

Ccisslcfg Utility--Specify Certificate Location
CCISSF looks in a predetermined location for items such as a host’s certificate or root certificate (see Default Certificate). If you keep these items in other locations, the ccisslcfg utility lets you tell CCISSF where they are. When executed, ccisslcfg prompts for the following:
- The host’s certificate and private key file.
- How to obtain the passphrase for the private key file, which can be one of the following options:
  - Typing in the passphrase, which ccisslcfg then stores in encrypted form for you.
  - Specifying the absolute path of a file that contains the passphrase in unencrypted form.
  - Specifying that you will provide the passphrase in the password_cb() callback in the cauccissl/libccissl library.
  - Stating that the private key is not protected with a passphrase.
- Whether to use OpenSSL’s default root certificate authority locations. CCISSF uses these locations in addition to any locations you specify in the following items:
- Any number of root certificates.
- Any number of directories containing root certificates. When you specify a directory, the files inside are assumed to be named using the hash value of the issuer’s subject name. OpenSSL cannot look up these files correctly if they are not named with this convention. Read the OpenSSL documentation for more information.
- The location of any certificate revocation lists (CRLs), which can be any number of files or directories. As with root certificate directories, the files inside a directory are assumed to be named using the hash value of the issuer’s subject name.
After ccisslcfg has prompted you for all of these settings, it writes them in encrypted form to the file %CAILOCL0000%\ccissl.cfg.
Ccisslcfg overwrites any settings you stored previously. Because this configuration file is encrypted, only the ccisslcfg utility can change these settings. Although the contents of this file are encrypted, we recommend setting its permissions so that only administrators and CCISSF have access to it.
The presence of this file overrides CCISSF’s default behavior with respect to where it looks for certificates. This configuration utility does not need to be used if you plan to use the default CCISSF certificate locations along with providing the password_cb() callback in the cauccissl\libccissl library.
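The hash-naming requirement for root certificate and CRL directories can be checked before a directory is given to ccisslcfg. The following script is an added example, not part of the CA documentation; it assumes PEM-encoded files, the openssl command-line tool and a POSIX shell, and the function names expected_prefix and check_hash_dir are hypothetical.

```shell
#!/bin/sh
# Added example: audit a directory before naming it to ccisslcfg as a
# root-certificate or CRL directory. Assumes PEM files and the openssl CLI.

# expected_prefix FILE: print "<hash>." for a certificate or "<hash>.r" for a
# CRL (the stems OpenSSL looks up); fail if FILE parses as neither.
expected_prefix() {
    if h=$(openssl x509 -noout -subject_hash -in "$1" 2>/dev/null) && [ -n "$h" ]; then
        printf '%s.' "$h"
    elif h=$(openssl crl -noout -hash -in "$1" 2>/dev/null) && [ -n "$h" ]; then
        printf '%s.r' "$h"
    else
        return 1
    fi
}

# check_hash_dir DIR: report every file OpenSSL would not find by hash lookup.
# Returns 0 only when all files are named <hash>.<n> (certs) or <hash>.r<n> (CRLs).
check_hash_dir() {
    bad=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        if ! prefix=$(expected_prefix "$f"); then
            echo "UNPARSEABLE $name"
            bad=$((bad + 1))
            continue
        fi
        suffix=${name#"$prefix"}
        case $suffix in
            "$name" | '' | *[!0-9]*)
                echo "MISNAMED $name (expected ${prefix}<n>)"
                bad=$((bad + 1))
                ;;
        esac
    done
    [ "$bad" -eq 0 ]
}

# Usage: sh check_hash_dir.sh /path/to/root-cert-dir
if [ "$#" -gt 0 ]; then
    check_hash_dir "$1"
fi
```

A file reported as MISNAMED or UNPARSEABLE would be silently skipped by OpenSSL's directory lookup, so a missing root or CRL shows up only later as a failed verification or an unchecked revocation.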
Copyright © 2010 CA.
All rights reserved.
 