Configuring Certificates

Configuring the Communication Certificates for Crypto_fs

Perform the following steps as the HwHiAiUser user to configure the certificate, and ensure that the KMSAgent service has been started. For details about the startup command, see Step 3. After setting the certificate, restart the KMSAgent service. For details, see Restart the KMSAgent service.

  1. Run the following KMSAgent command to generate a certificate signing request (CSR) for Crypto_fs.
    /usr/local/Ascend/driver/tools/kmsagent tls-cfs get-csr "rsa:4096:sha256" "CN|ZHEJIANG|HANGZHOU|Huawei|Marketing" /var/kmsagentd/kmsagent.conf /var/kmsagentd/kmsconf.ksf

    The CSR is generated in the tmp directory specified by TlsCertPath under SERVER_FOR_CFS in the configuration file.

  2. Apply for a certificate from your internal certificate issuing department or an external certificate issuing authority that meets your security requirements.
  3. Download the issued CA certificate. This step uses the CA root certificate rsa.rca.pem, level-2 CA certificate rsa.oca.pem, root certificate chain rsa.trust.pem, and TLS certificate rsa.00638ef9df05a254695a5fab84935aff.pem as examples.
  4. Import the certificates.
    1. Upload the TLS certificate, CA root certificate, and level-2 CA certificate downloaded in the previous step to the same directory.
    2. Run the following command in the directory. Before running this command, ensure that only the KMSAgent running user has read permission on the file.
      /usr/local/Ascend/driver/tools/kmsagent tls-cfs set-cert "rsa.00638ef9df05a254695a5fab84935aff.pem rsa.rca.pem rsa.oca.pem" /var/kmsagentd/kmsagent.conf /var/kmsagentd/kmsconf.ksf

      Replace rsa.00638ef9df05a254695a5fab84935aff.pem with the actual name of the downloaded certificate.

Configuring the Communication Certificates for AI-VAULT

Perform the following steps as the HwHiAiUser user to configure the certificate, and ensure that the KMSAgent service has been started. For details about the startup command, see Step 3. After setting the certificate, restart the KMSAgent service. For details, see Restart the KMSAgent service.

  1. Run the following KMSAgent command to generate a certificate signing request (CSR) for AI-VAULT.
    /usr/local/Ascend/driver/tools/kmsagent tls-client get-csr "rsa:4096:sha256" "CN|ZHEJIANG|HANGZHOU|Huawei|Marketing" /var/kmsagentd/kmsagent.conf /var/kmsagentd/kmsconf.ksf

    The CSR is generated in the tmp directory specified by TlsCertPath under CLIENT_FOR_AIVAULT in the configuration file.

  2. Apply for a certificate from your internal certificate issuing department or an external certificate issuing authority that meets your security requirements.
  3. Download the issued CA certificate. This step uses the CA root certificate rsa.rca.pem, level-2 CA certificate rsa.oca.pem, root certificate chain rsa.trust.pem, and TLS certificate rsa.00638ef9df05a254695a5fab84935aff.pem as examples.
  4. Import the certificates.
    1. Upload the TLS certificate, CA root certificate, and level-2 CA certificate downloaded in the previous step to the same directory.
    2. Run the following command in the directory. Before running this command, ensure that only the KMSAgent running user has read permission on the file.
      /usr/local/Ascend/driver/tools/kmsagent tls-client set-cert "rsa.00638ef9df05a254695a5fab84935aff.pem rsa.rca.pem rsa.oca.pem" /var/kmsagentd/kmsagent.conf /var/kmsagentd/kmsconf.ksf

      Replace rsa.00638ef9df05a254695a5fab84935aff.pem with the actual name of the downloaded certificate.
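
Step 4.2 of both procedures (Crypto_fs and AI-VAULT) requires that only the KMSAgent running user can read the certificate files before set-cert is run. The pre-flight check below is an added example, not part of the original documentation or of KMSAgent; the function names check_cert_file and check_cert_set are hypothetical, and it assumes a Linux stat that supports -c and that it is run as the KMSAgent running user.

```shell
#!/bin/sh
# Added example, not Huawei's code. Assumes GNU/busybox stat (-c) and that the
# script runs as the KMSAgent running user (HwHiAiUser on this page).

# check_cert_file FILE: succeed only if FILE is a regular file (no symlink),
# is owned by the current user, grants nothing to group/other (stricter than
# the read-only rule in the step), and contains a PEM certificate header.
check_cert_file() {
    f=$1
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "FAIL $f: missing, or not a regular file" >&2
        return 1
    fi
    owner=$(stat -c '%u' "$f") || return 1
    mode=$(stat -c '%a' "$f") || return 1
    if [ "$owner" != "$(id -u)" ]; then
        echo "FAIL $f: owned by uid $owner, not by the running user" >&2
        return 1
    fi
    # Mask the group and other permission bits of the octal mode.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL $f: mode $mode grants access to group/other (chmod 600)" >&2
        return 1
    fi
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$f"; then
        echo "FAIL $f: no PEM certificate block found" >&2
        return 1
    fi
    return 0
}

# check_cert_set "FILE FILE ...": takes the same space-separated string that is
# passed to set-cert and checks every file, so all problems are reported at once.
check_cert_set() {
    rc=0
    for f in $1; do   # intentional word splitting on the file list
        check_cert_file "$f" || rc=1
    done
    return "$rc"
}

# Stand-alone use: sh preflight.sh tls.pem rca.pem oca.pem
if [ $# -gt 0 ]; then
    check_cert_set "$*"
fi
```

Run the check in the upload directory with the same file list that will be passed to set-cert, and import only when it exits with status 0.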

Restart the KMSAgent service.

After configuring the certificates, disable login for user HwHiAiUser.

Switch to user root and restart the KMSAgent service.
npu-smi set -t key-manage -s stop   # Stop the service.
npu-smi set -t key-manage -s start  # Start the service.