Certificates that are used for encryption key servers

When you enable encryption with key servers, two types of certificates are required to ensure secure communication between the system and the encryption key server.

In general, certificates are the primary method that is used by the key servers to authenticate the system and for the system to authenticate to the key servers. The exchange of these certificates verifies that access to the encryption keys that are stored on the key servers is permitted. The authentication of the system ensures that the key servers do not give access to keys to an untrusted party. The authentication of the key servers ensures that the system does not ask for sensitive keys to be stored by an untrusted party. Security of the system relies on two factors. First, the public certificates of the key servers and the system must be exchanged securely so that each device can trust the other. Second, the key servers and the system must keep their private key, which is associated with the certificate, secure.

The key server certificates, which are used by the key servers to verify the system, require that the certificate authority (CA) certificate or the self-signed certificate be transferred to the system. The key servers can use a certificate from a trusted third party, a self-signed certificate, or a combination of these certificates.

If IBM Security Key Lifecycle Manager servers are configured for automatic replication, this certificate is copied from the primary key server to all secondary key servers. All IBM Security Key Lifecycle Manager instances are reached over secure connections that use the same key server certificate. If replication is used on the IBM Security Key Lifecycle Manager, only one key server certificate needs to be installed. The IBM Security Key Lifecycle Manager servers use this single certificate to replicate keys with each other. If the IBM Security Key Lifecycle Manager servers are not configured for automatic replication, you must install separate certificates for each stand-alone key server. However, if the key servers use self-signed certificates, the certificates must be uploaded separately to the system. Any self-signed certificates take priority over any CA-signed certificate that is installed on the system for the key servers.

In addition, a system encryption certificate must be installed on each of the configured key servers. The key server administrator accepts the certificate to grant access to the key servers. If automatic replication is configured on the IBM Security Key Lifecycle Manager, the system certificate is copied to the primary key server and automatically distributed to the other configured key servers. The system encryption certificate can also be either a self-signed certificate or a certificate from a certificate authority. To configure system encryption certificates for secure communications, select Settings > Security > Secure Communications.
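
One way to check that public certificates were exchanged securely is to compare SHA-256 fingerprints over a separate channel before a key server certificate is uploaded to the system or the system encryption certificate is accepted on a key server. The following Python sketch is an added example, not part of the product or its documentation; the function names and the sample certificates are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re
import ssl

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL
)


def fingerprints(pem_bundle: str) -> list:
    """Return the SHA-256 fingerprint (lowercase hex) of every certificate in a PEM file."""
    certs = PEM_CERT.findall(pem_bundle)
    if not certs:
        raise ValueError("no PEM certificate found")
    return [hashlib.sha256(ssl.PEM_cert_to_DER_cert(c)).hexdigest() for c in certs]


def normalize(fp: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex as read out by the other administrator."""
    fp = re.sub(r"[\s:]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", fp):
        raise ValueError("not a SHA-256 fingerprint")
    return fp


def safe_to_install(pem_bundle: str, confirmed: list) -> bool:
    """True only if every certificate in the file matches a fingerprint confirmed out of band."""
    trusted = [normalize(fp) for fp in confirmed]
    return all(
        any(hmac.compare_digest(actual, t) for t in trusted)
        for actual in fingerprints(pem_bundle)
    )


# Constructed stand-ins for exported certificates: the bytes are placeholders, not
# real X.509 data, which is enough here because a fingerprint is a hash of the DER bytes.
KEY_SERVER_PEM = ssl.DER_cert_to_PEM_cert(b"constructed key server certificate")
SWAPPED_PEM = ssl.DER_cert_to_PEM_cert(b"constructed certificate from someone else")

if __name__ == "__main__":
    # Fingerprint as the key server administrator would read it out over a separate channel.
    confirmed = hashlib.sha256(b"constructed key server certificate").hexdigest().upper()
    print(safe_to_install(KEY_SERVER_PEM, [confirmed]))                # True
    print(safe_to_install(KEY_SERVER_PEM + SWAPPED_PEM, [confirmed]))  # False
```

A file that contains any certificate without a confirmed fingerprint is rejected as a whole, so an extra self-signed certificate cannot ride along with a legitimate CA certificate.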