Renew the Root CA Certificate
This OKM console function renews the Root CA Certificate, signs it using the specified signature algorithm, and reissues certificates for itself and the other KMAs in the cluster.
Note:
Renewing the Root CA certificate impacts activity in this cluster and makes the current backups obsolete. Always plan the renewal in advance.
Available to: Security Officer
This menu option only appears with replication version 16 or later.
SHA Compatibility
Certain types of agents (encryption endpoints) are incompatible with some versions of SHA.
Most types of OKM encryption endpoints support SHA-2 hashing algorithms and X.509v3 certificates. You can enroll agents associated with these encryption endpoints in an OKM cluster where the Root CA certificate is an X.509v3 certificate that is signed using a SHA-2 hashing algorithm (such as SHA-256).
Some types of OKM encryption endpoints do not support SHA-2 hashing algorithms and X.509v3 certificates. You cannot enroll agents associated with these encryption endpoints in an OKM cluster where the Root CA certificate is an X.509v3 certificate that is signed using a SHA-2 hashing algorithm (such as SHA-256). Instead, you must enroll the agents in an OKM cluster where the Root CA certificate is an X.509v1 certificate that is signed using a SHA-1 hashing algorithm.
Encryption endpoints that have compatibility issues with SHA-2 certificates:
- HP LTO4 tape drives
- IBM LTO4/5/6/7 tape drives running Belisarius firmware version 4.x
All other encryption endpoints will work with SHA-2 certificates. Those specifically tested are:
- HP LTO5/6 tape drives
- IBM LTO4/5/6/7 tape drives running Belisarius firmware version 5.32.20
- PKCS#11 applications that use the KMS PKCS#11 Provider on Oracle Solaris and Oracle Linux, including ZFS file systems on Oracle Solaris 11 servers and ZFS Storage Appliance.
- Oracle Transparent Database Encryption (TDE) on Oracle Database servers
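Before renewing, an administrator usually wants to confirm which of the two cases above the cluster's current Root CA certificate falls into. The following is an added example, not Oracle's code or any OKM tool: it reads the X.509 version and the signature algorithm OID directly from a DER-encoded certificate (the only two fields the compatibility rule depends on) and applies the page's rule that the legacy endpoints listed above can enroll only when the Root CA certificate is X.509v1 and SHA-1 signed. The sample certificates are constructed skeletons built by the block itself (serial, algorithm fields and an empty signature; the issuer, validity, subject and key fields are omitted), so it runs offline; on a real certificate exported with `openssl x509 -in root.pem -outform DER -out root.der`, pass the file's bytes to `inspect_certificate`.

```python
"""Classify a Root CA certificate by X.509 version and signature hash family."""

# Signature algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758) mapped to a hash family.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-2"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-2"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "SHA-2"),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", "SHA-2"),
}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Turn OBJECT IDENTIFIER content bytes into dotted-decimal form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def inspect_certificate(der):
    """Return version, signature algorithm name and hash family of a DER certificate."""
    tag, cert_body, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    tag, tbs, pos = _read_tlv(cert_body, 0)        # tbsCertificate
    assert tag == 0x30
    tag, sig_alg, _ = _read_tlv(cert_body, pos)    # signatureAlgorithm (outer)
    assert tag == 0x30
    tag, oid_bytes, _ = _read_tlv(sig_alg, 0)      # AlgorithmIdentifier.algorithm
    assert tag == 0x06
    oid = _decode_oid(oid_bytes)
    # version is [0] EXPLICIT INTEGER and optional; when absent the certificate is v1.
    tag, first, _ = _read_tlv(tbs, 0)
    if tag == 0xA0:
        _, ver, _ = _read_tlv(first, 0)
        version = int.from_bytes(ver, "big") + 1
    else:
        version = 1
    name, family = SIGNATURE_OIDS.get(oid, (oid, "unknown"))
    return {"x509_version": version, "signature_algorithm": name, "hash_family": family}


def legacy_endpoints_can_enroll(der):
    """Page rule: SHA-2-incompatible endpoints enroll only against a v1, SHA-1-signed Root CA."""
    info = inspect_certificate(der)
    return info["x509_version"] == 1 and info["hash_family"] == "SHA-1"


# --- constructed sample data below: a minimal DER encoder and two certificate skeletons ---

def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return out


def make_sample_cert(version, sig_oid):
    """Constructed, unsigned certificate skeleton carrying only the fields inspected above."""
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # algorithm + NULL params
    fields = b""
    if version > 1:
        fields += _tlv(0xA0, _tlv(0x02, bytes([version - 1])))         # [0] EXPLICIT version
    fields += _tlv(0x02, b"\x01")                                       # serialNumber
    fields += alg                                                       # tbs.signature
    tbs = _tlv(0x30, fields)
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 9))              # empty BIT STRING signature


V3_SHA256 = make_sample_cert(3, "1.2.840.113549.1.1.11")
V1_SHA1 = make_sample_cert(1, "1.2.840.113549.1.1.5")

if __name__ == "__main__":
    for label, cert in (("v3/SHA-256", V3_SHA256), ("v1/SHA-1", V1_SHA1)):
        print(label, inspect_certificate(cert), "legacy ok:", legacy_endpoints_can_enroll(cert))
```

The parser deliberately stops after the leading fields of tbsCertificate and the outer signatureAlgorithm, so it works on a full real certificate as well as on the skeletons; it does not validate the signature, which is not what the compatibility question is about.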