10.4.3 Generating a CA-Signed Certificate
To obtain and install a CA-signed certificate, follow these steps:

1. Generate a self-signed certificate. For details, see 10.4.2 Generating a Self-Signed Certificate.

2. Run the following command to create a CSR (Certificate Signing Request) file:

   Windows:
   %jdkdir%\bin\keytool.exe -keystore nnm.keystore -certreq -storepass nnmkeypass -alias <alias_name> -file CERTREQFILE

   Linux:
   $jdkdir/bin/keytool -keystore nnm.keystore -certreq -storepass nnmkeypass -alias <alias_name> -file CERTREQFILE

   Note: For more information about the keytool command, search for Key and Certificate Management Tool on the Oracle homepage.

3. Send the CSR to your CA signing authority, which signs it and returns the certificate files. For information on the different types of CA certificates, see (1) Types of CA-Signed Certificates.

4. Copy the files containing these certificates to a location on the NNMi management server. For this example, copy the files to the following location:

   Windows: %NnmDataDir%shared\nnm\certificates
   Linux: $NnmDataDir/shared/nnm/certificates

5. Change to the directory on the NNMi management server that contains the nnm.keystore and nnm.truststore files:

   Windows: %NnmDataDir%shared\nnm\certificates
   Linux: $NnmDataDir/shared/nnm/certificates

6. Run the following command to import the certificate into the nnm.keystore file:

   Windows:
   %jdkdir%\bin\keytool.exe -importcert -trustcacerts -keystore nnm.keystore -storepass nnmkeypass -alias <alias_name> -file <myserver.crt>

   Linux:
   $jdkdir/bin/keytool -importcert -trustcacerts -keystore nnm.keystore -storepass nnmkeypass -alias <alias_name> -file <myserver.crt>

   Note: In the above command, <myserver.crt> is the full path of the file in which you stored the signed server certificate, and <alias_name> is the alias you provided when generating the certificate.
   If you use the -storepass option and provide the password, keytool does not prompt you for the keystore password. If you do not use the -storepass option, enter nnmkeypass when prompted for the keystore password.

   When prompted to trust the certificate, enter: y

   Example output for importing a certificate into the keystore

   The output from the command is of the form:

   Owner: CN=NNMi_server.example.com
   Issuer: CN=NNMi_server.example.com
   Serial number: 494440748e5
   Valid from: Tue Oct 28 10:16:21 MST 2008 until: Thu Oct 04 11:16:21 MDT 2108
   Certificate fingerprints:
        MD5:  29:02:D7:D7:D7:D7:29:02:29:02:29:02:29:02:29:02
        SHA1: C4:03:7E:C4:03:7E:C4:03:7E:C4:03:7E:C4:03:7E:C4:03
   Trust this certificate? [no]: y
   Certificate was added to keystore

7. Run the following command to import the CA certificate into the nnm.truststore file:

   Windows:
   %jdkdir%\bin\keytool.exe -import -alias <alias_name> -keystore nnm.truststore -file <myca.crt>

   Linux:
   $jdkdir/bin/keytool -import -alias <alias_name> -keystore nnm.truststore -file <myca.crt>

   Note: In the above command, <myca.crt> is the full path of the file in which you stored the root CA certificate, and <alias_name> is the alias you provided when generating the certificate.
   If you use the -storepass option and provide the password, keytool does not prompt you for the truststore password. If you do not use the -storepass option, enter ovpass when prompted for the truststore password.

   When prompted for the truststore password, enter: ovpass

8. Examine the contents of the truststore:

   Windows:
   %jdkdir%\bin\keytool.exe -list -keystore nnm.truststore

   Linux:
   $jdkdir/bin/keytool -list -keystore nnm.truststore

   When prompted for the truststore password, enter: ovpass

   Example truststore output

   The truststore output is of the form:

   Keystore type: jks
   Keystore provider: SUN

   Your keystore contains 1 entry

   nnmi_ldap, Nov 14, 2008, trustedCertEntry,
   Certificate fingerprint (MD5): 29:02:D7:D7:D7:D7:29:02:29:02:29:02:29:02:29:02
Tip: The truststore can include multiple certificates.

(1) Types of CA-Signed Certificates
Note: If your CA returns the certificates in forms other than those described below, contact the CA provider for instructions about obtaining the certificate chain and the root CA certificate. NNMi supports only PEM (Privacy Enhanced Mail) format certificates, so request PEM format certificates from your CA.
The Certificate Authority (CA) should provide you with one of the following:

- A signed server certificate file containing the server certificate (the NNMi certificate that is CA signed) and one or more CA certificates. This section refers to the signed server certificate as myserver.crt.

  A CA certificate can be either of the following:

  - Root CA Certificate: identifies the authority that is trusted to sign certificates for servers and users.
  - Intermediate CA Certificate: a certificate signed by either a root or an intermediate CA that is itself an authority, rather than a server or user.

  Note: The list of certificates from the NNMi server certificate to the root CA certificate, including any intermediate CA certificates, is known as the certificate chain.

- A signed server certificate and a separate file containing one or more CA certificates. This section refers to the signed server certificate as myserver.crt and the CA certificates as myca.crt. The myserver.crt file should contain either a single server certificate or a certificate chain, but NOT the root CA certificate, which belongs in the myca.crt file.

To configure NNMi with the new certificate, you must import the certificate chain into the nnm.keystore and the root CA certificate into the nnm.truststore. Use the myserver.crt file when importing the server certificate into the nnm.keystore file and the myca.crt file when importing the CA certificate into the nnm.truststore file.
When provided with one file that contains the full certificate chain, copy the root CA certificate from that file into the myca.crt file. Import myca.crt into the nnm.truststore so that NNMi trusts the CA that issued the certificate.

When provided with two files, append the content of myca.crt to the end of myserver.crt if myserver.crt does not already include it, and remove any intermediate certificates from myca.crt if it contains any. The result should be one file, myserver.crt, containing the full certificate chain, and one file, myca.crt, containing only the root CA certificate.
Note: When using a CA, only the root CA certificate is generally added to the nnm.truststore. Adding intermediate CA or server certificates to the nnm.truststore causes those certificates to be explicitly trusted and not checked for additional information, such as revocation. Only add additional certificates to the nnm.truststore if your CA requires it.
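As an added example (not part of the NNMi documentation), the following POSIX shell script performs the file preparation described above: it splits a combined PEM bundle into myserver.crt (the chain) and myca.crt (the root only), then checks, before anything is imported with keytool, that myca.crt is self-signed and that the server certificate verifies against it through the intermediates. The openssl CLI is assumed to be available for the check; the bundle in the script is a constructed placeholder, and the function names are the example's own.

```shell
# make_sample_bundle FILE: writes a constructed three-certificate PEM bundle (server,
# intermediate CA, root CA) to FILE. Bodies are placeholders, not real certificates.
make_sample_bundle() {
  cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
SAMPLE-SERVER-CERT-PLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
SAMPLE-INTERMEDIATE-CA-PLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
SAMPLE-ROOT-CA-PLACEHOLDER
-----END CERTIFICATE-----
EOF
}
# count_certs FILE: number of PEM certificate blocks in FILE (0 if FILE is missing).
count_certs() {
  if [ -f "$1" ]; then grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true; else echo 0; fi
}
# split_chain BUNDLE OUTDIR: last certificate -> OUTDIR/myca.crt, the rest -> OUTDIR/myserver.crt.
# Assumes the bundle is ordered server -> intermediates -> root (the chain order the text describes).
split_chain() {
  bundle=$1; out=$2
  total=$(count_certs "$bundle")
  if [ "$total" -lt 2 ]; then
    echo "split_chain: $bundle holds $total certificate(s); a combined bundle needs at least 2" >&2
    return 1
  fi
  mkdir -p "$out"
  awk -v total="$total" -v out="$out" '
    /^-----BEGIN CERTIFICATE-----/ { n++ }
    n > 0 && n < total { print > (out "/myserver.crt") }
    n == total         { print > (out "/myca.crt") }
  ' "$bundle"
}
# verify_chain OUTDIR: before importing, check that myca.crt is self-signed (subject equals issuer,
# so it really is the root) and that the server cert chains to it via myserver.crt. Needs openssl (assumed).
verify_chain() {
  out=$1
  subj=$(openssl x509 -in "$out/myca.crt" -noout -subject)
  iss=$(openssl x509 -in "$out/myca.crt" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ] || { echo "myca.crt is not self-signed; it is not the root CA" >&2; return 1; }
  openssl verify -CAfile "$out/myca.crt" -untrusted "$out/myserver.crt" "$out/myserver.crt"
}
# Stand-alone demo on the constructed bundle; verify_chain is skipped since placeholders are not parseable.
demo=$(mktemp -d)
make_sample_bundle "$demo/bundle.crt"
split_chain "$demo/bundle.crt" "$demo"
echo "myserver.crt: $(count_certs "$demo/myserver.crt") cert(s); myca.crt: $(count_certs "$demo/myca.crt") cert(s)"
```

On a real CA bundle, run verify_chain on the output directory first; the resulting myserver.crt and myca.crt are the files passed to the keystore and truststore imports in steps 6 and 7.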
The following examples show what the files received from a CA signing authority might look like:

Separate server and CA certificate files:

-----BEGIN CERTIFICATE-----
Sample/AVQQKExNQU0EgQ29ycG9yYXRpb24gTHRkMRAwDgYDVQQLEwdOZXR3b3JseGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlw
................................................................
................................................................
TZImiZPyLGQBGRYDaW50MRIwEAYKCZImiZPyLGQBGRYCc2cxEzARBgNVBAMTCmNbpSo6o/76yShtT7Vrlfz+mXjWyEHaIy/QLCpPebYhejHEg4dZgzWWT/lQt==
-----END CERTIFICATE-----

Combined server and CA certificates in one file:

-----BEGIN CERTIFICATE-----
Sample1/VQQKExNQU0EgQ29ycG9yYXRpb24gTHRkMRAwDgYDVQQLEwdOZXR3b3JseGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlw
................................................................
................................................................
TZImiZPyLGQBGRYDaW50MRIwEAYKCZImiZPyLGQBGRYCc2cxEzARBgNVBAMTCmNbpSo6o/76yShtT7Vrlfz+mXjWyEHaIy/QLCpPebYhejHEg4dZgzWWT/lQt==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Sample2/Gh0dHA6Ly9jb3JwMWRjc2cyLnNnLmludC5wc2FnbG9iYWwuY29tL0NlcRaOCApwwggKYMB0GA1UdDgQWBBSqaWZzCRcpvJWOFPZ/Be9b+QSPyDAfBgNVHSMC
................................................................
................................................................
Wp5Lz1ZJAOu1VHbPVdQnXnlBkx7V65niLoaT90Eqd6laliVlJHj7GBriJ90uvVGuBQagggEChoG9bGRhcDovLy9DTj1jb3JwMWRjc2cyL==
-----END CERTIFICATE-----