Implementation Guide › Changing Communication Encryption Methods › SSL, Authentication, and Certificates › Enable SSL Encryption › Use Third-Party Root and Server Certificates

Use Third-Party Root and Server Certificates

If you use SSL encryption, you can use third-party root and server certificates to encrypt and authenticate communication between CA ControlMinder components.

You need the following files to use third-party root and server certificates:

• root.pem—Root certificate
• server.pem—Server certificate
• server.key—Private key for the server certificate

  If you use OU password-protected server certificates, you also need the password for the private key for the server certificate.

Note: Because the server certificates are already created, you do not need the private key for the root certificate.

To use third-party root and server certificates

1. Verify that CA ControlMinder services are stopped and that SSL is enabled.
2. Replace the root certificate. Do one of the following:
   • Copy the new root certificate to the location specified in the ca_certificate configuration setting in the crypto section.
   • Edit the value of the ca_certificate configuration setting in the crypto section to specify the full path to the new root certificate.

     Note: If you install the root certificate in a new directory, write CA ControlMinder FILE rules to protect the new directory.

3. Replace the server certificate. Do one of the following:
   • Copy the new server certificate to the location specified in the subject_certificate configuration setting in the crypto section.
   • Edit the value of the subject_certificate configuration setting in the crypto section to specify the full path to the new server certificate.

     Note: If you install the server certificate in a new directory, write CA ControlMinder FILE rules to protect the new directory.

4. Replace the server key. Do one of the following:
   • Copy the new server key to the location specified in the private_key configuration setting in the crypto section.
   • Edit the value of the private_key configuration setting in the crypto section to specify the full path to the new server key.

     Note: If you install the server key in a new directory, write CA ControlMinder FILE rules to protect the new directory.

5. If you use OU password-protected certificates do the following:
   1. Verify that the value of the fips_only configuration setting in the crypto section is 0.

      Note: You cannot use password-protected certificates if CA ControlMinder is operating in FIPS-only mode.

   2. Store the password for the server certificate private key on the computer as follows:

      sechkey -g -subpwd private_key_password
      

      Note: You must have the ADMIN attribute to use sechkey.

   3. Verify that CA ControlMinder can use the stored password to open the private key:

      sechkey -g -verify
      

      If CA ControlMinder cannot open the key, repeat Step b and specify the correct password.

   Note: For more information about the sechkey utility, see the Reference Guide.

6. Start CA ControlMinder:
   • If you are changing the encryption settings on a CA ControlMinder Enterprise Management Server, also start the CA ControlMinder Web Service.
   • If you are working with a third-party program that uses the CA ControlMinder SDK, restart the process that uses the CA ControlMinder SDK.

   SSL encryption is enabled.

More information:

sechkey Utility—Configure X.509 Certificates

crypto

crypto