User-Supplied TLS Certificate Requirements

If you create your own TLS certificates to import onto the library for use with Scalar Key Manager (SKM), you must observe all of the following requirements.

When providing your own certificates, it is assumed you understand the concepts of PKI and have access to the tools or third-party resources needed to generate or obtain certificates.

You need to provide the following certificates:

Root Certificate (also called the CA certificate, or Certificate Authority Certificate)
Server Certificate
Admin Certificate

These files must be in the proper format, as follows. If any of the below requirements is not met, none of the certificates will be imported.

The Root Certificate must be 2048 bits.
The Root Certificate must be in PEM format.
The Admin and Server certificates must be in pkcs12 (.p12) format, with a separate certificate and private key contained in each.
The Admin and Server certificates must be at least 1024 bits.

NOTE: SKM-attached Scalar libraries support communication certificate key lengths of 1024 bits. Communication certificates larger than 1024 bits, such as 2048 and 4096 bit key lengths, are supported by the i500 i8.2 (and later) release. (Refer to the Scalar library release notes or contact Quantum/ support for additional information and availability of required library firmware). Note however, that the use of communication certificates with key bit lengths larger than 1024 bits will affect library performance with respect to encryption key retrieval times and encryption key generation, import and export operations. While certificate key lengths of 2048 bits slightly slow operations in single and multi-library attached SKM server environments, the use of communication certificates with a key length of 4096 bits should be avoided in SKM configuration environments where multiple Scalar tape libraries are attached to a single SKM server pair.

The Admin and Server certificates must be signed by the Root Certificate.
Certificates must have the Organization name (O) set in their Issuer and Subject info.
The Admin certificate must have its Organizational Unit name (OU) set as “akm_admin” in its Subject Info.
The same Root Certificate must be installed on the SKM servers and the library.
All the certificates must have a valid validity period according to the date and time settings on the SKM server.

See also:

Importing TLS Certificates