

Add the Server Certificate to the Certificate Database

You add the server certificate to the certificate database to make it available for communication over SSL.

Note: The following procedure details the specific options and arguments to complete the task. For a complete list of the NSS utility options and arguments, refer to the Mozilla documentation on the NSS project page.

Important! Before running a SiteMinder utility or executable on Windows Server 2008, open the command line window with administrator permissions. Open the command line window this way, even if your account has administrator privileges.

To add the server certificate to the certificate database

  1. From a command prompt, navigate to the bin directory in the location to which you extracted the NSS utility.

    Example: C:\nss\bin

    Note: Windows has a native certutil utility. Verify that you are working from the bin directory of the NSS utility; otherwise, you can inadvertently run the Windows certutil utility.

  2. Run the following command to add the server certificate to the database file:
    certutil -A -n alias -t trust_arguments -i server_certificate_path -d certificate_database_directory
    
    -A

    Adds a certificate to the certificate database.

    -n alias

    Specifies an alias for the certificate.

    Note: If the alias contains spaces, bracket the alias with quotes.

    -t trust_arguments

    Specifies the trust attributes to apply to the certificate when it is added to the certificate database. Each certificate has three trust categories, which are expressed in this order: "SSL, email, object signing". Specify the appropriate trust arguments so that the certificate is trusted. In each category position, you may use zero or more of the following attribute arguments:

    p

    Valid peer.

    P

    Trusted peer. This argument implies p.

    Important! This is a required argument for the SSL trust category.

    -i server_certificate_path

    Specifies the path to the server certificate. Consider the following:

    • The path must include the certificate name.
    • Valid extensions for a certificate include .cert, .cer, and .pem.

    Note: If the file path contains spaces, bracket the path in quotes.

    -d certificate_database_directory

    Specifies the path to the directory that contains the certificate database.

    Note: If the file path contains spaces, bracket the path in quotes.

    NSS adds the server certificate to the certificate database.

Example: Adding a Server Certificate to the Certificate Database

certutil -A -n "My Server Certificate" -t "P,," -i C:\certificates\servercert.cer -d C:\certdatabase
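
The procedure above as one script, with a guard against running the native Windows certutil and a check that the stored certificate carries P in the SSL trust position. This is an added PowerShell example, not part of the original procedure; the paths, alias, and trust string are this page's sample values, and the row format of the -L listing is an assumption.

```powershell
# Added example. Values below are the sample values used on this page.
$NssBin   = 'C:\nss\bin'
$CertDb   = 'C:\certdatabase'
$CertFile = 'C:\certificates\servercert.cer'
$Alias    = 'My Server Certificate'
$Trust    = 'P,,'          # SSL, email, object signing
$ErrorActionPreference = 'Stop'

# The page requires a command window opened with administrator permissions.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$me = New-Object Security.Principal.WindowsPrincipal -ArgumentList $id
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Open the command window with administrator permissions first.'
}

# Call NSS certutil by full path so PATH lookup can never pick the native
# Windows certutil (normally under %SystemRoot%\System32).
$certutil = Join-Path $NssBin 'certutil.exe'
if (-not (Test-Path -LiteralPath $certutil -PathType Leaf)) {
    throw "NSS certutil not found at $certutil"
}
if ($certutil.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)) {
    throw "$certutil is under the Windows directory, not the NSS bin directory"
}

# Check the input file before touching the database.
if (-not (Test-Path -LiteralPath $CertFile -PathType Leaf)) {
    throw "Certificate file not found: $CertFile"
}
if ('.cert', '.cer', '.pem' -notcontains [IO.Path]::GetExtension($CertFile).ToLower()) {
    throw 'Certificate file must end in .cert, .cer, or .pem'
}

& $certutil -A -n $Alias -t $Trust -i $CertFile -d $CertDb
if ($LASTEXITCODE -ne 0) { throw "certutil -A failed (exit code $LASTEXITCODE)" }

# List the database and confirm the alias carries P in the SSL position.
# Assumes each listing row is "<nickname>   <ssl>,<email>,<objsign>".
$listing = & $certutil -L -d $CertDb
if ($LASTEXITCODE -ne 0) { throw "certutil -L failed (exit code $LASTEXITCODE)" }
$pattern = '^' + [regex]::Escape($Alias) + '\s+([^,\s]*),[^,\s]*,[^,\s]*\s*$'
$row = $listing | Where-Object { $_ -cmatch $pattern } | Select-Object -First 1
if (-not $row) { throw "Alias '$Alias' not found in $CertDb" }
$ssl = [regex]::Match($row, $pattern).Groups[1].Value
if ($ssl -cnotmatch 'P') { throw "SSL trust for '$Alias' is '$ssl'; expected P" }
"Added '$Alias' with SSL trust '$ssl'"
```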