Previous Topic: Create the Certificate Database FilesNext Topic: Add the Server Certificate to the Certificate Database

Installation and Upgrade GuidesDirectory Configuration GuideConfiguring SiteMinder Connections over SSLHow to Configure an LDAP User Directory Connection over SSLAdd the Root Certificate Authority to the Certificate Database

Add the Root Certificate Authority to the Certificate Database

You add the root Certificate Authority (CA) to make it available for communication over SSL.

Note: The following procedure details the specific options and arguments to complete the task. For a complete list of the NSS utility options and arguments, refer to the Mozilla documentation on the NSS project page.

Important! Before running a SiteMinder utility or executable on Windows Server 2008, open the command line window with administrator permissions. Open the command line window this way, even if your account has administrator privileges.

To add the root CA certificate to the certificate database

  1. From a command prompt, navigate to the bin directory in the location to which you extracted the NSS utility.

    Example: C:\nss\bin

    Note: Windows has a native certutil utility. Verify that you are working from the bin directory of the NSS utility, or you can inadvertently run the Windows certutil utility.

  2. Run the following command to add the root CA to the database file: 
    certutil -A -n alias -t trust_arguments -i root_CA_path -d certificate_database_directory
    -A

    Adds a certificate to the certificate database.

    -n alias

    Specifies an alias for the certificate.

    Note: If the alias contains spaces, bracket the alias with quotes.

    -t trust_arguments

    Specify the trust attributes to apply to the certificate when adding it to the certificate database. There are three available trust categories for each certificate, which are expressed in this order: "SSL, email, object signing". Specify the appropriate trust arguments so that the root CA is trusted to issue SSL certificates. In each category position, you may use zero or more of the following attribute arguments.

    p

    Valid peer.

    P

    Trusted peer. This argument implies p.

    c

    Valid CA.

    T

    Trusted CA to issue client certificates. This argument implies c.

    C

    Trusted CA to issue server certificates (SSL only). This argument implies c.

    Important! This is a required argument for the SSL trust category.

    u

    Certificate can be used for authentication or signing.

    -i root_CA_path

    Specifies the path to the root CA file. Consider the following:

    • The path must include the certificate name.
    • Valid extensions for a certificate include .cert, .cer, and .pem.

    Note: If the file path contains spaces, bracket the path in quotes.

    -d certificate_database_directory

    Specifies the path to the directory that contains the certificate database.

    Note: If the file path contains spaces, bracket the path in quotes.

    NSS adds the root CA to the certificate database.

Example: Adding a Root CA to the Certificate Database

certutil -A -n "My Root CA"  -t "C,," -i C:\certificates\cacert.cer -d C:\certdatabase