Certificate Authority signature constraint to use keyUsage as critical

Document ID : KB000126345
Last Modified Date : 07/02/2019
As per security considerations in our organization, we have a constraint to use only permitted certificates generated via a Certificate Authority signature from the certificate authority process. As per our security standards, it is mandatory for us to have certificates with keyUsage=critical.

As per the documentation, it is mentioned that "The certificate/keystore used to sign the jar file (during the jarsigner step) cannot have the combination of KeyUsage = critical and ExtendedKeyUsage = serverAuth. The combination is not allowed to sign code."

Question: How can we configure secure communication for the Release Operations Center (ROC) UI and ASAP studio in line with our security policy?

The considerations for enabling SSL for the various components of CA Release Automation (CA RA) are as follows:
  1. For a Certificate Authority signature, ensure that the client certificate allows the use of both "serverAuth" and "clientAuth". This enables Agent to Execution Server communication.
  2. A certificate/keystore with the combination keyUsage=critical and extendedKeyUsage=serverAuth is not a valid code-signing combination, and code signing is required to enable SSL for ASAP studio (the custom truststore jar must be signed).
  3. A certificate whose extendedKeyUsage contains only clientAuth is not sufficient to configure SSL for the ROC UI, because the server presents this certificate to clients such as web browsers, which require serverAuth.
Environment: CA RA 6.5, 6.6 and higher

Note: It may also apply to earlier releases; however, this document was validated against the most recent version of RA.
Resolution:
  • Generate two certificates with the following combinations:
    • Certificate one: keyUsage=critical,digitalSignature; extendedKeyUsage=serverAuth,clientAuth
    • Certificate two: keyUsage=critical,digitalSignature; extendedKeyUsage=codeSigning
  • Import the keys pertaining to both certificates into the custom-keystore.jks file.
  • Use the first certificate to enable SSL for the ROC, i.e. reference its alias (and the keystore) in the server.xml of the Data Management Server.
  • Use the second certificate to enable SSL for ASAP studio by using it to generate custom-truststore.jar and to sign that jar.
Note: For detailed steps on enabling SSL for CA RA, see the product documentation referenced in the Additional Information section.
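The steps above as a runnable script. This is an added example and not code from the CA Release Automation documentation: it generates the two certificates with OpenSSL using the stated keyUsage/extendedKeyUsage values (self-signed here; in production the request goes to your CA, only the extensions matter), checks each certificate against the two rules from the considerations section, builds PKCS#12 bundles for custom-keystore.jks and, if a JDK is on the PATH, imports them with keytool, builds custom-truststore.jar and signs it with jarsigner. The host names (roc.example.com, asap-codesign.example.com), the aliases (roc-server, asap-codesign), the store password and the temporary work directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example; this is not code from the CA Release Automation documentation.
# It creates the two certificates from the resolution with OpenSSL, checks that
# each carries the required keyUsage/extendedKeyUsage combination, packages
# both for custom-keystore.jks and, when JDK tools are present, signs
# custom-truststore.jar with the code-signing entry. The host names, aliases,
# store password and work directory are placeholders assumed for the example.
set -eu

WORK="${WORK:-$(mktemp -d)}"
STOREPASS="${STOREPASS:-changeit}"   # placeholder; use a real secret in production

# Self-signed certificate with the requested keyUsage and extendedKeyUsage.
# $1 = file base name, $2 = subject CN, $3 = keyUsage, $4 = extendedKeyUsage.
# In production the request goes to the organisation's CA instead; only the
# extensions matter for the checks below.
gen_cert() {
    cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $2
[v3_ext]
keyUsage = $3
extendedKeyUsage = $4
subjectAltName = DNS:$2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 825 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -config "$WORK/$1.cnf" -extensions v3_ext >/dev/null 2>&1
}

# Return 0 when the decoded certificate has a critical Key Usage containing
# Digital Signature plus every Extended Key Usage name given after $1.
has_ext() {
    text=$(openssl x509 -in "$1" -noout -text)
    shift
    printf '%s\n' "$text" | grep -q 'X509v3 Key Usage: critical' || return 1
    printf '%s\n' "$text" | grep -q 'Digital Signature' || return 1
    for eku in "$@"; do
        printf '%s\n' "$text" | grep -q "$eku" || return 1
    done
}

# Rule for the ROC UI: the server presents this certificate to browsers, so
# its EKU must include serverAuth.
tls_server_ok()   { has_ext "$1" 'TLS Web Server Authentication'; }
# Rule for the ASAP jar: keyUsage=critical with EKU=serverAuth is not a
# code-signing combination; jarsigner needs codeSigning in the EKU.
code_signing_ok() { has_ext "$1" 'Code Signing'; }

# Wrap key + certificate as PKCS#12 and, if keytool exists, merge the entry
# into custom-keystore.jks so both certificates share one keystore.
to_keystore() {
    openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.crt" \
        -name "$2" -out "$WORK/$1.p12" -passout "pass:$STOREPASS"
    command -v keytool >/dev/null 2>&1 || return 0
    keytool -importkeystore -noprompt -deststoretype JKS \
        -srckeystore "$WORK/$1.p12" -srcstoretype PKCS12 \
        -srcstorepass "$STOREPASS" -srcalias "$2" \
        -destkeystore "$WORK/custom-keystore.jks" \
        -deststorepass "$STOREPASS" -destalias "$2" >/dev/null 2>&1
}

# Build custom-truststore.jar (a truststore holding the ROC certificate) and
# sign it with the code-signing alias. Skipped when JDK tools are absent.
sign_truststore_jar() {
    command -v jar >/dev/null 2>&1 && command -v jarsigner >/dev/null 2>&1 || return 0
    keytool -importcert -noprompt -storetype JKS -alias roc-server \
        -file "$WORK/roc-server.crt" -keystore "$WORK/custom-truststore.jks" \
        -storepass "$STOREPASS" >/dev/null 2>&1
    (cd "$WORK" && jar cf custom-truststore.jar custom-truststore.jks)
    jarsigner -keystore "$WORK/custom-keystore.jks" -storepass "$STOREPASS" \
        "$WORK/custom-truststore.jar" asap-codesign
}

# Certificate one (ROC UI, referenced from the Data Management Server's
# server.xml). Caveat: RSA key-exchange cipher suites would also need
# keyEncipherment; ECDHE suites are satisfied by digitalSignature alone.
gen_cert roc-server roc.example.com 'critical, digitalSignature' 'serverAuth, clientAuth'
# Certificate two (signs custom-truststore.jar for ASAP studio).
gen_cert asap-codesign asap-codesign.example.com 'critical, digitalSignature' 'codeSigning'

to_keystore roc-server roc-server
to_keystore asap-codesign asap-codesign
sign_truststore_jar

for c in roc-server asap-codesign; do
    if tls_server_ok "$WORK/$c.crt"; then tls=yes; else tls=no; fi
    if code_signing_ok "$WORK/$c.crt"; then cs=yes; else cs=no; fi
    echo "$c: usable for ROC TLS=$tls  usable to sign the ASAP jar=$cs"
done
```

Run it with `sh` on a host that has OpenSSL; the final loop reports that roc-server passes only the ROC TLS rule and asap-codesign passes only the jar-signing rule, which is exactly why two certificates are needed. The decoded extensions can be inspected with `openssl x509 -in <file> -noout -text`, and the same check is worth repeating on a CA-issued certificate before it is imported, since a CA that rewrites the requested extensions will silently reproduce the original problem.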
Additional Information:
Secure Communication CA Release Automation: https://docops.ca.com/ca-release-automation/6-6/en/installation/ca-release-automation-security/secure-communications