Implementing Custom Certificates

The installation process generates two certificates and places them in the /opt/CA/SharedComponents/iTechnology directory of the CA Enterprise Log Manager server. You can use the installed certificates as is. These certificates have the following names, where ApplicationName is CAELM for the CA Enterprise Log Manager product.

To use custom certificates, you must first obtain a trusted root certificate from a Root Certificate Authority (CA). A certificate authority can issue multiple certificates in the form of a tree structure. All certificates below the trusted root certificate inherit the trustworthiness of the root certificate. This process assumes that if both certificates are being replaced, the custom service certificate and the custom agent certificate have the same trusted root.

Only custom certificates with .cer extensions are supported. After you obtain a trusted root certificate, the typical sequence of actions to implement custom certificates follows:

  1. Add the Trusted Root certificate to iAuthority.conf on the management CA Enterprise Log Manager server or standalone CA EEM.
  2. If you are replacing CAELM_AgentCert.cer, add the Trusted Root certificate to iControl.conf on the management CA Enterprise Log Manager, then repeat this addition on every other CA Enterprise Log Manager.
  3. If you are replacing CAELMCert.cer, add this custom certificate's common name to the AdministerObjects scoping policy on the management CA Enterprise Log Manager or standalone CA EEM.
  4. Add the custom certificates to the iTechnology folder of each CA Enterprise Log Manager server and add the name and password for each certificate in separate configuration files.
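Before starting this sequence, it is worth confirming that each custom certificate has a .cer extension and chains to the trusted root, and reading out the common name that step 3 needs. The following is an added example, not part of the CA product or its documentation. It assumes OpenSSL is installed, that the files are PEM- or DER-encoded X.509 certificates, and that the root issued them directly, with no intermediate certificates; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: pre-deployment checks for custom certificates.
# Assumptions: OpenSSL is available; certificates are issued directly by the root.

# Emit the certificate as PEM whether the input file is PEM or DER encoded.
to_pem() {
  openssl x509 -in "$1" -inform PEM 2>/dev/null ||
    openssl x509 -in "$1" -inform DER 2>/dev/null
}

# Succeed only if <cert> has a .cer extension and verifies against <root>.
# Usage: check_cert <root.cer> <cert.cer>
check_cert() {
  local root="$1" cert="$2" tmp rc
  case "$cert" in
    *.cer) ;;
    *) echo "FAIL $cert: only .cer files are supported" >&2; return 1 ;;
  esac
  tmp=$(mktemp -d) || return 1
  if to_pem "$root" > "$tmp/root.pem" && to_pem "$cert" > "$tmp/cert.pem" &&
     openssl verify -CAfile "$tmp/root.pem" "$tmp/cert.pem" >/dev/null 2>&1; then
    rc=0
  else
    echo "FAIL $cert: does not chain to $root" >&2
    rc=1
  fi
  rm -rf "$tmp"
  return $rc
}

# Print the subject common name, the value step 3 adds to the
# AdministerObjects scoping policy when CAELMCert.cer is replaced.
common_name() {
  to_pem "$1" | openssl x509 -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= *//p'
}
```

Running `check_cert` with the same root file against both the custom service certificate and the custom agent certificate confirms the shared-root assumption stated above.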

More information:

Add the Trusted Root Certificate to the Management CA Enterprise Log Manager Server

Add the Trusted Root Certificate to All Other CA Enterprise Log Manager Servers

Add the Certificate Common Name to an Access Policy

Deploy the New Certificates

Agents and the Agent Certificate