Hitachi

JP1 Version 12 JP1/Network Node Manager i Setup Guide


10.1 About NNMi Certificates

Caution

NNMi 11-50 and later versions introduce a Public Key Cryptography Standards (PKCS) #12 repository to store certificates. The PKCS #12 file-based certificate management technique is available as soon as you install a new instance of NNMi 11-50 or later on a system. Environments upgraded from an older version of NNMi continue to use a JKS (Java KeyStore) repository to store certificates.

In upgraded environments, you can migrate to the PKCS #12 repository by using the steps in 10.2 Configuring an Upgraded NNMi Environment to Use the New Keystore.

This section describes useful terminology to help you work with certificates.

Table 10‒1:  Certificate Terminology (each concept is followed by its description)

Keystore and Truststore

Truststore: the NNMi truststore is the file in which you store the public key certificates of sources that you want NNMi to trust.

In a newly installed instance of NNMi 11-50 or later, the truststore file is named nnm-trust.p12.

Caution

On a management server where NNMi was upgraded to 11-50 or later from an older version, the truststore file is still named nnm.truststore. You can, however, perform the additional steps described in 10.2 Configuring an Upgraded NNMi Environment to Use the New Keystore to migrate the nnm.truststore file to the nnm-trust.p12 file.

Keystore: the NNMi keystore is the file into which you import the NNMi server's private key and the certificate that belongs to it.

In a newly installed instance of NNMi 11-50 or later, the keystore file is named nnm-key.p12.

Caution

On a management server where NNMi was upgraded to 11-50 or later from an older version, the keystore file is still named nnm.keystore. You can, however, perform the additional steps described in 10.2 Configuring an Upgraded NNMi Environment to Use the New Keystore to migrate the nnm.keystore file to the nnm-key.p12 file.

These files are located at:

  • Windows: %NNM_DATA%\shared\nnm\certificates\

  • Linux: $NNM_DATA/shared/nnm/certificates/

Default NNMi certificates

NNMi is installed with a self-signed certificate generated using default properties. You can replace the default certificate with another self-signed or CA-signed certificate.

Tools

Certificates are generated and managed using the nnmkeytool.ovpl utility (a wrapper around Java's keytool utility). Additionally, NNMi provides the nnmmergecert.ovpl utility to merge certificates so that trust is established between NNMi systems; it is used in HA, failover, and Global Network Management setups.

Supported encryption algorithms

NNMi accepts only certificates whose key pairs were generated with the RSA algorithm. DSA keys are not supported.

Self-Signed Certificate

A self-signed certificate is typically used to establish secure communication between your server and a known group of clients. NNMi installs with a self-signed certificate generated using default properties.

Note: When an NNMi instance is configured to use a self-signed certificate, users see a browser certificate warning when they access the NNMi web console, because the certificate was not issued by a CA the browser trusts.

CA-Signed Certificate

The signed server certificate that you receive in response to a Certificate Signing Request (CSR) contains the CA-signed NNMi certificate and one or more CA certificates (when there is more than one CA certificate, the set is also known as the certificate chain).

Note: These certificates might be delivered in a single file or in two separate files.

Root CA Certificate

Identifies the certificate authority that is trusted to sign certificates for servers and users.

Intermediate CA Certificate

A certificate signed by either a root or intermediate CA that is itself an authority, rather than a server or user.

Note: The list of certificates from the NNMi server certificate to the root CA certificate, including any intermediate CA certificates, is known as the certificate chain.
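As an added illustration, not part of this guide and not output of nnmkeytool.ovpl, the following POSIX shell script uses OpenSSL to build the objects the terms above describe: a root CA, an intermediate CA and a server certificate; the CA's reply assembled as a single chain file (the "one file or two files" note); a keystore-style PKCS #12 holding the private key with its chain and a truststore-style PKCS #12 holding only the trusted root; a verification of the chain from the server certificate up to the root; and the RSA-versus-DSA check from "Supported encryption algorithms". Every name in it is constructed for the example: the subjects, nnmi.example.com, the alias nnmi, the passphrase changeit and the files under a temporary directory.

```shell
#!/bin/sh
# Added example, not part of the JP1/NNMi guide: build a throw-away
# root -> intermediate -> server chain with OpenSSL, package it the way a
# PKCS#12 keystore (private key + chain) and truststore (trusted CA only)
# hold it, verify the chain, and apply NNMi's "RSA only" rule.
# Everything here is constructed for the demo: the subject names,
# nnmi.example.com, the alias "nnmi", the passphrase "changeit" and all
# files under $WORK. None of it comes from nnmkeytool.ovpl.
set -u

# Number of PEM certificates in a file (a chain file holds more than one).
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Number of certificates inside a PKCS#12 file (private keys are not listed).
count_p12_certs() {
    openssl pkcs12 -in "$1" -passin pass:changeit -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Public key algorithm of an X.509 certificate, e.g. rsaEncryption or dsaEncryption.
key_algorithm() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: //p' | head -n 1
}

# NNMi accepts RSA certificates only; DSA is not supported.
nnmi_supports_cert() { [ "$(key_algorithm "$1")" = "rsaEncryption" ]; }

# Verify the server certificate up to the root, supplying the intermediate the
# way a client receives it: untrusted, from the chain, with only the root trusted.
verify_chain() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$1/server.crt" >/dev/null 2>&1
}

build_pki() {
    dir=$1
    cfg=$dir/openssl.cnf
    cat > "$cfg" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:nnmi.example.com
EOF
    # Root CA: self-signed, marked CA:TRUE.
    openssl req -x509 -config "$cfg" -extensions ca_ext -subj "/CN=Example Root CA" \
        -newkey rsa:2048 -nodes -keyout "$dir/root.key" -out "$dir/root.crt" -days 365 2>/dev/null
    # Intermediate CA: its own key and CSR, signed by the root, also CA:TRUE.
    openssl req -new -config "$cfg" -subj "/CN=Example Intermediate CA" \
        -newkey rsa:2048 -nodes -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$cfg" -extensions ca_ext -days 365 -out "$dir/int.crt" 2>/dev/null
    # Server: the management server's RSA key and CSR, signed by the intermediate.
    openssl req -new -config "$cfg" -subj "/CN=nnmi.example.com" \
        -newkey rsa:2048 -nodes -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" -CAcreateserial \
        -extfile "$cfg" -extensions server_ext -days 365 -out "$dir/server.crt" 2>/dev/null
    # The CA's reply as a single file: server certificate first, then the intermediate.
    cat "$dir/server.crt" "$dir/int.crt" > "$dir/chain.pem"
    # Keystore-style PKCS#12: private key plus its certificate chain under one alias.
    openssl pkcs12 -export -name nnmi -inkey "$dir/server.key" -in "$dir/server.crt" \
        -certfile "$dir/int.crt" -passout pass:changeit -out "$dir/key.p12"
    # Truststore-style PKCS#12: only the trusted root certificate, no private key.
    openssl pkcs12 -export -nokeys -in "$dir/root.crt" -passout pass:changeit -out "$dir/trust.p12"
    # A DSA-keyed certificate, to show what the RSA-only rule rejects.
    openssl dsaparam -out "$dir/dsa.params" 1024 2>/dev/null
    openssl gendsa -out "$dir/dsa.key" "$dir/dsa.params" 2>/dev/null
    openssl req -new -config "$cfg" -key "$dir/dsa.key" -subj "/CN=dsa-test" -out "$dir/dsa.csr" 2>/dev/null
    openssl x509 -req -in "$dir/dsa.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$cfg" -extensions server_ext -days 365 -out "$dir/dsa.crt" 2>/dev/null
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
build_pki "$WORK"
echo "certificates in chain.pem: $(count_certs "$WORK/chain.pem")"     # 2
echo "certificates in key.p12:   $(count_p12_certs "$WORK/key.p12")"   # 2
echo "certificates in trust.p12: $(count_p12_certs "$WORK/trust.p12")" # 1
verify_chain "$WORK" && echo "server.crt chains to root.crt: OK"
for c in server.crt dsa.crt; do
    if nnmi_supports_cert "$WORK/$c"; then
        echo "$c: $(key_algorithm "$WORK/$c") - usable with NNMi"
    else
        echo "$c: $(key_algorithm "$WORK/$c") - rejected, NNMi requires RSA"
    fi
done
```

On a real management server you work with nnm-key.p12 and nnm-trust.p12 through nnmkeytool.ovpl rather than raw openssl; the script only makes the contents of those two kinds of file visible. Note the order in chain.pem: the server certificate comes first and each issuer follows, because a verifier starts from the leaf and needs every intermediate until it reaches a root it already trusts. A reply delivered as two files (server certificate and CA bundle) carries the same certificates and must be assembled in the same order before import.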