Certificate Authority signature constraint to use keyUsage as critical

Document ID : KB000126345
Last Modified Date : 07/02/2019
Introduction:
As per the security considerations in our organization, we are constrained to use only certificates issued through the Certificate Authority signature process. Our security standards mandate that certificates have the keyUsage extension marked as critical (keyUsage=critical).

As per the documentation, "The certificate/keystore used to sign the jar file (during the jarsigner step) cannot have the combination of KeyUsage = critical and ExtendedKeyUsage = serverAuth. The combination is not allowed to sign code."

Question: How can we configure secure communication for the Release Operations Center (ROC) UI and ASAP studio in line with our security policy?

Background:
The considerations for enabling SSL for the various components of CA Release Automation (CA RA) are as follows:
  1. For a Certificate Authority signature, ensure that the client certificate allows the "serverAuth" and "clientAuth" extended key usages. This enables the Agent to Execution Server communication.
  2. A certificate/keystore that combines keyUsage=critical with extendedKeyUsage=serverAuth is not a valid code-signing combination, and code signing is required to enable SSL for ASAP studio.
  3. A certificate that has only keyUsage=clientAuth and extendedKeyUsage=clientAuth is not sufficient to configure SSL for the ROC UI, because the server will not be able to present that certificate to clients such as a web browser.
Environment:
CA RA: 6.5, 6.6 and higher

Note: This may also apply to earlier release versions; however, the document was validated against the most recent version of CA RA.
Instructions:
Solution/Recommendation:
  • Generate two certificates with the following combinations:
    • Certificate one: keyUsage=critical,digitalSignature; extendedKeyUsage=serverAuth,clientAuth
    • Certificate two: keyUsage=critical,digitalSignature; extendedKeyUsage=codeSigning
  • Import the keys for both certificates into the custom-keystore.jks file.
  • Use the first certificate to enable SSL for the ROC, i.e. reference that certificate's alias (and related settings) in the server.xml of the Data Management Server.
  • Use the second certificate to enable SSL for ASAP, by using it to generate custom-truststore.jar and to sign that jar.
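The two-certificate procedure above as an added example script; it is not part of the CA RA product documentation. It assumes keytool from a JDK is on PATH, uses a throw-away test CA in place of the organization's Certificate Authority (with a real CA, submit the generated CSR files to it instead), and the aliases, DNs, password and scratch directory are placeholders.

```shell
#!/bin/sh
# Added example: builds the two certificates from the Solution section, signed by a
# throw-away test CA, and stores both private keys in custom-keystore.jks.
set -eu

WORKDIR="${1:-./ra-ssl}"                 # placeholder scratch directory
KS="$WORKDIR/custom-keystore.jks"        # keystore named as in the article
CAKS="$WORKDIR/testca.jks"               # placeholder test CA (stands in for your real CA)
PW="changeit"                            # placeholder password, used for store and keys

make_test_ca() {
  keytool -genkeypair -keystore "$CAKS" -storetype JKS -storepass "$PW" -keypass "$PW" \
    -alias testca -keyalg RSA -keysize 2048 -validity 3650 -dname "CN=Example Test CA" \
    -ext BasicConstraints:critical=ca:true -ext KeyUsage:critical=keyCertSign,cRLSign
  keytool -exportcert -keystore "$CAKS" -storepass "$PW" -alias testca -rfc -file "$WORKDIR/testca.pem"
  # The CA certificate must be trusted in custom-keystore.jks before signed replies can be imported.
  keytool -importcert -noprompt -keystore "$KS" -storetype JKS -storepass "$PW" \
    -alias testca -file "$WORKDIR/testca.pem"
}

# gen_cert ALIAS KU_EXT EKU_EXT: key pair, CSR, CA-signed certificate, imported under ALIAS.
gen_cert() {
  alias="$1"; ku="$2"; eku="$3"
  keytool -genkeypair -keystore "$KS" -storepass "$PW" -keypass "$PW" \
    -alias "$alias" -keyalg RSA -keysize 2048 -dname "CN=$alias,O=Example"
  keytool -certreq -keystore "$KS" -storepass "$PW" -alias "$alias" -file "$WORKDIR/$alias.csr"
  # Extensions are fixed by the CA at signing time: this is where the keyUsage/extendedKeyUsage split lives.
  keytool -gencert -keystore "$CAKS" -storepass "$PW" -keypass "$PW" -alias testca -validity 825 \
    -infile "$WORKDIR/$alias.csr" -outfile "$WORKDIR/$alias.pem" -rfc -ext "$ku" -ext "$eku"
  keytool -importcert -noprompt -keystore "$KS" -storepass "$PW" -alias "$alias" -file "$WORKDIR/$alias.pem"
}

# show_ext ALIAS: print the KeyUsage/ExtendedKeyUsage details so the combination can be checked.
show_ext() {
  keytool -list -v -keystore "$KS" -storepass "$PW" -alias "$1" 2>/dev/null \
    | grep -E 'Criticality|KeyUsage|serverAuth|clientAuth|codeSigning|DigitalSignature'
}

main() {
  mkdir -p "$WORKDIR"
  make_test_ca
  # Certificate one: ROC / Data Management Server TLS (server.xml points at alias roc-ssl).
  gen_cert roc-ssl   "KeyUsage:critical=digitalSignature" "ExtendedKeyUsage=serverAuth,clientAuth"
  # Certificate two: jarsigner key for custom-truststore.jar (ASAP studio).
  gen_cert asap-sign "KeyUsage:critical=digitalSignature" "ExtendedKeyUsage=codeSigning"
  show_ext roc-ssl; show_ext asap-sign
}

if command -v keytool >/dev/null 2>&1; then main "$@"; else echo "keytool (JDK) not on PATH" >&2; fi
```

Run `show_ext roc-ssl` afterwards to confirm `Criticality=true` on the KeyUsage extension and that the asap-sign alias carries only codeSigning, which is the combination jarsigner accepts.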
Note: For detailed steps on enabling SSL for CA RA, see the product documentation referenced in the Additional Information section.
Additional Information:
Secure Communication CA Release Automation: https://docops.ca.com/ca-release-automation/6-6/en/installation/ca-release-automation-security/secure-communications