About NNMi JKS Certificates

 

Certificate Terminology

Concept

Description

Keystore and Truststore

Truststore: The NNMi truststore is the nnm.truststore file, in which you store public keys from sources that you want NNMi to trust.

Keystore: The NNMi keystore is the nnm.keystore file, into which you import the NNMi server’s private key.

The nnm.truststore and nnm.keystore files are located at:

  • Linux: $NNM_DATA/shared/nnm/certificates/

  • Windows: %NNM_DATA%\shared\nnm\certificates\

Default NNMi certificates

NNMi is installed with a self-signed certificate generated using default properties. You can replace the default certificate with another self-signed or CA-signed certificate.

Tools

Certificates are generated and managed using Java's Keytool utility. Additionally, NNMi provides the nnmmergecert.ovpl utility to merge certificates to establish trust within NNMi systems. This program is used in HA, Failover, and GNM-RNM setups.

Supported encryption algorithms

NNMi accepts certificates generated using the RSA algorithm. The DSA algorithm is not supported.

Self-Signed Certificate

A self-signed certificate is typically used for establishing secure communication between your server and a known group of clients. NNMi installs with a self-signed certificate generated using default properties.

Note: NNMi instances configured to use a self-signed certificate will display a warning message when users try to access the NNMi web console in a web browser.

CA-Signed Certificate

The signed server certificate that you receive in response to the Certificate Signing Request contains the CA-signed NNMi certificate and one or more CA certificates (if there is more than one CA certificate, this is also known as the certificate chain).

Note: These certificates might be in a single file or in two separate files.

Root CA Certificate

Identifies the certificate authority that is trusted to sign certificates for servers and users.

Intermediate CA Certificate

A certificate signed by either a root or intermediate CA that is itself an authority, rather than a server or user.

Note: The list of certificates from the NNMi server certificate to the root CA certificate, including any intermediate CA certificates, is known as the certificate chain.
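
The terms above can be checked against a real keystore. The following is an added example, not part of the NNMi documentation or tooling: a shell function that reads `keytool -list -v` output and reports, per alias, whether the entry's key is RSA (the only algorithm NNMi accepts) and whether the entry is self-signed or CA-signed. It assumes the `Owner:`, `Issuer:` and `Subject Public Key Algorithm:` lines printed by recent JDK keytool versions; the aliases and names in the sample are constructed.

```shell
# Added example. Reads `keytool -list -v` output on stdin and prints one line
# per keystore entry: alias|key algorithm verdict|self-signed or CA-signed.
audit_keytool_listing() {
    awk '
        function emit() {
            if (alias == "") return
            algo = (keyalg == "") ? "UNKNOWN" : ((keyalg ~ /RSA/) ? "RSA" : "NOT-RSA")
            kind = (owner == "") ? "UNKNOWN" : ((owner == issuer) ? "self-signed" : "CA-signed")
            print alias "|" algo "|" kind
        }
        # A new alias closes the previous entry and resets its fields.
        /^Alias name: / { emit(); sub(/^Alias name: /, ""); alias = $0
                          owner = issuer = keyalg = ""; next }
        # Only Certificate[1] (the entry itself) counts; later Owner/Issuer
        # lines belong to the CA certificates further up the chain.
        /^Owner: /  && owner  == "" { owner  = substr($0, 8) }
        /^Issuer: / && issuer == "" { issuer = substr($0, 9) }
        /^Subject Public Key Algorithm: / && keyalg == "" { keyalg = $0 }
        END { emit() }
    '
}

# Constructed sample in the layout of `keytool -list -v` (not real NNMi data).
sample_listing() {
    cat <<'EOF'
Alias name: example-selfsigned
Certificate[1]:
Owner: CN=nnmi.example.com
Issuer: CN=nnmi.example.com
Subject Public Key Algorithm: 2048-bit RSA key

Alias name: example-casigned
Certificate[1]:
Owner: CN=nnmi.example.com
Issuer: CN=Example Intermediate CA
Subject Public Key Algorithm: 2048-bit RSA key
Certificate[2]:
Owner: CN=Example Intermediate CA
Issuer: CN=Example Root CA
Subject Public Key Algorithm: 4096-bit RSA key

Alias name: example-dsa
Certificate[1]:
Owner: CN=legacy.example.com
Issuer: CN=legacy.example.com
Subject Public Key Algorithm: 2048-bit DSA key
EOF
}
# Real use: keytool -list -v -keystore "$NNM_DATA/shared/nnm/certificates/nnm.keystore" | audit_keytool_listing
sample_listing | audit_keytool_listing
```

An entry reported as `NOT-RSA` needs to be regenerated with an RSA key before NNMi will accept it, and `self-signed` entries are the ones that trigger the browser warning noted above.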