Renew the Root CA Certificate

This OKM console function renews the Root CA Certificate, signs it using the specified signature algorithm, and reissues certificates for itself and the other KMAs in the cluster.

Renewing updates credentials for all KMAs in the cluster, but does not automatically update or invalidate credentials for Agents and Users. This means that any already-enrolled Agents and Users can continue to communicate with this OKM cluster. If you changed the signature algorithm and X.509 certificate type during the renew, you may wish to re-enroll Agents and update User passwords so they begin using the new formats (see Task 4 and Task 5 of Generate and Sign Certificates Using SHA-256). If you change the signature algorithm to SHA-256, then the cluster will use an X.509v3 certificate for the Root CA certificate and all subsequently generated entity certificates. Otherwise, the certificate version will remain at X.509v1 for legacy compatibility purposes.

Note:

Renewing the Root CA certificate impacts activity in this cluster and makes the current backups obsolete. Always plan the renew in advance.

Available to: Security Officer

This menu option only appears with replication version 16 or later.

  1. Log into OKM console. At the Please enter your choice: prompt on the main menu, select Renew Root CA Certificate and press Enter.
  2. Enter 1 for SHA256 (default) or 2 for SHA1 — If the encryption endpoints in this OKM environment will not support SHA2, enter 2. Otherwise, enter 1.
    See SHA Compatibility for information on agent compatibility.
  3. When prompted to confirm the renew, type y and press Enter.
  4. The following indicates the renew is complete and the OKM service has restarted:
    Root CA renew succeeded and OKM service has restarted. Please perform a backup as soon as possible.
    
  5. Press Enter to return to the main menu.
  6. You should create a new backup (see Create a Database Backup) and then destroy the older backups (see Destroy a Backup).
  7. To display properties of the new Root CA Certificate, see Show Properties of the Root CA Certificate.

SHA Compatibility

Certain types of agents (encryption endpoints) are incompatible with some versions of SHA.

Most types of OKM encryption endpoints support SHA-2 hashing algorithms and X.509v3 certificates. You can enroll agents associated with these encryption endpoints in an OKM cluster where the Root CA certificate is an X.509v3 certificate that is signed using a SHA-2 hashing algorithm (such as SHA-256).

Some types of OKM encryption endpoints do not support SHA-2 hashing algorithms and X.509v3 certificates. You cannot enroll agents associated with these encryption endpoints in an OKM Cluster where the Root CA certificate is an X.509v3 certificate that is signed using a SHA-2 hashing algorithm (such as SHA-256). Instead, you must enroll the agents in an OKM Cluster where the Root CA certificate is an X.509v1 certificate that is signed using a SHA-1 hashing algorithm.

Encryption endpoints that have compatibility issues with SHA-2 certificates:

  • HP LTO4 tape drives
  • IBM LTO4/5/6/7 tape drives running Belisarius firmware version 4.x

All other encryption endpoints will work with SHA-2 certificates. Those specifically tested are:

  • HP LTO5/6 tape drives
  • IBM LTO4/5/6/7 tape drives running Belisarius firmware version 5.32.20
  • PKCS#11 applications that use the KMS PKCS#11 Provider on Oracle Solaris and Oracle Linux, including ZFS file systems on Oracle Solaris 11 servers and ZFS Storage Appliance.
  • Oracle Transparent Database Encryption (TDE) on Oracle Database servers
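The renew procedure above ties the signature algorithm choice (SHA-256 versus SHA-1) to the certificate version (X.509v3 versus X.509v1), and the compatibility list says which endpoints can still enroll under each. The following is an added example, not Oracle's code or part of the OKM console: a stdlib-only Python inspector that reads the two fields from a Root CA certificate in DER or PEM form and reports whether the SHA-1/X.509v1 endpoints listed above could enroll against it. It assumes you have exported the Root CA certificate to a file (the page does not describe the export); the OID-to-name table and the sample certificate builder are constructed here for the demonstration.

```python
import base64
import re

# Signature-algorithm OIDs this inspector recognises (constructed table; RFC 3279/4055 values).
OID_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11

# Endpoints the page lists as needing a SHA-1 signed X.509v1 Root CA.
LEGACY_ENDPOINTS = (
    "HP LTO4 tape drives",
    "IBM LTO4/5/6/7 tape drives running Belisarius firmware 4.x",
)


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, content, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    """Decode DER OBJECT IDENTIFIER content bytes into dotted form."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(data):
    """Accept PEM or DER bytes; return DER bytes."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data


def inspect_certificate(der):
    """Return the X.509 version and signature algorithm of a DER certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate starts with an OPTIONAL [0] EXPLICIT version; when the tag
    is absent the certificate is v1, which is exactly the legacy case here.
    """
    tag, cert, _ = _read_tlv(der, 0)
    tag, tbs, pos = _read_tlv(cert, 0)
    _, outer_alg, _ = _read_tlv(cert, pos)          # signatureAlgorithm after the TBS
    tag, body, after = _read_tlv(tbs, 0)
    if tag == 0xA0:                                  # [0] version present
        _, ver, _ = _read_tlv(body, 0)
        version, tbs_pos = int.from_bytes(ver, "big") + 1, after
    else:
        version, tbs_pos = 1, 0
    _, _serial, tbs_pos = _read_tlv(tbs, tbs_pos)    # serialNumber
    _, inner_alg, _ = _read_tlv(tbs, tbs_pos)        # signature AlgorithmIdentifier
    if inner_alg != outer_alg:
        raise ValueError("TBS signature field does not match outer signatureAlgorithm")
    _, oid, _ = _read_tlv(inner_alg, 0)
    dotted = _decode_oid(oid)
    return {"version": version, "oid": dotted,
            "signature_algorithm": OID_NAMES.get(dotted, dotted)}


def legacy_endpoints_can_enroll(info):
    """True only for a SHA-1 signed X.509v1 Root CA, the combination the page requires for LEGACY_ENDPOINTS."""
    return info["version"] == 1 and info["signature_algorithm"] == "sha1WithRSAEncryption"


def _tlv(tag, content):
    """Minimal DER encoder used only to build the constructed sample below."""
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_sample_cert(version, sig_oid):
    """Constructed, unsigned sample certificate carrying only the fields the inspector reads."""
    alg = _tlv(0x30, _tlv(0x06, sig_oid) + b"\x05\x00")
    fields = _tlv(0xA0, _tlv(0x02, bytes([version - 1]))) if version != 1 else b""
    fields += _tlv(0x02, b"\x01") + alg + _tlv(0x30, b"")   # serial, signature, placeholder issuer
    return _tlv(0x30, _tlv(0x30, fields) + alg + _tlv(0x03, b"\x00"))


if __name__ == "__main__":
    import sys
    der = pem_to_der(open(sys.argv[1], "rb").read()) if len(sys.argv) > 1 \
        else build_sample_cert(3, SHA256_RSA_OID)
    info = inspect_certificate(der)
    print(info, "legacy endpoints can enroll:", legacy_endpoints_can_enroll(info))
```

Run it with the exported Root CA file as the only argument; with no argument it inspects the constructed SHA-256/X.509v3 sample. A result of version 3 with sha256WithRSAEncryption is what the page says to expect after choosing option 1 in the renew, and means the HP LTO4 and Belisarius 4.x IBM drives listed above cannot be enrolled in that cluster.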