

Generate Customized Master Certificates

Before you distribute the NBA master certificates to your clients, you must customize the certificate details. Do one of the following to customize and regenerate NBA master certificates.

To change the master certificate using the NBA console

  1. Log on to the NBA console and go to the SSL tab.
  2. Click the Master Certificates option.
  3. Change the Common name, Organization, Locality, Province, Country and Validity Period settings as required.

    The Common Name is the most important setting because this name is usually presented as the signing root authority when a user checks their SSL connection. They do this by clicking the padlock icon in the address bar of their browser.

    Use your organization's name as the Common Name to make the origin of the certificate clear. You may also want to add a note explaining the purpose of the certificate.

  4. Click Generate.
  5. The console displays a warning that the new public certificate and private key pairs will become active immediately and overwrite the current public certificate and private key pairs.
  6. Type ‘confirm’ in the input box and click Generate.

    The NBA generates the Trusted certificate and Revoked certificate and saves them on the Network appliance. (The Revoked certificate is optional.)

To change the master certificate using FTP

  1. Using FTP, browse to the /config folder on the NBA appliance.
  2. Edit nbaconfig.xml and change the following lines:
    <commonname type="stringType" value="CA DataMinder Network"/>
    <organizationname type="stringType" value="CA Technologies"/>
    <localityname type="stringType" value="Islandia"/>
    <provincename type="stringType" value="NY"/>
    <countryname type="stringType" value="US"/>
    <validityperioddays type="numberType" value="730"/>
    

    The <commonname> is the most important setting because this name is usually presented as the signing root authority when a user checks their SSL connection. They do this by clicking the padlock icon in the address bar of their browser.

    Use your organization's name as the Common Name to make the origin of the certificate clear. You may also want to add a note explaining the purpose of the certificate.

  3. Log on to the NBA console using SSH.
  4. Run this command to prepare the NBA command environment:
    . /usr/local/share/nba/nbarc
    

    Note: Do not omit the space between the period and the first slash.

  5. Change into the NBA executable directory:
    cd /home/nba/bin
    
  6. Run this command to generate the new master certificate:
    ./nbacmd SSL_GENERATE
    

    This generates the following output:

    2010/12/23 11:26:43.963997 CMD: SSL certificate regeneration completed.
    
  7. Using FTP, browse to the /config folder on the NBA appliance.

    The nbaroot (trusted) and nbarevoked (untrusted) certificates are available for download in both .p7b and .crt formats.
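Because SSL_GENERATE overwrites the active certificate and key pairs immediately, it is worth checking the edited settings on a local copy of nbaconfig.xml before step 6. The following is an added example, not part of the product or its documentation: the function names and the `<config>` wrapper element are assumptions, the two-letter country check follows the X.509 convention, and only the six element names and default values come from the lines shown in step 2.

```python
import re
import xml.etree.ElementTree as ET

# Shipped defaults, copied from the nbaconfig.xml lines shown above.
DEFAULTS = {
    "commonname": "CA DataMinder Network",
    "organizationname": "CA Technologies",
    "localityname": "Islandia",
    "provincename": "NY",
    "countryname": "US",
    "validityperioddays": "730",
}

def check_master_cert_settings(xml_text):
    """Return a list of problems found in the master certificate settings."""
    root = ET.fromstring(xml_text)
    problems, values = [], {}
    for tag in DEFAULTS:
        found = list(root.iter(tag))
        if len(found) != 1:
            problems.append(f"{tag}: expected one element, found {len(found)}")
            continue
        values[tag] = (found[0].get("value") or "").strip()
        if not values[tag]:
            problems.append(f"{tag}: value is empty")
    # These two names identify the signing root authority to users.
    for tag in ("commonname", "organizationname"):
        if values.get(tag) == DEFAULTS[tag]:
            problems.append(f"{tag}: still the shipped default")
    country = values.get("countryname")
    if country and not re.fullmatch(r"[A-Z]{2}", country):
        problems.append("countryname: not a two-letter country code")
    days = values.get("validityperioddays")
    if days and not re.fullmatch(r"[1-9][0-9]*", days):
        problems.append("validityperioddays: not a positive whole number")
    return problems

def sample_config(overrides):
    """Build a constructed config; the <config> root element is hypothetical."""
    settings = {**DEFAULTS, **overrides}
    body = "".join(f'<{tag} value="{val}"/>' for tag, val in settings.items())
    return f"<config>{body}</config>"

if __name__ == "__main__":
    edited = sample_config({"commonname": "Example Corp Inspection CA",
                            "organizationname": "Example Corp",
                            "countryname": "usa"})
    for problem in check_master_cert_settings(edited):
        print(problem)
```

An empty list means the settings have been customized and are well formed; any reported line should be corrected in nbaconfig.xml before running `./nbacmd SSL_GENERATE`.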