

Certificate Distribution

Certificate distribution must be covered before certificate creation. Depending on the method of certificate creation chosen (see description in "Basic Host Identity Certificates"), certificate distribution can be quite complex.

Client Automation does not provide any automated certificate distribution technology. It is delivered with default certificates for each Client Automation node and with application-specific certificates.

To migrate away from the default certificates after a default install, the certificates should be distributed in the following (simplified) way. This allows a successful migration of trust without causing any downtime in communications and authentication due to the parallel use of trusted roots.

  1. Create a new root certificate. Ensure that the root name (DN) is different from the existing Client Automation root certificate.
  2. Schedule the distribution of the new DER-encoded root certificate to all nodes within the Client Automation infrastructure. This establishes the new root as a trusted root authority on all Client Automation nodes.
  3. Create new security profiles in the Client Automation management database to replace the existing application-specific certificate profiles. Do not delete the old profiles yet.
  4. Schedule the distribution of new certificates to all of the Client Automation nodes.
  5. After the certificate distribution is successful, schedule the deletion of the previous Client Automation certificates.
  6. Delete the old security profiles for the application-specific certificates.

This list is not exhaustive. Contact CA Technologies Technical Support for advice on major-scale certificate distribution and replacement with a full-scale PKI implementation.
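
The parallel-trust window that steps 1 to 5 rely on can be rehearsed offline before touching production nodes. The following is an added example, not part of the original documentation and not Client Automation tooling: it uses the generic `openssl` CLI with constructed throwaway roots and node certificates (all names and file names are assumptions) to check that the new root DN differs, export the root as DER, and confirm that a trust store holding both roots accepts old and new node certificates until the old root is removed.

```shell
#!/bin/sh
# Added example: throwaway keys and constructed names, not Client Automation tooling.
set -eu

# mkroot <name> <DN>: create a self-signed root certificate and key.
mkroot() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$2" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# mkleaf <name> <root name> <DN>: issue a node certificate under a root.
mkleaf() {
    openssl req -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
        -CAcreateserial -days 30 -out "$1.pem" 2>/dev/null
}

# Step 1 check: succeed only if the two roots have different subject DNs.
dn_differs() {
    [ "$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)" != \
      "$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253)" ]
}

# trusted <trust bundle> <cert>: succeed only if cert chains to a root in the bundle.
trusted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

migration_demo() {
    dir=$(mktemp -d) && cd "$dir" || return 1
    mkroot old_root "/CN=Example Old Root" || return 1   # stands in for the default root
    mkroot new_root "/CN=Example New Root" || return 1   # step 1
    dn_differs old_root.pem new_root.pem || return 1
    openssl x509 -in new_root.pem -outform DER -out new_root.der || return 1  # step 2 format
    mkleaf old_node old_root "/CN=node1-old" || return 1
    mkleaf new_node new_root "/CN=node1-new" || return 1  # step 4
    cat old_root.pem new_root.pem > both.pem             # trust store during steps 2 to 5
    trusted both.pem old_node.pem || return 1            # old certs keep working
    trusted both.pem new_node.pem || return 1            # new certs already accepted
    trusted new_root.pem new_node.pem || return 1        # state after step 5
    ! trusted new_root.pem old_node.pem                  # old certs now rejected
}

migration_demo && echo "parallel-trust rehearsal passed"
```

The last check is the reason step 5 must wait until step 4 has succeeded everywhere: once the old root is removed, any node still presenting an old certificate fails verification.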