10.3.2 Generating a CA-Signed Certificate
- Caution
NNMi 11-50 and later versions introduce a Public Key Cryptography Standards (PKCS) #12 repository for storing certificates. The PKCS #12 file-based certificate management technique is available as soon as you install a new instance of NNMi 11-50 or later on a system. Environments upgraded from an older version of NNMi continue to use a JKS repository to store certificates.
In upgraded environments, you can migrate to the PKCS #12 repository by using the steps in 10.2 Configuring an Upgraded NNMi Environment to Use the New Keystore.
To obtain and install a CA-signed certificate, follow these steps:
1. Generate a self-signed certificate. For details, see 10.3.1 Generating a Self-Signed Certificate.
2. Run the following command to create a CSR (Certificate Signing Request) file:
Windows:
%NnmInstallDir%bin\nnmkeytool.ovpl -keystore nnm-key.p12 -certreq -storetype PKCS12 -storepass nnmkeypass -alias <alias_name> -file CERTREQFILE
Linux:
$NnmInstallDir/bin/nnmkeytool.ovpl -keystore nnm-key.p12 -certreq -storetype PKCS12 -storepass nnmkeypass -alias <alias_name> -file CERTREQFILE
- Note
In the command above, <alias_name> is the alias you provided when generating the self-signed certificate in step 1. It identifies the key pair whose public key the CSR carries, and the same alias is used again when the CA-signed certificate is imported.
To print the contents of CERTREQFILE and check the subject name before sending it to the CA, run the following command:
Windows:
%NnmInstallDir%bin\nnmkeytool.ovpl -printcertreq -file CERTREQFILE -storetype PKCS12
Linux:
$NnmInstallDir/bin/nnmkeytool.ovpl -printcertreq -file CERTREQFILE -storetype PKCS12
3. Send the CSR to your CA, which signs it and returns the certificate files. For information on the different forms the CA-signed certificates can take, see (1) Types of CA-Signed Certificates.
The CA returns one of the following:
- A single signed server certificate file (referred to as the myserver.crt file in this section). The single file contains the server certificate (the NNMi certificate that is CA-signed), one or more intermediate CA certificates, and the root CA certificate. All the certificates in this single file form a certificate chain.
- A set of two files: a signed server certificate file (referred to as the myserver.crt file in this section) and a separate file containing the CA certificates (referred to as the myca.crt file). The myserver.crt file contains either a single server certificate or a certificate chain, but NOT the root CA certificate, which remains in the myca.crt file.
- Note
If your CA returns the certificates in another form, contact the CA for information about how to obtain the separate certificate chain and root CA certificate. NNMi supports certificates in PEM (Privacy Enhanced Mail) format only, so request PEM format certificates: text files with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers, as in the examples at the end of this section.
4. Prepare the certificate files.
The certificate chain must be imported into the keystore file and the root CA certificate into the truststore file.
- If you received a single file in step 3: copy the root CA certificate (normally the last certificate in the file) from that file into a separate myca.crt file. Leave myserver.crt as it is; it already contains the full chain.
- If you received a set of two files in step 3: add the myca.crt content (the root CA certificate) to the end of the myserver.crt file, and remove any intermediate certificates from myca.crt if it contains any. This results in one file, myserver.crt, containing the full certificate chain, and one file, myca.crt, containing only the root CA certificate.
5. Copy the files containing these certificates to a location on the NNMi management server. In this example, copy the files to the following location:
Windows: %NnmDataDir%shared\nnm\certificates
Linux: $NnmDataDir/shared/nnm/certificates
6. Change to the directory on the NNMi management server that contains the keystore and truststore files:
Windows: %NnmDataDir%shared\nnm\certificates
Linux: $NnmDataDir/shared/nnm/certificates
7. Run the following command to import the CA-signed certificate chain into the keystore file:
Windows:
%NnmInstallDir%bin\nnmkeytool.ovpl -importcert -trustcacerts -keystore nnm-key.p12 -storetype PKCS12 -storepass nnmkeypass -alias <alias_name> -file <path_to_myserver.crt>
Linux:
$NnmInstallDir/bin/nnmkeytool.ovpl -importcert -trustcacerts -keystore nnm-key.p12 -storetype PKCS12 -storepass nnmkeypass -alias <alias_name> -file <path_to_myserver.crt>
- Note
In the above command:
- <path_to_myserver.crt> is the full path of the file containing the CA-signed server certificate, that is, the full chain prepared in step 4.
- <alias_name> is the alias you provided when generating the self-signed certificate in step 1. It must be the alias of that existing key pair: with a keytool-style import, a certificate imported under an alias that does not hold a key pair is stored as a separate trusted certificate entry instead of replacing the self-signed certificate of the key pair.
When prompted to trust the certificate, enter: y
Example output for importing a certificate into the keystore
The output from the command is of the form:
Owner: CN=NNMi_server.example.com
Issuer: CN=NNMi_server.example.com
Serial number: 494440748e5
Valid from: Tue Oct 28 10:16:21 MST 2008 until: Thu Oct 04 11:16:21 MDT 2108
Certificate fingerprints:
MD5: 29:02:D7:D7:D7:D7:29:02:29:02:29:02:29:02:29:02
SHA1: C4:03:7E:C4:03:7E:C4:03:7E:C4:03:7E:C4:03:7E:C4:03
Trust this certificate? [no]: y
Certificate was added to keystore
In this sample the Owner and Issuer are identical, which is what a self-signed certificate looks like; for a CA-signed server certificate the Issuer is your issuing CA. To confirm the import, list nnm-key.p12 with the -list command shown in step 9 (using -storepass nnmkeypass, and keytool's -v option for full details) and verify that the entry for <alias_name> is a PrivateKeyEntry whose certificate chain now ends at your root CA.
8. Run the following command to import the root CA certificate into the truststore file:
Windows:
%NnmInstallDir%bin\nnmkeytool.ovpl -import -alias <alias_name> -storetype PKCS12 -keystore nnm-trust.p12 -file <path_to_myca.crt> -storepass ovpass
Linux:
$NnmInstallDir/bin/nnmkeytool.ovpl -import -alias <alias_name> -storetype PKCS12 -keystore nnm-trust.p12 -file <path_to_myca.crt> -storepass ovpass
- Note
In the above command:
- <path_to_myca.crt> is the full path of the file containing only the root CA certificate (myca.crt from step 4).
- <alias_name> is the alias under which the root CA certificate is stored in nnm-trust.p12. You can reuse the alias you provided when generating the certificate; any alias works as long as it is unique within the truststore (the example output in step 9 shows an entry named nnmi_ldap).
9. Examine the contents of the truststore:
Windows:
%NnmInstallDir%bin\nnmkeytool.ovpl -list -keystore nnm-trust.p12 -storetype PKCS12 -storepass ovpass
Linux:
$NnmInstallDir/bin/nnmkeytool.ovpl -list -keystore nnm-trust.p12 -storetype PKCS12 -storepass ovpass
Example truststore output
The truststore output is of the form:
Keystore type: PKCS12
Keystore provider: BCFIPS
Your keystore contains 1 entry
nnmi_ldap, Nov 14, 2008, trustedCertEntry,
Certificate fingerprint (MD5): 29:02:D7:D7:D7:D7:29:02:29:02:29:02:29:02:29:02
- Tip
The truststore can include multiple certificates. Confirm that the new entry is a trustedCertEntry and that its fingerprint is that of the root CA certificate in myca.crt; if the fingerprint belongs to the server certificate or an intermediate certificate, the wrong file was imported.
(1) Types of CA-Signed Certificates
- Note
If your CA returns the certificates in other forms, contact the CA provider for instructions about obtaining the certificate chain and the root CA certificate.
The Certificate Authority (CA) should provide you with one of the following:
- A signed server certificate file containing the server certificate (the NNMi certificate that is CA-signed) and one or more CA certificates. This section refers to the signed server certificate file as myserver.crt.
A CA certificate can be either of the following:
- Root CA certificate: identifies the authority that is trusted to sign certificates for servers and users. It is self-signed, so its issuer and subject are the same.
- Intermediate CA certificate: a certificate signed by either a root or another intermediate CA that is itself an authority, rather than a server or user.
- Note
The list of certificates from the NNMi server certificate to the root CA certificate, including any intermediate CA certificates, is known as the certificate chain.
- A signed server certificate and a separate file containing one or more CA certificates. This section refers to the signed server certificate file as myserver.crt and the CA certificate file as myca.crt. The myserver.crt file contains either a single server certificate or a certificate chain, but NOT the root CA certificate, which is in the myca.crt file.
To configure NNMi with the new certificate, you must import the certificate chain into the nnm-key.p12 file and the root CA certificate into the nnm-trust.p12 file. Use the myserver.crt file when importing the server certificate into nnm-key.p12, and the myca.crt file when importing the CA certificate into nnm-trust.p12.
When provided with one file that contains a full certificate chain, copy the root CA certificate (normally the last certificate in the file) from that file into the myca.crt file. Import myca.crt into the nnm-trust.p12 file so that NNMi trusts the CA that issued the certificate.
When provided with two files, add the myca.crt file content to the end of the myserver.crt file, if that file does not already include it, and remove any intermediate certificates from the myca.crt file, if it contains any. This should result in one file, myserver.crt, containing the full certificate chain, and one file, myca.crt, containing only the root CA certificate.
- Note
When using a CA, only the root CA certificate is normally added to the nnm-trust.p12 file. A certificate placed in nnm-trust.p12 is trusted explicitly: chain validation stops at it, so an intermediate CA or server certificate added there is accepted without further checks, such as revocation status. Only add further certificates to nnm-trust.p12 if your CA requires it.
The following examples show what the files received from a CA signing authority might look like:
Separate server and CA certificate files:
-----BEGIN CERTIFICATE-----
Sample/AVQQKExNQU0EgQ29ycG9yYXRpb24gTHRkMRAwDgYDVQQLEwdOZXR3b3JseGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlw
................................................................
................................................................
TZImiZPyLGQBGRYDaW50MRIwEAYKCZImiZPyLGQBGRYCc2cxEzARBgNVBAMTCmNbpSo6o/76yShtT7Vrlfz+mXjWyEHaIy/QLCpPebYhejHEg4dZgzWWT/lQt==
-----END CERTIFICATE-----
Combined server and CA certificates in one file:
-----BEGIN CERTIFICATE-----
Sample1/VQQKExNQU0EgQ29ycG9yYXRpb24gTHRkMRAwDgYDVQQLEwdOZXR3b3JseGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlw
................................................................
................................................................
TZImiZPyLGQBGRYDaW50MRIwEAYKCZImiZPyLGQBGRYCc2cxEzARBgNVBAMTCmNbpSo6o/76yShtT7Vrlfz+mXjWyEHaIy/QLCpPebYhejHEg4dZgzWWT/lQt==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Sample2/Gh0dHA6Ly9jb3JwMWRjc2cyLnNnLmludC5wc2FnbG9iYWwuY29tL0NlcRaOCApwwggKYMB0GA1UdDgQWBBSqaWZzCRcpvJWOFPZ/Be9b+QSPyDAfBgNVHSMC
................................................................
................................................................
Wp5Lz1ZJAOu1VHbPVdQnXnlBkx7V65niLoaT90Eqd6laliVlJHj7GBriJ90uvVGuBQagggEChoG9bGRhcDovLy9DTj1jb3JwMWRjc2cyL==
-----END CERTIFICATE-----
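Preparing myserver.crt and myca.crt by hand (step 4 of the procedure, and the single-file and two-file cases described in this subsection) is easy to get wrong: an intermediate left in myca.crt becomes an explicitly trusted certificate, and a chain that does not actually end at the root fails only later, at the keystore import or at the client. The following POSIX shell script is an added example, not part of the NNMi documentation or product, that automates the preparation with openssl and awk for both cases: it splits whatever the CA returned into single certificates, treats the self-signed one as the root, writes myserver.crt (server certificate, intermediates, root) and myca.crt (root only), and verifies the result the way a TLS client would before anything is handed to nnmkeytool.ovpl. The demo PKI it builds (Example Root CA, Example Issuing CA, nnmi.example.com) is constructed test data; the script assumes openssl and awk are on PATH and that the CA placed the server certificate first in its file.

```shell
#!/bin/sh
# Added example (not from the NNMi documentation): normalise the certificate
# files a CA returns into the myserver.crt / myca.crt layout the procedure
# expects, then verify the chain with openssl before importing anything.
# Assumes openssl and awk are on PATH; all names below are hypothetical.
set -eu

# Number of PEM certificate blocks in a file (0 if none).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Split a PEM bundle into $2/cert-1.pem, $2/cert-2.pem, ... in file order.
# Text outside BEGIN/END markers (CA commentary, "Bag Attributes") is dropped.
split_pem() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inblk = 1 }
        inblk                         { print > out }
        /-----END CERTIFICATE-----/   { inblk = 0; close(out) }
    ' "$1"
}

# The root CA is the certificate whose issuer equals its subject (self-signed).
# Heuristic: a cross-signed root would not match; fine for a CA-supplied bundle.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# prepare_nnmi_files BUNDLE CAFILE OUTDIR
#   BUNDLE: what the CA returned (server cert, possibly with CA certs appended)
#   CAFILE: the separate CA file if the CA sent two files, "" otherwise
# Writes OUTDIR/myserver.crt (server cert, intermediates, root) and
# OUTDIR/myca.crt (root only); fails unless exactly one root is found.
prepare_nnmi_files() {
    bundle=$1 cafile=$2 out=$3
    work=$out/split
    mkdir -p "$work"
    cat "$bundle" ${cafile:+"$cafile"} > "$work/all.pem"
    split_pem "$work/all.pem" "$work"
    : > "$out/myserver.crt"
    : > "$out/myca.crt"
    n=$(count_certs "$work/all.pem") roots=0 i=1
    while [ "$i" -le "$n" ]; do
        c=$work/cert-$i.pem
        if is_self_signed "$c"; then
            cat "$c" >> "$out/myca.crt"
            roots=$((roots + 1))
        else
            cat "$c" >> "$out/myserver.crt"   # keeps the CA's order: server cert first
        fi
        i=$((i + 1))
    done
    if [ "$roots" -ne 1 ]; then
        echo "expected exactly one self-signed root CA certificate, found $roots" >&2
        return 1
    fi
    cat "$out/myca.crt" >> "$out/myserver.crt"   # the full chain ends with the root
}

# Verify the assembled files the way a TLS client would: trust only myca.crt,
# use myserver.crt as untrusted intermediates, and refuse a "server
# certificate" that is itself a CA (wrong certificate order or missing leaf).
verify_chain() {
    out=$1
    openssl x509 -in "$out/myserver.crt" -out "$out/leaf.pem"   # first cert only
    if openssl x509 -in "$out/leaf.pem" -noout -text | grep -q 'CA:TRUE'; then
        echo "first certificate in myserver.crt is a CA, not the server certificate" >&2
        return 1
    fi
    openssl verify -CAfile "$out/myca.crt" -untrusted "$out/myserver.crt" "$out/leaf.pem"
}

# Constructed demo PKI so the script runs offline: root -> issuing CA -> server,
# returned in the "two files" shape (myserver.crt = server cert + intermediate,
# myca.crt = root). Names are hypothetical.
make_demo_chain() {
    d=$1
    mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.csr" \
        -subj "/CN=Example Root CA" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -extfile "$d/ca.ext" \
        -days 1 -out "$d/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/int.key" -out "$d/int.csr" \
        -subj "/CN=Example Issuing CA" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$d/ca.ext" -days 1 -out "$d/int.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/nnmi.key" -out "$d/nnmi.csr" \
        -subj "/CN=nnmi.example.com" 2>/dev/null
    openssl x509 -req -in "$d/nnmi.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
        -days 1 -out "$d/nnmi.crt" 2>/dev/null
    cat "$d/nnmi.crt" "$d/int.crt" > "$d/myserver.crt"
    cp "$d/root.crt" "$d/myca.crt"
}

main() {
    tmp=$(mktemp -d)
    make_demo_chain "$tmp/ca"
    prepare_nnmi_files "$tmp/ca/myserver.crt" "$tmp/ca/myca.crt" "$tmp/out"
    echo "myserver.crt: $(count_certs "$tmp/out/myserver.crt") certificates (chain), myca.crt: $(count_certs "$tmp/out/myca.crt") (root)"
    verify_chain "$tmp/out"
    rm -rf "$tmp"
}
main
```

To use it with real files, call prepare_nnmi_files with the file(s) the CA returned (pass "" as the second argument for the single-file case), run verify_chain on the output directory, and then point the nnmkeytool.ovpl commands in steps 7 and 8 at the generated myserver.crt and myca.crt. The self-signed check is deliberately the only thing that decides what goes into myca.crt, so an intermediate can never end up explicitly trusted; verify_chain then catches a chain that is out of order or that does not lead to that root.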