SHA-2 is a cryptographic hash algorithm, developed by the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA), that is used to sign SSL certificates. Certificates signed with SHA-2 are more secure than those signed with any previous algorithm. In CA IdentityMinder, you can configure SHA-2 signed SSL certificates in place of certificates that are signed with the SHA-1 hash function.
Note: For more information about configuring SSL certificates, see the Installation Guide.
The following table shows the path location on the CA IdentityMinder server where you can place the SHA-2 signed certificates:

Certificates | Install Location | Description |
---|---|---|
Provisioning Server Certificate | [Provisioning Server install dir]/data/tls/server/eta2_servercert.pem<br>[Provisioning Server install dir]/data/tls/server/eta2_serverkey.pem<br>cs_install/ccs/data/tls/server/eta2_servercert.pem<br>cs_install/ccs/data/tls/server/eta2_serverkey.pem<br>cs_install/jcs/conf/eta2_server.p12 | Used by the Provisioning Server in .pem format and by CA IAM CS in .p12 format (including signed cert, private key and root CA cert).<br>Note: Import the eta2_server.p12 into cs_install/jcs/conf/ssl.keystore under the alias eta2_server and remove the existing entry. The ssl.keystore password is the password of the connector server that is supplied during the install. |
Provisioning Client Certificate | [Provisioning Server install dir]/data/tls/client/eta2_clientcert.pem<br>[Provisioning Server install dir]/data/tls/client/eta2_clientkey.pem<br>[Provisioning Manager install dir]/data/tls/client/eta2_clientcert.pem<br>[Provisioning Manager install dir]/data/tls/client/eta2_clientkey.pem<br>cs_install/ccs/data/tls/client/eta2_clientcert.pem<br>cs_install/ccs/data/tls/client/eta2_clientkey.pem<br>cs_install/jcs/conf/eta2_client.p12 | Used by the Provisioning Server in .pem format and by CA IAM CS in .p12 format (including signed cert, private key and root CA cert). |
Provisioning Directory Trusted Certificate | cadir_install/config/ssld/impd_trusted.pem | Used by CA Directory in .pem format. It must contain certificate content in the following structure:<br>-----BEGIN CERTIFICATE-----<br>Cert contents<br>-----END CERTIFICATE----- |
Provisioning Directory Personality Certificate | cadir_install/config/ssld/personalities/impd-co.pem<br>cadir_install/config/ssld/personalities/impd-inc.pem<br>cadir_install/config/ssld/personalities/impd-main.pem<br>cadir_install/config/ssld/personalities/impd-notify.pem<br>cadir_install/config/ssld/personalities/impd-router.pem | Used by CA Directory in .pem format. |
Root CA Certificate | [Provisioning Server install dir]/data/tls/et2_cacert.pem<br>[Provisioning Manager install dir]/data/tls/et2_cacert.pem<br>cs_install/ccs/data/tls/et2_cacert.pem<br>conxp_install/lib/jiam.jar<br>[Application Server install dir]/iam_im.ear/library/jiam.jar | The certificate is imported into the Connector Xpress keystore located at [Connector Xpress install dir]/conf/ssl.keystore. The certificate must also be imported into the jiam.jar keystore. To import, extract the jar, import the certificate into admincacerts.jks, and then repackage the jar contents. The keystore password of admincacerts.jks is "changeit". Verify that all copies of jiam.jar are replaced. |
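
Before copying replacement .pem files into the locations in the table, it is worth confirming that each one really carries a SHA-2 signature. The following is an added example, not CA tooling or code from this guide: it reads the signatureAlgorithm field of every certificate in a PEM file or bundle (such as impd_trusted.pem) and reports whether it is SHA-2 based, without verifying the signature itself. All function names are hypothetical, and the sample certificates are constructed DER skeletons rather than real certificates.

```python
import base64, re

SIG_ALGS = {  # signature-algorithm OID -> (name, is SHA-2 based)
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", True),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", True),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", True),
}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0  # first byte packs the first two arcs
    for b in body[1:]:  # remaining arcs are base-128, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_oid(cert):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    _, start, _ = read_tlv(cert, 0)             # outer SEQUENCE
    _, _, tbs_end = read_tlv(cert, start)       # skip tbsCertificate
    _, alg_start, _ = read_tlv(cert, tbs_end)   # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = read_tlv(cert, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return decode_oid(cert[oid_start:oid_end])

def audit_pem(text):
    """Return [(algorithm, is_sha2)] per certificate; unknown OIDs count as not SHA-2."""
    ders = (base64.b64decode("".join(m.group(1).split())) for m in PEM_RE.finditer(text))
    return [SIG_ALGS.get(oid, (oid, False)) for oid in map(signature_oid, ders)]

def der(tag, body):  # minimal DER encoder, used only to build the constructed sample
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 128 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def constructed_pem(oid_hex, filler=0):  # CONSTRUCTED certificate-shaped skeleton, not a real cert
    alg = der(0x30, der(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")
    cert = der(0x30, der(0x30, bytes(filler)) + alg + der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(cert).decode()
```

To check a real file, pass its text to `audit_pem`, for example the contents of eta2_servercert.pem; any entry whose second element is `False` is not a recognized SHA-2 signature.
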
Copyright © 2013 CA.
All rights reserved.