

Certificate Distribution

Certificate distribution must be covered before certificate creation. Depending on the method of certificate creation chosen (see description in "Basic Host Identity Certificates"), certificate distribution can be quite complex.

CA ITCM does not provide any automated certificate distribution technology. It comes delivered with default certificates for each CA ITCM node and application-specific certificates.

To migrate away from the default certificates after a default install, distribute the certificates in the following (simplified) way. Because the old and new roots are trusted in parallel during the transition, trust migrates without any downtime in communications or authentication.

  1. Create new root certificate. Ensure that the root name (DN) is different from the existing CA ITCM root certificate.
  2. Schedule the distribution of the new root DER-encoded certificate to all nodes within the CA ITCM infrastructure. This establishes the new root as a trusted root authority on all CA ITCM nodes.
  3. Create new security profiles in the CA ITCM management database to replace the existing application-specific certificate profiles. Do not delete the old profiles yet.
  4. Schedule the distribution of new certificates to all of the CA ITCM nodes.
  5. After the certificate distribution is successful, schedule the deletion of the previous CA ITCM certificates.
  6. Delete the old security profiles for the application-specific certificates.

This list is not exhaustive. Contact CA Technologies' Technical Support for advice on major-scale certificate distribution and replacement with a full-scale PKI implementation.