Certificate requirements

Conjur Enterprise uses certificates for communication between the Leader and Standby nodes in Conjur cluster. Certificates are required for any Conjur cluster. The information in this topic applies to all Conjur clusters, whether or not they are configured for auto-failover.

You can choose to use either self-signed certificates generated by Conjur Enterprise or third-party TLS certificates obtained from an independent certificate authority (CA).

Self-signed certificates

Certificates are generated automatically during Leader configuration. A parameter in the configuration command controls the names of the Leader and Standbys that are included in the generated certificate. If that parameter contains the correct values, no additional steps are required regarding certificate generation.

For more information, see Configure the Leader.


While self-signed certificates can be useful for development or proof-of-concept deployments, Conjur Enterprise production deployments should always use third-party certificates issued by a trusted Root Certificate Authority. This also ensures clients can trust Conjur Enterprise certificates without being provided a self-signed CA certificate.

Third-party signed certificates

You can use TLS certificates issued by a third party instead of the Conjur Enterprise self-signed certificates. As part of the Conjur cluster configuration process, you import the certificates received from the third party onto the Leader. A certificate import replaces any existing certificates on the Leader.

The configuration procedures assume that you use one shared certificate with the DNS names of the Leader, all of the Standbys, and the DNS load balancer that sits in front of the Conjur cluster.

Certificate specifications for Leader and Standbys

Your certificate request to the third-party issuer must include the following:

Common Name (CN):
  The DNS name of the load balancer that sits in front of the Conjur cluster.

Subject Alternative Name (SAN):
  • Must include the DNS names of the load balancer, the Leader, and every name of each Standby in the cluster.
  • Must include the Common Name (CN) specified above.
  • May include additional DNS names (for alternate domains) of the Leader, Standbys, and load balancer.

X509v3 Extended Key Usage:
  Must include:
  • TLS Web Server Authentication (serverAuth)
  • TLS Web Client Authentication (clientAuth)

Key Usage:
  If present, must allow key encipherment and digital signature.

Certificate specifications for Followers

CyberArk recommends issuing shared third-party certificates for Followers that include the following values:

Common Name (CN):
  The DNS name of the load balancer that coordinates the Follower communications.

Subject Alternative Name (SAN):
  Must include the Common Name (CN) specified above and may list additional DNS names (for alternate domains) for the load balancer.

X509v3 Extended Key Usage:
  If present, must allow both client and server authentication by including:
  • TLS Web Server Authentication (serverAuth)
  • TLS Web Client Authentication (clientAuth)

Key Usage:
  If present, must allow key encipherment and digital signature.
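The script below is an added example and is not part of the CyberArk documentation or of the Conjur product. It builds an OpenSSL certificate signing request that satisfies the Leader/Standby requirements (CN set to the load balancer, SAN listing the load balancer, Leader and every Standby, EKU serverAuth plus clientAuth, key usage digitalSignature plus keyEncipherment) and then checks the decoded CSR for each requirement before it is sent to the third-party CA. Setting SAN_HOSTS to only the load-balancer name produces the Follower variant from the second table. All host names are constructed placeholders, and the script assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the Conjur docs): build a CSR for a Conjur Leader/Standby
# certificate and verify the requested extensions against the requirements above.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
LB_DNS="${LB_DNS:-conjur.example.com}"                 # constructed load-balancer name
LEADER_DNS="${LEADER_DNS:-conjur-leader.example.com}"   # constructed Leader name
STANDBY1_DNS="${STANDBY1_DNS:-conjur-standby1.example.com}"
STANDBY2_DNS="${STANDBY2_DNS:-conjur-standby2.example.com}"
# Leader/Standby cluster: every node plus the load balancer. For a Follower
# certificate set SAN_HOSTS="$LB_DNS" (the Follower load balancer only).
SAN_HOSTS="${SAN_HOSTS:-$LB_DNS $LEADER_DNS $STANDBY1_DNS $STANDBY2_DNS}"
EKU="${EKU:-serverAuth, clientAuth}"
KU="${KU:-digitalSignature, keyEncipherment}"

# Write an OpenSSL request config with the CN, SAN, EKU and key-usage values.
write_csr_config() {
  san=""
  for n in $SAN_HOSTS; do san="${san:+$san, }DNS:$n"; done
  cat > "$WORKDIR/conjur-csr.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = ext
prompt             = no

[ dn ]
CN = $LB_DNS

[ ext ]
subjectAltName   = $san
extendedKeyUsage = $EKU
keyUsage         = $KU
EOF
}

# Generate a fresh RSA key and the CSR; the key never leaves $WORKDIR.
generate_csr() {
  write_csr_config
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORKDIR/conjur.key" \
    -out "$WORKDIR/conjur.csr" \
    -config "$WORKDIR/conjur-csr.cnf" >/dev/null 2>&1
}

# Decoded CSR text; the checks below grep this output.
csr_text() { openssl req -in "$WORKDIR/conjur.csr" -noout -text; }

# Each check returns 0 when the corresponding requirement holds.
# CN must be the load-balancer name (OpenSSL prints "CN=" or "CN = ").
check_cn() { csr_text | grep -q "CN *= *$LB_DNS"; }

# SAN must contain every host in SAN_HOSTS (the CN is part of that list).
check_san() {
  for n in $SAN_HOSTS; do
    csr_text | grep -q "DNS:$n" || return 1
  done
}

# EKU must contain both serverAuth and clientAuth.
check_eku() {
  t=$(csr_text)
  echo "$t" | grep -q "TLS Web Server Authentication" &&
    echo "$t" | grep -q "TLS Web Client Authentication"
}

# Key usage must allow digital signature and key encipherment.
check_ku() {
  t=$(csr_text)
  echo "$t" | grep -q "Digital Signature" &&
    echo "$t" | grep -q "Key Encipherment"
}

generate_csr
if check_cn && check_san && check_eku && check_ku; then
  echo "CSR $WORKDIR/conjur.csr satisfies the certificate requirements"
else
  echo "CSR does not meet the requirements; do not submit it to the CA" >&2
fi
```

Run the same checks against the certificate the CA returns (swap `openssl req` for `openssl x509 -in <cert> -noout -text` in `csr_text`) before importing it onto the Leader: a CA may drop or rewrite requested extensions, and a certificate missing clientAuth or a Standby SAN entry will only fail once the nodes try to talk to each other.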