Implementation Guide › Changing Communication Encryption Methods › SSL, Authentication, and Certificates › Enable SSL Encryption › Use a Server Certificate You Generate from a Third-Party Root Certificate

Use a Server Certificate You Generate from a Third-Party Root Certificate

If you use SSL encryption, you can create server certificates from third-party root certificates. You use these certificates to encrypt and authenticate communication between CA ControlMinder components.

You can create a password-protected server certificate; if you do, CA ControlMinder uses a specified password to protect the private key for the server certificate.

You need the following files to create a server certificate from a third-party root certificate:

• root.pem—Root certificate
• root.key—Private key for the root certificate

To use a server certificate you generate from a third-party root certificate

1. Verify that CA ControlMinder services are stopped and that SSL is enabled.
2. If you use OU password-protected certificates, verify that the value of the fips_only configuration setting in the crypto section is 0.

   Note: You cannot use password-protected certificates if CA ControlMinder is operating in FIPS-only mode.

3. Delete every file except sub_cert_info in the following directory, where ACInstallDir is the directory in which you installed CA ControlMinder:

   ACInstallDir/data/crypto
   

   Important! Do not delete the sub_cert_info file.

   The default server certificate and default key for the server certificate are deleted.

4. Replace the root certificate. Do one of the following:
   • Copy the new root certificate to the location specified in the ca_certificate configuration setting in the crypto section.
   • Edit the value of the ca_certificate configuration setting in the crypto section to specify the full path to the new root certificate.

     Note: If you install the root certificate in a new directory, write CA ControlMinder FILE rules to protect that directory.

5. Use the sechkey utility to generate a server certificate.

   Note: For more information about the sechkey utility, see the Reference Guide. You must have the ADMIN attribute to use sechkey. If you are working with a third-party program that uses the CA ControlMinder SDK, append the -s option to the sechkey command when you run sechkey.

6. (Optional) Delete the private key for the root certificate.

   If you do not want to create another server certificate from the root certificate, you can delete the private key for the root certificate.

7. Start CA ControlMinder:
   • If you are changing the encryption settings on a CA ControlMinder Enterprise Management Server, also start the CA ControlMinder Web Service.
   • If you are working with a third-party program that uses the CA ControlMinder SDK, restart the process that uses the CA ControlMinder SDK.

   SSL encryption is enabled.

Example: Use sechkey to Create a Server Certificate

This example creates a server certificate from a third-party root certificate. This example uses the default CA ControlMinder certificate information file. The private key for the root certificate is named custom_root.key and located at /opt/CA/AccessControl/data/crypto:

sechkey -e -sub -in "/opt/CA/AccessControl/data/crypto/sub_cert_info" -priv /opt/CA/AccessControl/data/crypto/custom_root.key

More information:

sechkey Utility—Configure X.509 Certificates

crypto

crypto