Generating a CA-Signed Certificate

To obtain and install a CA-signed certificate, follow these steps:

  1. Generate a self-signed certificate. For details, see Generating a Self-Signed Certificate.
  2. Run the following command to create a CSR (Certificate Signing Request) file:

    • Windows: %jdkdir%\bin\keytool.exe -keystore nnm.keystore -certreq -storepass nnmkeypass -alias <alias_name> -file CERTREQFILE
    • Linux: $jdkdir/bin/keytool -keystore nnm.keystore -certreq -storepass nnmkeypass -alias <alias_name> -file CERTREQFILE

    Note  

    • In the command above, <alias_name> is the alias you provided when you generated the certificate.
    • For more information about the keytool command, search for “Key and Certificate Management Tool” at http://www.oracle.com/technetwork/java/index.html.
  3. Send the CSR to your CA signing authority, which signs the request and returns the certificate files. For information on different types of CA certificates, see Types of CA-Signed Certificates.
  4. Copy the files containing these certificates to a location on the NNMi management server. For this example, copy the files to the following location:

    • Windows: %NnmDataDir%\shared\nnm\certificates
    • Linux: $NnmDataDir/shared/nnm/certificates
  5. Change to the directory on the NNMi management server that contains the nnm.keystore and nnm.truststore files:

    • Windows: %NnmDataDir%\shared\nnm\certificates
    • Linux: $NnmDataDir/shared/nnm/certificates
  6. Run the following command to import the certificate into the nnm.keystore file:

    Windows:

    • %jdkdir%\bin\keytool.exe -importcert -trustcacerts -keystore nnm.keystore -storepass nnmkeypass -alias <alias_name> -file <myserver.crt>

    Linux:

    • $jdkdir/bin/keytool -importcert -trustcacerts -keystore nnm.keystore -storepass nnmkeypass -alias <alias_name> -file <myserver.crt>

      Note  

      • In the above command,
        • <myserver.crt> corresponds to the full path of the location where you have stored the signed server certificate.
        • <alias_name> is the alias you provided when you generated the certificate.
      • If you use the -storepass option and provide the password, the keystore program does not prompt you for the keystore password. If you do not use the -storepass option, enter nnmkeypass when prompted for the keystore password.
  7. When prompted to trust the certificate, enter: y

    Example output for importing a certificate into the keystore

    The output from the command is of the form:

    Owner: CN=NNMi_server.example.com
    Issuer: CN=NNMi_server.example.com
    Serial number: 494440748e5
    Valid from: Tue Oct 28 10:16:21 MST 2008 until: Thu Oct 04 11:16:21 MDT 2108
    Certificate fingerprints:
    MD5:  29:02:D7:D7:D7:D7:29:02:29:02:29:02:29:02:29:02
    SHA1: C4:03:7E:C4:03:7E:C4:03:7E:C4:03:7E:C4:03:7E:C4:03
    Trust this certificate? [no]:  y
    Certificate was added to keystore
  8. Run the following commands to import the certificate into the nnm.truststore file:

    • Windows:

      %jdkdir%\bin\keytool.exe -import -alias <alias_name> -keystore nnm.truststore -file <myca.crt>
    • Linux:

      $jdkdir/bin/keytool -import -alias <alias_name> -keystore nnm.truststore -file <myca.crt>

      Note  

      • In the above command,
        • <myca.crt> corresponds to the full path of the location where you have stored the CA certificates.
        • <alias_name> is the alias you provided when you generated the certificate.
      • If you use the -storepass option and provide the password, the keystore program does not prompt you for the keystore password. If you do not use the -storepass option, enter nnmkeypass when prompted for the keystore password.
  9. When prompted for the truststore password, enter: ovpass
  10. Examine the contents of the truststore:
    • Windows:

      %jdkdir%\bin\keytool -list -keystore nnm.truststore
    • Linux:

      $jdkdir/bin/keytool -list -keystore nnm.truststore

    When prompted for the truststore password, enter: ovpass

    Example truststore output

    The truststore output is of the form:

    Keystore type: jks
    Keystore provider: SUN
    Your keystore contains 1 entry
    nnmi_ldap, Nov 14, 2008, trustedCertEntry,
    Certificate fingerprint (MD5): 29:02:D7:D7:D7:D7:29:02:29:02:29:02:29:02:29:02

    Tip: The truststore can include multiple certificates.
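
A check to run after step 6, as an added example that is not part of the NNMi documentation: it reads keytool -list -v output and reports whether the alias still holds the self-signed certificate from step 1 or now carries a certificate issued by a different party. The alias nnmi_server, the CA name and both sample listings are constructed; comparing Owner with Issuer is a heuristic and does not validate the chain.

```shell
# Added example (not NNMi code): classify one alias from `keytool -list -v` output on stdin.
# Prints: ca-signed | self-signed | not-a-key-entry | alias-not-found
classify_alias() {
    awk -v want="$1" '
        /^Alias name: / { cur = tolower(substr($0, 13)); leaf_done = 0 }
        cur != tolower(want) { next }
        /^Entry type: / { type = substr($0, 13); found = 1 }
        # The first Owner/Issuer pair of an entry is the server (leaf) certificate.
        /^Owner: /  && !leaf_done { owner = substr($0, 8) }
        /^Issuer: / && !leaf_done { issuer = substr($0, 9); leaf_done = 1 }
        END {
            if (!found)                         print "alias-not-found"
            else if (type != "PrivateKeyEntry") print "not-a-key-entry"
            else if (owner == issuer)           print "self-signed"
            else                                print "ca-signed"
        }'
}

# Constructed sample: keystore after step 1 (self-signed certificate only).
sample_self_signed() {
    cat <<'EOF'
Alias name: nnmi_server
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=NNMi_server.example.com
Issuer: CN=NNMi_server.example.com
EOF
}

# Constructed sample: same alias after step 6, plus a CA held only as a trusted entry.
sample_ca_signed() {
    cat <<'EOF'
Alias name: nnmi_server
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=NNMi_server.example.com
Issuer: CN=Example Issuing CA
Certificate[2]:
Owner: CN=Example Issuing CA
Issuer: CN=Example Issuing CA
Alias name: example_ca
Entry type: trustedCertEntry
Owner: CN=Example Issuing CA
Issuer: CN=Example Issuing CA
EOF
}

# Real use: "$jdkdir/bin/keytool" -list -v -keystore nnm.keystore -storepass nnmkeypass | classify_alias <alias_name>
sample_self_signed | classify_alias nnmi_server
sample_ca_signed | classify_alias nnmi_server
```

A result of self-signed after step 6 means the CA reply was not stored under the key's alias; not-a-key-entry means the alias holds only a trusted certificate with no private key behind it.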