Hitachi

Job Management Partner 1 Version 10 Job Management Partner 1/Consolidated Management 2/Network Node Manager i Setup Guide


8.2 Generating a Certificate Authority certificate

If you plan to use a Certificate Authority (CA), complete the following steps to generate a CA certificate.

Reference note

When you use a CA with NNMi, you must use the RSA algorithm to sign the certificate. The DSA algorithm is not supported.

  1. Change to the directory on the NNMi management server that contains the nnm.keystore and nnm.truststore files:

    • Windows: %NNM_DATA%\shared\nnm\certificates

    • UNIX: $NNM_DATA/shared/nnm/certificates

  2. Save a backup copy of the nnm.keystore file.

  3. Generate a private key from your system. Use the keytool command to generate this private key.

    a. Execute the following command:

    Windows:

    %NnmInstallDir%\nonOV\jdk\nnm\bin\keytool.exe \
    -genkeypair -validity 36500 -keyalg rsa -keystore \
    nnm.keystore -storepass nnmkeypass \
    -keypass nnmkeypass -keysize 2048 -alias \
    myserver.mydomain

    UNIX:

    $NnmInstallDir/nonOV/jdk/nnm/bin/keytool \
    -genkeypair -validity 36500 -keyalg rsa -keystore \
    nnm.keystore -storepass nnmkeypass \
    -keypass nnmkeypass -keysize 2048 -alias \
    myserver.mydomain

    Note:

    A backslash (\) at the end of a line specifies that the line continues.

    Reference note
    • The alias (myserver.mydomain in this example) identifies this newly-created key. Although the alias can be any string, we recommend that you use the fully-qualified domain name (FQDN) of your system for the myserver.mydomain alias variable.

    • Linux operating systems have a keytool command that is not compatible with this keytool command or the command options used in this step.

    b. Enter the requested information.

    Important note

    When prompted for your first and last name, enter the fully-qualified domain name (FQDN) of your system.

  4. Execute the following command to create a CSR (Certificate Signing Request) file:

    Windows:

    %NnmInstallDir%\nonOV\jdk\nnm\bin\keytool.exe \
    -keystore nnm.keystore -certreq -storepass nnmkeypass \
    -alias myserver.mydomain -file CERTREQFILE

    UNIX:

    $NnmInstallDir/nonOV/jdk/nnm/bin/keytool -keystore \
    nnm.keystore -certreq -storepass nnmkeypass -alias \
    myserver.mydomain -file CERTREQFILE

    Legend:

    A backslash (\) at the end of a line specifies that the line continues.

    Reference note

    For details about the keytool command, search for Key and Certificate Management Tool at http://www.oracle.com/technetwork/java/index.html.

  5. Send the CSR to your CA signing authority.

    They will provide you with one of the following:

    • A signed certificate, referred to as myserver.crt

      The myserver.crt file contains both the server certificate (the first certificate in the file) and one or more CA (Certificate Authority) certificates (the last certificates in the file). Copy the CA certificate into a new file, myca.crt. Use the myserver.crt file when importing the server certificate into the nnm.keystore file, and the myca.crt file when importing the CA certificate into the nnm.truststore file.

    • Two files, named myserver.crt and CA.crt

      Add the contents of the CA.crt file to the end of the myserver.crt file. Use the myserver.crt file when importing the server certificate into the nnm.keystore file, and use the CA certificate file (referred to as myca.crt in the remaining steps) when importing the CA certificate into the nnm.truststore file.

    The following examples show what the files you receive from your CA signing authority might look like:

    Separate server and multiple CA certificate files:

    -----BEGIN CERTIFICATE-----
    Sample/AVQQKExNQU0EgQ29ycG9yYXRpb24gTHRkMRAwDgYDVQQLEwd
    OZXR3b3JseGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPW
    NSTERpc3RyaWJ1dGlw
    .......................................................
    .......................................................
    TZImiZPyLGQBGRYDaW50MRIwEAYKCZImiZPyLGQBGRYCc2cxEzARBgN
    VBAMTCmNbpSo6o/76yShtT7Vrlfz+mXjWyEHaIy/QLCpPebYhejHEg4
    dZgzWWT/lQt==
    -----END CERTIFICATE-----

    Combined server and CA certificates in one file:

    -----BEGIN CERTIFICATE-----
    Sample1/VQQKExNQU0EgQ29ycG9yYXRpb24gTHRkMRAwDgYDVQQLEwd
    OZXR3b3JseGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPW
    NSTERpc3RyaWJ1dGlw
    .......................................................
    .......................................................
    TZImiZPyLGQBGRYDaW50MRIwEAYKCZImiZPyLGQBGRYCc2cxEzARBgN
    VBAMTCmNbpSo6o/76yShtT7Vrlfz+mXjWyEHaIy/QLCpPebYhejHEg4
    dZgzWWT/lQt==
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    Sample2/Gh0dHA6Ly9jb3JwMWRjc2cyLnNnLmludC5wc2FnbG9iYWwu
    Y29tL0NlcRaOCApwwggKYMB0GA1UdDgQWBBSqaWZzCRcpvJWOFPZ/Be
    9b+QSPyDAfBgNVHSMC
    .......................................................
    .......................................................
    Wp5Lz1ZJAOu1VHbPVdQnXnlBkx7V65niLoaT90Eqd6laliVlJHj7GBr
    iJ90uvVGuBQagggEChoG9bGRhcDovLy9DTj1jb3JwMWRjc2cyL==
    -----END CERTIFICATE-----

  6. Copy the files containing these certificates to a location on the NNMi management server. For this example, copy the files to the following location:

    • Windows: %NNM_DATA%\shared\nnm\certificates

    • UNIX: $NNM_DATA/shared/nnm/certificates

Use the certificates you generated in the previous steps to replace the self-signed certificate:

  1. Change to the directory on the NNMi management server that contains the nnm.keystore and nnm.truststore files:

    • Windows: %NNM_DATA%\shared\nnm\certificates

    • UNIX: $NNM_DATA/shared/nnm/certificates

  2. Execute the following command to import the server certificate and the CA certificate into the NNMi nnm.keystore file:

    Windows:

    %NnmInstallDir%\nonOV\jdk\nnm\bin\keytool.exe \
    -importcert -trustcacerts -keystore nnm.keystore \
    -storepass nnmkeypass -alias myserver.mydomain \
    -file myserver.crt

    UNIX:

    $NnmInstallDir/nonOV/jdk/nnm/bin/keytool \
    -importcert -trustcacerts -keystore nnm.keystore \
    -storepass nnmkeypass -alias myserver.mydomain \
    -file myserver.crt

    Legend:

    A backslash (\) at the end of a line specifies that the line continues.

    Reference note

    If you use the -storepass option and provide the password, the keystore program does not prompt you for the keystore password. If you do not use the -storepass option, enter nnmkeypass when prompted for the keystore password.

  3. When prompted to trust the certificate, enter y.

    Example output for importing a certificate into the keystore

    This command's output format is as follows:

    Owner: CN=NNMi_server.example.com
    Issuer: CN=NNMi_server.example.com
    Serial number: 494440748e5
    Valid from: Tue Oct 28 10:16:21 MST 2008 until: Thu Oct 04 11:16:21 MDT 2108
    Certificate fingerprints:
    MD5: 29:02:D7:D7:D7:D7:29:02:29:02:29:02:29:02:29:02
    SHA1: C4:03:7E:C4:03:7E:C4:03:7E:C4:03:7E:C4:03:7E:C4:03
    Trust this certificate? [no]: y
    Certificate was added to keystore

  4. Execute the following commands to import the CA certificate into the NNMi nnm.truststore file:

    Windows:

    %NnmInstallDir%\nonOV\jdk\nnm\bin\keytool.exe -import \
    -alias myca -keystore nnm.truststore -file myca.crt

    UNIX:

    $NnmInstallDir/nonOV/jdk/nnm/bin/keytool -import \
    -alias myca -keystore nnm.truststore -file myca.crt

    Legend:

    A backslash (\) at the end of a line specifies that the line continues.

  5. When prompted for the truststore password, enter ovpass.

  6. Check the contents of truststore:

    Windows:

    %NnmInstallDir%\nonOV\jdk\nnm\bin\keytool.exe -list \
    -keystore nnm.truststore

    UNIX:

    $NnmInstallDir/nonOV/jdk/nnm/bin/keytool -list \
    -keystore nnm.truststore

    Legend:

    A backslash (\) at the end of a line specifies that the line continues.

    When prompted for the truststore password, enter ovpass.

    Example truststore output

    The truststore output format is as follows. The truststore can include multiple certificates:

    Keystore type: jks
    Keystore provider: SUN
    Your keystore contains 1 entry
    nnmi_ldap, Nov 14, 2008, trustedCertEntry,
    Certificate fingerprint (MD5):
    29:02:D7:D7:D7:D7:29:02:29:02:29:02:29:02:29:02

  7. Assume that the myca.crt file contains the following two certificate entries:

    -----BEGIN CERTIFICATE-----
    IntermediateCert/lots of content
                :
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    RootCAcert/lots of content
                :
    -----END CERTIFICATE-----

    The first certificate was imported to the nnm.truststore file in steps 4 through 6. To import other certificates, import them one at a time to the nnm.truststore file.

    In this example, you would do the following to import the second and subsequent certificates:

    a. Copy the second certificate entry from myca.crt to a new file, rootCA.crt.

    The truststore can contain multiple certificates. In steps 4 through 6, only the first certificate is imported from the myca.crt file. If the myca.crt file contains multiple certificates (that is, multiple BEGIN CERTIFICATE / END CERTIFICATE blocks), each of those certificates must also be imported into the nnm.truststore file.

    b. Import the second certificate separately into the nnm.truststore file.

    • Windows

      %NnmInstallDir%\nonOV\jdk\nnm\bin\keytool.exe -import -alias \
      myrootca -keystore nnm.truststore -file rootCA.crt

    • UNIX

      $NnmInstallDir/nonOV/jdk/nnm/bin/keytool -import -alias \
      myrootca -keystore nnm.truststore -file rootCA.crt

    Legend:

    A backslash (\) at the end of a line specifies that the line continues.

    c. Repeat steps a and b for each additional certificate to be imported into the nnm.truststore file.
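    Step 5 of the CA procedure and step 7 above both have you cut individual BEGIN CERTIFICATE / END CERTIFICATE blocks out of a bundle by hand (the CA certificate out of myserver.crt into myca.crt, then the second entry of myca.crt into rootCA.crt). The following Python script, added here as an example and not part of the JP1/NNMi product or this manual, does that splitting mechanically: the first block is written as the server certificate and every following block as its own CA file, and each block's SHA1 fingerprint is reported in the colon-separated form that keytool prints, so it can be compared with the fingerprint shown at import time (step 3) and in the truststore listing (step 6). The output file names, the function names and the sample bundle are assumptions; the base64 payloads in the sample are arbitrary constructed bytes, not real certificates, which is enough to exercise the splitting and fingerprinting logic.

```python
import base64
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed sample bundle (not real certificates): three PEM blocks in the
# order a CA typically returns them, server certificate first, then CAs.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
c2VydmVyLWNlcnQtc2FtcGxlLWJ5dGVz
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
aW50ZXJtZWRpYXRlLWNhLXNhbXBsZS1ieXRlcw==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
cm9vdC1jYS1zYW1wbGUtYnl0ZXM=
-----END CERTIFICATE-----
"""

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem_bundle(text):
    """Return every certificate block in the bundle, in order, as normalized PEM."""
    blocks = []
    for body in PEM_BLOCK.findall(text):
        b64 = "".join(body.split())
        # validate=True rejects a truncated or hand-edited block (non-base64
        # characters, wrong length) before anything is written to disk.
        base64.b64decode(b64, validate=True)
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        blocks.append(
            "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"
        )
    return blocks


def fingerprint(pem_block, algorithm="sha1"):
    """Digest of the DER bytes (the decoded PEM body), formatted like keytool's
    'Certificate fingerprint' line: uppercase hex pairs separated by colons."""
    body = PEM_BLOCK.search(pem_block).group(1)
    der = base64.b64decode("".join(body.split()), validate=True)
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def write_split_files(bundle_text, out_dir, server_name="myserver.crt", ca_prefix="ca"):
    """Write the first block as the server certificate and each remaining block
    as its own CA file (ca1.crt, ca2.crt, ...); return {file name: fingerprint}.
    The file naming is an assumption for this example, not a product convention."""
    blocks = split_pem_bundle(bundle_text)
    if not blocks:
        raise ValueError("no PEM certificate blocks found in the bundle")
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    names = [server_name] + [f"{ca_prefix}{i}.crt" for i in range(1, len(blocks))]
    written = {}
    for name, block in zip(names, blocks):
        (out / name).write_text(block)
        written[name] = fingerprint(block)
    return written


def demo():
    """Split SAMPLE_BUNDLE into a temporary directory, verify each written file
    round-trips to a single block with the same fingerprint, and return the map."""
    with tempfile.TemporaryDirectory() as tmp:
        written = write_split_files(SAMPLE_BUNDLE, tmp)
        for name, fp in written.items():
            reread = split_pem_bundle(Path(tmp, name).read_text())
            if len(reread) != 1 or fingerprint(reread[0]) != fp:
                raise RuntimeError(f"round-trip mismatch for {name}")
        return written


if __name__ == "__main__":
    for name, fp in demo().items():
        print(f"{name}: SHA1 {fp}")
```

    Run the script against a real bundle by passing its text to write_split_files with the certificates directory from step 6 as out_dir; the file named by server_name is then the -file argument for the nnm.keystore import and each ca*.crt is imported into nnm.truststore under its own alias. Comparing the reported fingerprint with the one keytool prints at import time confirms that the file being trusted is the one the CA actually issued and not a stray block from the wrong bundle.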

  8. Edit the following file:

    • Windows: %NNM_CONF%\nnm\props\nms-local.properties

    • UNIX: $NNM_CONF/nnm/props/nms-local.properties

  9. Update the com.hp.ov.nms.ssl.KEY_ALIAS variable to the value you used for myserver.mydomain.

    Make sure to save your work.

  10. Execute the following commands to restart NNMi:

    a. ovstop

    b. ovstart

  11. Test HTTPS access to the NNMi console using the syntax https://fully-qualified-domain-name:port-number/nnm/.

    If the browser trusts the CA, it will trust the HTTPS connection to the NNMi console.