The sechkey utility configures the root and server certificates that CA ControlMinder uses to authenticate communication between components.
You can use the sechkey utility to perform the following tasks:
You must stop CA ControlMinder before you use sechkey to configure X.509 certificates. You must have the ADMIN attribute to use sechkey.
Note: If CA ControlMinder is operating in FIPS-only mode, you cannot use password-protected certificates. CA ControlMinder operates in FIPS-only mode when the value of the fips_only configuration token in the crypto section is 1. This restriction prevents you from encrypting passwords within the certificate with a non-FIPS compliant method.
This command has the following format to create an X.509 root or server certificate:
sechkey -e {-ca|-sub [-priv privfilepath]} [-in infilepath] [-out outfilepath] [-capwd password] [-subpwd password]
This command has the following format to use OU password-protected server certificates:
sechkey -g {-subpwd password | -verify}
-ca
Specifies that sechkey creates a self-signed certificate that is used as a CA (root) certificate.
sechkey stores the certificate and private key in the PEM file defined by the ca_certificate configuration setting in the crypto section.
-capwd password
Specifies the password for the private key of the root certificate that sechkey uses to generate a server (subject) certificate.
-e
Specifies that sechkey creates an X.509 certificate.
-g
Specifies that CA ControlMinder uses third-party server certificates. Save the third-party server certificate in the location specified by the subject_certificate configuration setting in the crypto section, or edit the value of the subject_certificate configuration setting in the crypto section to specify the full path to the third-party server certificate.
Note: If you install the server certificate in a new directory, write CA ControlMinder FILE rules to protect the new directory.
-in infilepath
Specifies the input file that contains the certificate information. If -in is not specified, sechkey reads the information from the standard input.
sechkey requires the following information to create a certificate:
sechkey can use the following information, but the information is not mandatory:
-out outfilepath
Specifies the output file in which sechkey writes a copy of the certificate information. If -out is not specified, sechkey does not duplicate the input information.
-priv privfilepath
Specifies the file that holds the private key associated with the certificate. This option is only valid when used with the -sub option.
-sub
Specifies that sechkey creates a server (subject) certificate.
sechkey stores the certificate and private key in the PEM file defined by the subject_certificate configuration setting in the crypto section.
If -priv is not specified, the private_key configuration setting in the crypto section defines the file that holds the private key associated with the certificate.
If you create a password-protected server certificate, sechkey does not encrypt the certificate. If you create a server certificate that is not password-protected, sechkey encrypts the certificate using AES256 and the CA ControlMinder encryption key.
-subpwd password
Specifies the password for the private key of the server (subject) certificate. sechkey stores the password in the crypto.dat file in the ACInstallDir/Data/crypto directory, where ACInstallDir is the directory in which you installed CA ControlMinder. The crypto.dat file is hidden, encrypted, read-only, and protected by CA ControlMinder. If CA ControlMinder is stopped, only the superuser can access the password.
-verify
Verifies that CA ControlMinder can use the stored password to open the password-protected server key.
Example: Create a Server Certificate from an OU Password-Protected Third-Party Root Certificate
The following command creates a server certificate from an OU password-protected third-party root certificate, using the following values:
sechkey -e -sub -in "C:\Program Files\CA\AccessControl\data\crypto\sub_cert_info" -priv "C:\Program Files\CA\AccessControl\data\crypto\ca.key" -capwd P@ssw0rd
Example: Input File
The following is an example of an input file that contains certificate information:
SERIAL: 00-15-58-C3-5E-4B
SUBJECT: CN=192.168.0.1
NOTBEFORE: "12/31/08"
NOTAFTER: "12/31/09"
E-MAIL: john.smith@example.com
URI: http://www.example.com
DNS: 168.192.0.100
IP: 168.192.0.1
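The following POSIX shell script is an added example and is not part of the CA ControlMinder documentation or the product itself. It builds a certificate-information file in the format of the sample input file above, checks it before it is handed to sechkey -e -sub -in, and runs the documented command only when sechkey is on the PATH (otherwise it prints the command it would run, so the script can be tried on a machine without CA ControlMinder). The set of accepted keys is taken from the sample; the rules that a key may not repeat and that a value may not be empty are assumptions made here, not requirements stated on the page. The file path, private-key path and password in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the CA ControlMinder documentation): prepare and
# sanity-check a certificate-information input file for "sechkey -e -sub".
# KNOWN_KEYS lists the keys shown in the page's sample input file.
KNOWN_KEYS="SERIAL SUBJECT NOTBEFORE NOTAFTER E-MAIL URI DNS IP"

# write_cert_info FILE KEY=VALUE ...   writes one "KEY: VALUE" line per pair.
write_cert_info() {
    out="$1"
    shift
    : > "$out"
    for pair in "$@"; do
        printf '%s: %s\n' "${pair%%=*}" "${pair#*=}" >> "$out"
    done
}

# check_cert_info FILE   returns 0 when every line is "KEY: value" with a key
# from KNOWN_KEYS, a non-empty value and no repeated key; otherwise returns 1
# and reports each problem on stderr. (Assumed rules, see the lead-in.)
check_cert_info() {
    file="$1"
    seen=" "
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *": "*) ;;
            *) echo "malformed line: $line" >&2; status=1; continue ;;
        esac
        key="${line%%:*}"
        val="${line#*: }"
        case " $KNOWN_KEYS " in
            *" $key "*) ;;
            *) echo "unknown key: $key" >&2; status=1 ;;
        esac
        case "$seen" in
            *" $key "*) echo "duplicate key: $key" >&2; status=1 ;;
        esac
        seen="$seen$key "
        [ -n "$val" ] || { echo "empty value for $key" >&2; status=1; }
    done < "$file"
    return $status
}

# create_server_cert FILE PRIVKEY CAPWD   validates FILE, then runs the
# documented command if sechkey is installed; otherwise prints the command.
create_server_cert() {
    check_cert_info "$1" || return 1
    if command -v sechkey >/dev/null 2>&1; then
        sechkey -e -sub -in "$1" -priv "$2" -capwd "$3"
    else
        printf 'would run: sechkey -e -sub -in %s -priv %s -capwd <ca-password>\n' "$1" "$2"
    fi
}

# Demo with constructed values (same fields as the page's sample input file).
demo_file="${TMPDIR:-/tmp}/sub_cert_info.$$"
write_cert_info "$demo_file" \
    "SERIAL=00-15-58-C3-5E-4B" \
    "SUBJECT=CN=192.168.0.1" \
    'NOTBEFORE="12/31/08"' \
    'NOTAFTER="12/31/09"' \
    "E-MAIL=john.smith@example.com" \
    "URI=http://www.example.com" \
    "DNS=168.192.0.100" \
    "IP=168.192.0.1"
create_server_cert "$demo_file" /path/to/ca.key "CA_PASSWORD_PLACEHOLDER"
rm -f "$demo_file"
```

Run the check before stopping CA ControlMinder: a rejected input file is found while the product is still running, rather than after the outage has started.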
Copyright © 2013 CA Technologies. All rights reserved.