default CRL update period is 3 hours and the default validity period 27 hours (3-hour update period plus 24-hour marginal). The CRL publishing methods, CRL update period, and CRL next update marginal can be configured in Settings → PKI Settings → Internal CAs (Figure 9.6).

Note

The firewall configuration of the organization must allow the Tectia client-side managed hosts to access the CRL Distribution Points (by default Management Server port 80).
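A monitoring check for the CRL timing described above, as an added example that is not Tectia Manager code: it parses the output of `openssl crl -noout -lastupdate -nextupdate` run on a CRL already fetched from the Distribution Point (the sample output here is constructed) and flags a CRL that the Internal CA has not re-published within the 3-hour update period while it is still inside the 24-hour marginal, which is the window in which the publishing hook or the management server can be fixed before managed hosts lose certificate validation. It assumes the PKI settings are at the page defaults.

```python
# Freshness check for a CRL published by the Internal CA (added example,
# not Tectia Manager code). Assumes the page's default PKI settings.
from datetime import datetime, timedelta, timezone

UPDATE_PERIOD = timedelta(hours=3)        # CRL update period (page default)
NEXT_UPDATE_MARGIN = timedelta(hours=24)  # CRL next update marginal (page default)
OPENSSL_TIME = "%b %d %H:%M:%S %Y %Z"     # openssl prints e.g. "Jan  5 09:00:00 2024 GMT"


def parse_openssl_crl_times(text):
    """Return (lastUpdate, nextUpdate) as aware UTC datetimes from openssl output."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("lastUpdate", "nextUpdate"):
            # strptime treats whitespace in the format as "one or more", so the
            # double space openssl emits for single-digit days parses fine.
            found[key] = datetime.strptime(value.strip(), OPENSSL_TIME).replace(tzinfo=timezone.utc)
    if len(found) != 2:
        raise ValueError("openssl output lacks lastUpdate/nextUpdate lines")
    return found["lastUpdate"], found["nextUpdate"]


def check_crl(openssl_output, now_utc_iso):
    """Classify the CRL at the given time (ISO 8601 UTC string, e.g. '2024-01-05T10:00:00').

    fresh   - republished within the update period, as expected
    stale   - still valid but the CA missed a refresh: investigate before expiry
    expired - past nextUpdate; managed hosts can no longer validate host certificates
    """
    last_update, next_update = parse_openssl_crl_times(openssl_output)
    now = datetime.fromisoformat(now_utc_iso).replace(tzinfo=timezone.utc)
    if now >= next_update:
        status = "expired"
    elif now - last_update > UPDATE_PERIOD:
        status = "stale"
    else:
        status = "fresh"
    return {
        "status": status,
        "validity_hours": (next_update - last_update) / timedelta(hours=1),
        "hours_to_expiry": (next_update - now) / timedelta(hours=1),
        # True when the CRL lifetime is not update period + marginal, i.e. the
        # PKI settings differ from the page defaults this check assumes
        "nonstandard_validity": next_update - last_update != UPDATE_PERIOD + NEXT_UPDATE_MARGIN,
    }


if __name__ == "__main__":
    # Constructed sample output; a real check would run openssl on the fetched CRL.
    SAMPLE = "lastUpdate=Jan  5 09:00:00 2024 GMT\nnextUpdate=Jan  6 12:00:00 2024 GMT\n"
    for when in ("2024-01-05T10:00:00", "2024-01-05T13:30:00", "2024-01-06T12:00:00"):
        print(when, check_crl(SAMPLE, when))
```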