

Use a Server Certificate You Generate from a Third-Party Root Certificate

If you use SSL encryption, you can create server certificates from third-party root certificates. You use these certificates to encrypt and authenticate communication between CA ControlMinder components.

You can create a password-protected server certificate; if you do, CA ControlMinder uses a specified password to protect the private key for the server certificate.

You need the following files to create a server certificate from a third-party root certificate:

To use a server certificate you generate from a third-party root certificate

  1. Verify that CA ControlMinder services are stopped and that SSL is enabled.
  2. If you use password-protected certificates, verify that the value of the fips_only configuration setting in the crypto section is 0.

    Note: You cannot use password-protected certificates if CA ControlMinder is operating in FIPS-only mode.

  3. Delete every file except sub_cert_info in the following directory, where ACInstallDir is the directory in which you installed CA ControlMinder:
    ACInstallDir/data/crypto

    Important! Do not delete the sub_cert_info file.

    The default server certificate and default key for the server certificate are deleted.

  4. Replace the root certificate. Do one of the following:
  5. Use the sechkey utility to generate a server certificate.

    Note: For more information about the sechkey utility, see the Reference Guide. You must have the ADMIN attribute to use sechkey. If you are working with a third-party program that uses the CA ControlMinder SDK, append the -s option when you run sechkey.

  6. (Optional) Delete the private key for the root certificate.

    If you do not want to create another server certificate from the root certificate, you can delete the private key for the root certificate.

  7. Start CA ControlMinder:

    SSL encryption is enabled.

Example: Use sechkey to Create a Server Certificate

This example creates a server certificate from a third-party root certificate. This example uses the default CA ControlMinder certificate information file. The private key for the root certificate is named custom_root.key and located at /opt/CA/AccessControl/data/crypto:

sechkey -e -sub -in "/opt/CA/AccessControl/data/crypto/sub_cert_info" -priv /opt/CA/AccessControl/data/crypto/custom_root.key
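The procedure above as an added shell script; this is not part of the CA documentation or of CA's own tooling. It wraps steps 2, 3 and 5 so that the cleanup in step 3 cannot remove sub_cert_info and a password-protected certificate is not requested while FIPS-only mode is on. It assumes (the page does not say) that the crypto section is a [crypto] section in an INI-style file such as seos.ini, that sechkey is on PATH, and the variable name PASSWORD_PROTECTED is the script's own.

```shell
#!/bin/sh
# Added example, not CA's tooling. Wraps steps 2, 3 and 5 of the procedure.
# Assumptions not stated on the page: the crypto section is "[crypto]" in an
# INI-style file (e.g. seos.ini) and sechkey is on PATH.

# Step 2: succeed only when fips_only in the [crypto] section of file $1 is
# explicitly 0. Password-protected certificates are rejected in FIPS-only mode.
fips_only_is_off() {
    val=$(awk -F'=' '/^[ \t]*\[/ { insect = ($0 ~ /^[ \t]*\[crypto\][ \t]*$/); next }
        insect && $1 ~ /^[ \t]*fips_only[ \t]*$/ { gsub(/[ \t\r]/, "", $2); v = $2 }
        END { print v }' "$1" 2>/dev/null)
    [ "$val" = "0" ]
}

# Step 3: delete every file in the crypto directory except sub_cert_info.
# Refuses to run when sub_cert_info is absent, because sechkey needs it in step 5.
clean_crypto_dir() {
    dir="$1"
    if [ ! -f "$dir/sub_cert_info" ]; then
        echo "refusing: $dir/sub_cert_info not found" >&2
        return 1
    fi
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$f" ] || continue                  # skips unmatched globs and subdirectories
        [ "$(basename "$f")" = "sub_cert_info" ] && continue
        rm -f "$f"
    done
}

# Step 5: the page's sechkey invocation, parameterised on the crypto directory
# and the third-party root's private key. Append -s when working through the SDK.
generate_server_cert() {
    sechkey -e -sub -in "$1/sub_cert_info" -priv "$2"
}

# Stand-alone use (steps 1, 4, 6 and 7 stay manual):
#   PASSWORD_PROTECTED=1 sh gen_cert.sh --run /path/to/seos.ini ACInstallDir/data/crypto /path/to/custom_root.key
if [ "${1:-}" = "--run" ]; then
    if [ "${PASSWORD_PROTECTED:-0}" = "1" ] && ! fips_only_is_off "$2"; then
        echo "password-protected certificates need fips_only = 0 in [crypto]" >&2; exit 1
    fi
    clean_crypto_dir "$3" || exit 1
    # Step 4 (replace the root certificate) sits between cleanup and sechkey: if the
    # root key lived in the crypto directory it is gone now, so stop until it is back.
    [ -f "$4" ] || { echo "place the root certificate and key (step 4), then rerun" >&2; exit 1; }
    generate_server_cert "$3" "$4"
fi
```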

More information:

sechkey Utility—Configure X.509 Certificates

crypto