Dell Security Management Server and Virtual Server SSL and TLS Certificate Minimum Requirements

Summary: This document describes the minimum requirements for requesting SSL/TLS certificates for use by the Dell Data Security server.


Instructions

Affected Products:

  • Dell Security Management Server
  • Dell Data Protection | Enterprise Edition
  • Dell Security Management Server Virtual
  • Dell Data Protection | Virtual Edition

Dell Data Security includes the convenience of creating and using a self-signed certificate for secure communication between the server and clients. However, as with all self-signed certificates, there are security considerations when choosing what type of certificate to use.

To enhance security, it is recommended to request an SSL/TLS certificate using an internal or well-known third-party Certificate Authority (CA).

The recommendations and minimum requirements for an SSL/TLS certificate for use by the Dell Data Security server are:

  • Certificate Signing Requests (CSRs) must include a Common Name (CN).
  • Certificate Signing Requests (CSRs) must include a Subject Alternative Name (SAN). This must be a DNS entry that matches the Common Name.
  • Include other common fields such as Country (C), State (ST), and Organization (O).
  • Use at least SHA-256. SHA-2 signing should be used on the request, although this may be unnecessary if the CA overrides the algorithm that is specified in the request. The resulting certificate must be SHA-2 signed. MD5 and SHA-1 are deprecated and no longer supported.
  • Private keys must be at least RSA 2048-bit.
  • Private keys must be exportable.
  • For version 9.3 and earlier, each certificate in the chain must have an AuthorityKeyIdentifier that matches the signing certificate’s SubjectKeyIdentifier.
    Note: If any DNS names are specified in the Subject Alternative Name (SAN) extension that is in the request, then the CN field is not matched when validating the certificate as specified in section 6.4.4 of RFC 6125.
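
The following is an added example, not Dell-provided code: a shell script that builds a request meeting the CN, SAN, SHA-256, and RSA 2048 requirements above, then checks any CSR against them before it is sent to the CA. It assumes OpenSSL 1.1.1 or later; the function names, host names, and subject values are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not Dell code. Needs OpenSSL 1.1.1+ (for -addext).
# dds.example.test, other.example.test and the subject values are constructed placeholders.

# make_csr <cn> <san-dns> <key-out> <csr-out>: new RSA 2048 key, SHA-256 signed request
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$3" -out "$4" \
    -subj "/C=US/ST=Texas/O=Example Corp/CN=$1" \
    -addext "subjectAltName=DNS:$2" 2>/dev/null
}

# check_csr <csr-file>: prints each unmet requirement; returns 0 only if all are met
check_csr() {
  local text cn bits fail=0
  text=$(openssl req -in "$1" -noout -text 2>/dev/null) ||
    { echo "FAIL: cannot parse CSR"; return 2; }
  cn=$(openssl req -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
       sed -n 's/^ *commonName *= *//p' | head -n1)
  [ -n "$cn" ] || { echo "FAIL: no Common Name (CN)"; fail=1; }

  # The SAN must carry a DNS entry equal to the CN (DNS names are case-insensitive)
  if ! printf '%s\n' "$text" | grep -A1 'X509v3 Subject Alternative Name' |
       tail -n1 | tr -d ' ' | tr ',' '\n' | grep -Fxqi "DNS:$cn"; then
    echo "FAIL: no SAN DNS entry matching CN '$cn'"; fail=1
  fi

  # The request itself should be signed with SHA-256 or stronger
  printf '%s\n' "$text" | grep -Eq 'Signature Algorithm: *sha(256|384|512)With' ||
    { echo "FAIL: request not signed with SHA-256 or stronger"; fail=1; }

  # The key must be RSA, 2048 bits or more
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1)
  if ! printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption' ||
     [ "${bits:-0}" -lt 2048 ]; then
    echo "FAIL: key is not RSA with at least 2048 bits"; fail=1
  fi
  return "$fail"
}

# Demo: one compliant request, one whose SAN does not match its CN
demo() {
  local d; d=$(mktemp -d)
  make_csr dds.example.test dds.example.test "$d/ok.key" "$d/ok.csr"
  make_csr dds.example.test other.example.test "$d/bad.key" "$d/bad.csr"
  check_csr "$d/ok.csr" && echo "ok.csr meets the listed requirements"
  check_csr "$d/bad.csr" || echo "bad.csr rejected"
  rm -rf "$d"
}
demo
```

Because `-nodes` writes the private key unencrypted so that it stays exportable, keep the key file under restrictive permissions until it is imported. The script checks only the request; the signature algorithm of the issued certificate still has to be confirmed after the CA returns it.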

Unsupported configurations:


To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.

Affected Products

Dell Encryption
Article Properties
Article Number: 000124821
Article Type: How To
Last Modified: 08 Aug 2024
Version: 11