Add the Root Certificate Authority to the Certificate Database

Installation and Upgrade Guides › Directory Configuration Guide › Configuring SiteMinder Connections over SSL › How to Configure an LDAP User Directory Connection over SSL › Add the Root Certificate Authority to the Certificate Database

Add the Root Certificate Authority to the Certificate Database

You add the root Certificate Authority (CA) to make it available for communication over SSL.

Note: The following procedure details the specific options and arguments to complete the task. For a complete list of the NSS utility options and arguments, refer to the Mozilla documentation on the NSS project page.

Important! If you are running a SiteMinder utility or executable on Windows Server 2008, be sure to open the command–line window with Administrator permissions, even if you are logged into the system as an Administrator. For more information, see the release notes for your SiteMinder component.

To add the root CA certificate to the certificate database

From a command prompt, navigate to the bin directory in the location to which you extracted the NSS utility.
Example: C:\nss\bin

Note: Windows has a native certutil utility. Ensure you are working from the bin directory of the NSS utility or you may inadvertently run the Windows certutil utility.
Run the following command to add the root CA to the database file:
```
certutil -A -n alias -t trust_arguments -i root_CA_path -d certificate_database_directory
```
- -A
  Adds a certificate to the certificate database.
- -n alias
  Specifies an alias for the certificate.
  
  Note: If the alias contains spaces, bracket the alias with quotes.
- -t trust_arguments
  Specify the trust attributes to apply to the certificate when adding it to the certificate database. There are three available trust categories for each certificate, which are expressed in this order: "SSL, email, object signing". Specify the appropriate trust arguments so that the root CA is trusted to issue SSL certificates. In each category position, you may use zero or more of the following attribute arguments.
  
  p
  
  Valid peer.
  
  P
  
  Trusted peer. This argument implies p.
  
  c
  
  Valid CA.
  
  T
  
  Trusted CA to issue client certificates. This argument implies c.
  
  C
  
  Trusted CA to issue server certificates (SSL only). This argument implies c.
  
  Important! This is a required argument for the SSL trust category.
  
  u
  
  Certificate can be used for authentication or signing.
- -i root_CA_path
  Specifies the path to the root CA file. Consider the following:
  - The path must include the certificate name.
  - Valid extensions for a certificate include .cert, .cer, and .pem.
  Note: If the file path contains spaces, bracket the path in quotes.
- -d certificate_database_directory
  Specifies the path to the directory that contains the certificate database.
  
  Note: If the file path contains spaces, bracket the path in quotes.
NSS adds the root CA to the certificate database.

Example: Adding a Root CA to the Certificate Database

certutil -A -n "My Root CA"  -t "C,," -i C:\certificates\cacert.cer -d C:\certdatabase

Email CA about this topic