

How to Specify That CA ControlMinder Uses a Password-Protected Root Certificate

When you install CA ControlMinder, you can configure it to use a third-party password-protected root certificate.

After you install CA ControlMinder, you use the root certificate to create CA ControlMinder server certificates. The server certificates encrypt and authenticate communication between CA ControlMinder components.

To configure CA ControlMinder to use a third-party password-protected root certificate, you must perform some additional steps when you use native packages to install CA ControlMinder, as follows:

  1. When you customize the params file as part of the native package installation, specify the following parameters in the file:
  2. After you install CA ControlMinder, do the following:
    1. Create a CA ControlMinder server certificate from the root certificate, as follows, where ACInstallDir is the directory in which you installed CA ControlMinder:
      ACInstallDir/bin/sechkey -e -sub -in /opt/CA/AccessControl/crypto/sub_cert_info -priv root_key_path -capwd password [-subpwd password]
      
      -priv root_key_path

      Specifies the file that holds the private key for the root certificate.

      -capwd password

      Specifies the password for the private key of the root certificate.

      -subpwd password

      Specifies the password for the private key of the server certificate.

    2. If you specified a password for the server key, verify that CA ControlMinder can use the stored password to open the key:
      ACInstallDir/bin/sechkey -g -verify
      
    3. Change the value of the communication_mode configuration setting in the crypto section to one of the following:
      all_modes

      Specify this value if you want to enable both symmetric and SSL encryption. This value lets the computer communicate with all CA ControlMinder components.

      use_ssl

      Specify this value to enable SSL encryption only. This value lets the computer communicate with only the CA ControlMinder components that use SSL encryption.

    4. Start CA ControlMinder.

      CA ControlMinder starts and uses the CA ControlMinder server certificate to encrypt and authenticate communication.

Note: For more information about the sechkey utility, see the Reference Guide.
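
A post-change check for step 3, added here as an example and not taken from the CA ControlMinder documentation: it reads communication_mode from the crypto section and confirms the value is all_modes or use_ssl. It assumes the setting is stored in an INI-style file with a [crypto] header and key = value lines; the function names and the sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example: confirm that communication_mode in the [crypto] section
# is one of the two values this procedure allows (all_modes, use_ssl).
# Assumption: INI-style file, "[section]" headers, "key = value" lines.

# crypto_mode FILE -> prints the first communication_mode set under [crypto]
crypto_mode() {
    awk '
        /^[ \t]*\[/ {                      # section header: track where we are
            sec = $0
            gsub(/^[ \t]*\[|\][ \t\r]*$/, "", sec)
            in_crypto = (sec == "crypto")
            next
        }
        in_crypto && /^[ \t]*communication_mode[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)  # drop "key =" and leading blanks
            sub(/[ \t\r]*$/, "", val)      # drop trailing blanks and CR
            print val
            exit
        }
    ' "$1"
}

# ssl_enabled FILE -> exit status 0 only for all_modes or use_ssl
ssl_enabled() {
    case "$(crypto_mode "$1")" in
        all_modes|use_ssl) return 0 ;;
        *) return 1 ;;                     # other value, or setting missing
    esac
}

# write_sample FILE MODE -> constructed test configuration, not a product file.
# The [other] section and the commented line must both be ignored.
write_sample() {
    cat > "$1" <<EOF
[other]
communication_mode = use_ssl
[crypto]
; communication_mode = all_modes
communication_mode = $2
EOF
}

tmp=$(mktemp)
write_sample "$tmp" use_ssl
if ssl_enabled "$tmp"; then echo "OK: $(crypto_mode "$tmp")"; else echo "SSL not enabled"; fi
rm -f "$tmp"
```
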

More information:

sechkey Utility—Configure X.509 Certificates