10.1 About NNMi Certificates
Caution: NNMi 11-50 and later versions introduce a Public Key Cryptography Standards (PKCS) #12 repository to store certificates. The PKCS #12 file-based certificate management technique is available for use as soon as you install a new instance of NNMi 11-50 or later on a system. Environments upgraded from an older version of NNMi continue to use a JKS repository to store certificates.
In upgraded environments, you can migrate to the PKCS #12 repository by using the steps in 10.2 Configuring an Upgraded NNMi Environment to Use the New Keystore.
This section describes useful terminology to help you work with certificates.
Concept | Description
---|---
Keystore and Truststore | Truststore: the NNMi truststore is the file in which you store public keys from sources that you want NNMi to trust. In a newly installed instance of NNMi 11-50 or later, the truststore file is named nnm-trust.p12.<br>Keystore: the NNMi keystore is the file into which you import the NNMi server's private key. In a newly installed instance of NNMi 11-50 or later, the keystore file is named nnm-key.p12.<br>These files are located at:
Default NNMi certificates | NNMi is installed with a self-signed certificate generated using default properties. You can replace the default certificate with another self-signed or CA-signed certificate.
Tools | Certificates are generated and managed using the nnmkeytool.ovpl utility (which uses Java's keytool utility). Additionally, NNMi provides the nnmmergecert.ovpl utility to merge certificates in order to establish trust between NNMi systems. This program is used in HA, Failover, and Global Network Management setups.
Supported encryption algorithms | NNMi accepts certificates generated using the RSA algorithm. The DSA algorithm is not supported.
Self-Signed Certificate | A self-signed certificate is typically used for establishing secure communication between your server and a known group of clients. NNMi installs with a self-signed certificate generated using default properties. Note: NNMi instances configured to use a self-signed certificate display a warning message when users try to access the NNMi web console in a web browser.
CA-Signed Certificate | The signed server certificate that you receive in response to the Certificate Signing Request contains the CA-signed NNMi certificate and one or more CA certificates (if there is more than one CA certificate, this is also known as the certificate chain). Note: These certificates might be in a single file or in two separate files.
Root CA Certificate | Identifies the certificate authority that is trusted to sign certificates for servers and users.
Intermediate CA Certificate | A certificate signed by either a root or intermediate CA that is itself an authority, rather than a server or user. Note: The list of certificates from the NNMi server certificate to the root CA certificate, including any intermediate CA certificates, is known as the certificate chain.
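As an added example (not part of the NNMi documentation or its tools), the following Python script, which uses the third-party cryptography package, builds a constructed PKCS #12 keystore shaped like nnm-key.p12 and then checks the two properties the table above describes: that the private key is RSA rather than DSA, and that the certificate chain links from the server certificate up to a self-signed root CA. The CA name, hostname, alias and password are assumptions made up for the example.

```python
# Added example: inspect a PKCS #12 keystore the way NNMi 11-50+ expects it.
# Uses the third-party "cryptography" package. The root CA, hostname, alias
# and password below are constructed for the example, not NNMi defaults.
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID


def _cert(subject, issuer, pubkey, signer_key, is_ca):
    """Build a one-year X.509 certificate; signer_key belongs to `issuer`."""
    start = dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(pubkey)
            .serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(start + dt.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer_key, hashes.SHA256()))


def build_keystore(password: bytes) -> bytes:
    """Constructed sample keystore: RSA server key + cert signed by a root CA."""
    root_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Root CA")])
    srv_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "nnmi.example.test")])
    root_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    srv_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    root_cert = _cert(root_name, root_name, root_key.public_key(), root_key, True)
    srv_cert = _cert(srv_name, root_name, srv_key.public_key(), root_key, False)
    # Alias, private key, server certificate and CA chain, as in nnm-key.p12.
    return pkcs12.serialize_key_and_certificates(
        b"nnmi-server", srv_key, srv_cert, [root_cert],
        serialization.BestAvailableEncryption(password))


def inspect_keystore(p12_bytes: bytes, password: bytes) -> dict:
    """Report the properties NNMi cares about: RSA key and an unbroken chain."""
    key, leaf, extras = pkcs12.load_key_and_certificates(p12_bytes, password)
    chain = [leaf] + list(extras)  # server certificate first, root CA last
    # Each certificate's issuer must be the subject of the next one up,
    # and the chain must end in a self-signed root CA certificate.
    links_ok = all(chain[i].issuer == chain[i + 1].subject
                   for i in range(len(chain) - 1))
    root_self_signed = chain[-1].issuer == chain[-1].subject
    cn = leaf.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    return {"key_is_rsa": isinstance(key, rsa.RSAPrivateKey),  # a DSA key fails here
            "chain_length": len(chain),
            "chain_ok": links_ok and root_self_signed,
            "server_cn": cn}
```

Run `inspect_keystore(open("nnm-key.p12", "rb").read(), password)` against a real keystore to apply the same checks; a missing intermediate CA shows up as `chain_ok` being False.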