

sechkey Utility—Configure X.509 Certificates

The sechkey utility configures the root and server certificates that CA ControlMinder uses to authenticate communication between components.

You can use the sechkey utility to perform the following tasks:

You must stop CA ControlMinder before you use sechkey to configure X.509 certificates. You must have the ADMIN attribute to use sechkey.

Note: If CA ControlMinder is operating in FIPS-only mode, you cannot use password-protected certificates. CA ControlMinder operates in FIPS-only mode when the value of the fips_only configuration token in the crypto section is 1. This restriction prevents you from encrypting passwords within the certificate with a non-FIPS compliant method.

This command has the following format to create an X.509 root or server certificate:

sechkey -e {-ca|-sub [-priv privfilepath]} [-in infilepath] [-out outfilepath] [-capwd password] [-subpwd password]

This command has the following format to use OU password-protected server certificates:

sechkey -g {-subpwd password | -verify}

-ca

Specifies that sechkey creates a self-signed certificate that is used as a CA (root) certificate.

sechkey stores the certificate and private key in the PEM file defined by the ca_certificate configuration setting in the crypto section.

-capwd password

Specifies the password for the private key of the root certificate that sechkey uses to generate a server (subject) certificate.

-e

Specifies that sechkey creates an X.509 certificate.

-g

Specifies that CA ControlMinder uses third-party server certificates. Save the third-party server certificate in the location specified in the subject_certificate configuration setting in the crypto section, or edit the value of the subject_certificate configuration setting in the crypto section to specify the full path to the third-party server certificate.

Note: If you install the server certificate in a new directory, write CA ControlMinder FILE rules to protect the new directory.

-in infilepath

Specifies the input file that contains the certificate information. If -in is not specified, sechkey reads the information from the standard input.

sechkey requires the following information to create a certificate:

sechkey can use the following information, but the information is not mandatory:

-out outfilepath

Specifies the output file in which sechkey writes the certificate information. The output file is a copy of the input information. If -out is not specified, sechkey does not duplicate the input information.

-priv privfilepath

Specifies the file that holds the private key associated with the certificate. This option is only valid when used with the -sub option.

-sub

Specifies that sechkey creates a server (subject) certificate.

sechkey stores the certificate and private key in the PEM file defined by the subject_certificate configuration setting in the crypto section.

If -priv is not specified, the private_key configuration setting in the crypto section defines the file that holds the private key associated with the certificate.

If you create a password-protected server certificate, sechkey does not encrypt the certificate. If you create a server certificate that is not password-protected, sechkey encrypts the certificate using AES256 and the CA ControlMinder encryption key.

-subpwd password

Specifies the password for the private key of the server (subject) certificate. sechkey stores the password in the crypto.dat file in the ACInstallDir/Data/crypto directory, where ACInstallDir is the directory in which you installed CA ControlMinder. The crypto.dat file is hidden, encrypted, read-only, and protected by CA ControlMinder. If CA ControlMinder is stopped, only the superuser can access the password.

-verify

Verifies that CA ControlMinder can use the stored password to open the password-protected server key.

Example: Create a Server Certificate from an OU Password-Protected Third-Party Root Certificate

The following command creates a server certificate from an OU password-protected third-party root certificate, using the following values:

Example: Input File

The following is an example of an input file that contains certificate information:

SERIAL: 00-15-58-C3-5E-4B
SUBJECT: CN=192.168.0.1
NOTBEFORE: "12/31/08"
NOTAFTER: "12/31/09"
E-MAIL: john.smith@example.com
URI: http://www.example.com
DNS: 168.192.0.100
IP: 168.192.0.1
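As an added example that is not part of the product documentation, the following Python script pre-checks an input file in the format shown above before it is handed to sechkey -e, so that a malformed serial, an unparseable or inverted validity period, or a bad IP value is caught before the certificate is generated. The field set, the one-field-per-line layout and the quoted MM/DD/YY date format are assumptions inferred from the sample; the page does not state which fields are mandatory, so the checker does not enforce a required set.

```python
from datetime import datetime
import ipaddress, re
# Pre-check for a sechkey input file; field names as in the documented sample (format assumed).
KNOWN_FIELDS = {"SERIAL", "SUBJECT", "NOTBEFORE", "NOTAFTER", "E-MAIL", "URI", "DNS", "IP"}
QUOTES = "\"'\u201c\u201d\u2018\u2019"  # straight and typographic quote marks around values

def parse_input_file(text):
    """Return (fields, problems), flagging malformed, unknown and duplicate 'KEY: value' lines."""
    fields, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        key, sep, value = raw.partition(":")
        key, value = key.strip().upper(), value.strip().strip(QUOTES)
        if not sep or not key:
            problems.append(f"line {lineno}: not of the form 'KEY: value'")
        elif key not in KNOWN_FIELDS:
            problems.append(f"line {lineno}: unknown field {key}")
        elif key in fields:
            problems.append(f"line {lineno}: duplicate field {key}")
        else:
            fields[key] = value
    return fields, problems

def check_fields(fields):
    """Validate the serial octets, the MM/DD/YY validity dates and their order, and the IP value."""
    problems = []
    if "SERIAL" in fields and not re.fullmatch(r"[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2})*", fields["SERIAL"]):
        problems.append("SERIAL is not a dash-separated list of hex octets")
    try:
        nb, na = (datetime.strptime(fields.get(n, ""), "%m/%d/%y") for n in ("NOTBEFORE", "NOTAFTER"))
        if nb >= na:
            problems.append("NOTBEFORE is not earlier than NOTAFTER")
    except ValueError:
        problems.append("NOTBEFORE/NOTAFTER missing or not MM/DD/YY dates")
    if "IP" in fields:
        try:
            ipaddress.ip_address(fields["IP"])
        except ValueError:
            problems.append("IP is not a valid IP address")
    return problems

def validate(text):
    fields, problems = parse_input_file(text)
    return problems + check_fields(fields)

# Constructed sample: the documented file, but with typographic quotes on NOTBEFORE (accepted)
# and the two dates swapped so that NOTAFTER precedes NOTBEFORE (flagged).
SAMPLE = ('SERIAL: 00-15-58-C3-5E-4B\nSUBJECT: CN=192.168.0.1\nNOTBEFORE: \u201c12/31/09\u201d\n'
          'NOTAFTER: "12/31/08"\nE-MAIL: john.smith@example.com\nURI: http://www.example.com\n'
          'DNS: 168.192.0.100\nIP:  168.192.0.1\n')
```

Run validate() on the file you intend to pass with -in; an empty list means the checker found nothing to object to.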

More information:

Use Third-Party Root and Server Certificates

Use a Server Certificate You Generate from a Third-Party Root Certificate