Search for	Example	Results
A single word	`cat`	Topics that contain the word "cat". You will also find its grammatical variations, such as "cats".
A phrase. You can specify that the search results contain a specific phrase.	`"cat food"` (quotation marks)	Topics that contain the literal phrase "cat food" and all its grammatical variations. Without the quotation marks, the query is equivalent to specifying an OR operator, which finds topics with one of the individual words instead of the phrase.

Search for	Operator	Example
Two or more words in the same topic	`AND` `and` `+` (plus symbol) `&` (ampersand)	`cat AND dog` `"cat food"+milk` `"cat food"&"dog food"`
Either word in a topic	`OR` `or` `\|` (pipe)	`cat OR dog` `cat \| dog`
Topics that do not contain a specific word or phrase	`NOT` `not` `!` (exclamation point)	`NOT cat` `! dog`
Topics that contain one string and do not contain another	`^` (caret)	`cat ^ mouse`
A combination of search types	`( )` parentheses	`cat + (dog \| mouse)` `cat \| dog + (! mouse)`

Network Node Manager i Software10.30

Administer > Manage Certificates > Using Certificates with the PKCS #12 Repository > Generating a CA-Signed Certificate

Generating a CA-Signed Certificate

Note NNMi 10.20 introduces a Public Key Cryptography Standards (PKCS) #12 repository to store certificates. The new PKCS #12 file-based certificate management technique is available for use as soon as you install a new instance of NNMi10.30 on a system. Environments upgraded from an older version of NNMi continue to use a JKS repository to store certificates.

In upgraded environments, you can migrate to the PKCS #12 repository by using the steps in Configure an Upgraded NNMi Environment to Use the New Keystore.

If you have upgraded to NNMi 10.30 and did not complete the steps in Configure an Upgraded NNMi Environment to Use the New Keystore, skip to Generating a CA-Signed Certificate.

To obtain and install a CA-signed certificate, follow these steps:

Generate a self-signed certificate. For details, see Generating a Self-Signed Certificate.
Run the following command to create a CSR (Certificate Signing Request) file:
- Windows: %NnmInstallDir%\bin\nnmkeytool.ovpl -keystore nnm-key.p12 -certreq -storetype PKCS12 -storepass nnmkeypass -alias <alias_name> -file CERTREQFILE
- Linux: $NnmInstallDir/bin/nnmkeytool.ovpl -keystore nnm-key.p12 -certreq -storetype PKCS12 -storepass nnmkeypass -alias <alias_name> -file CERTREQFILE
Note

In the command above, <alias_name> corresponds to the alias you had provided at the time of generating the certificate.
Send the CSR to your CA signing authority which signs and returns the certificate files. For information on different types of CA certificates, see Types of CA-Signed Certificates.

The CA signing authority returns one of the following:
- A single signed server certificate file (referred to as myserver.crt in this section). The single file contains the server certificate (the NNMi certificate that is CA-signed), one or more intermediate CA certificates, and the root CA certificate. All the certificates in this single file form a certificate chain.
- A set of two files that includes a signed server certificate file (referred to as myserver.crt in this section) and a separate file containing the CA certificates (referred to as the myca.crt file). The myserver.crt file contains either a single server certificate or a certificate chain, but NOT the root CA certificate, which remains in the myca.crt file.
Note If your CA returns the certificates in other forms, contact the CA provider for more information about how to obtain the separate certificate chain and Root CA Certificate.
Prepare the certificate files.

The certificate chain must be imported to the keystore file and the root CA certificate must be imported to the truststore file. Additionally, if you installed iSPIs on the NNMi management server, you must import the server-signed certificate too to the truststore file.

Note iSPIs that reside on the NNMi management server use NNMi's certificates.
- If you received a single file from step 3
  1. Copy the root CA certificates from that file into a separate myca.crt file.
  2. (Only if you installed iSPIs on the NNMi management server) Copy the server certificate (the NNMi certificate that is CA-signed) from that file into a separate nnmi-server.crt file.
- If you received a set of two files from step 3
  1. (Only if you installed iSPIs on the NNMi management server) Save a copy of the myserver.crt file as nnmi-server.crt.
  2. Add the myca.crt (the root CA certificate) file content to the end of the myserver.crt file and also remove any extra intermediate certificates from the myca.crt file, if it has any. This should result in one file, myserver.crt, containing the full certificate chain and one file, myca.crt, containing the Root CA Certificate.
Copy the files containing these certificates to a location on the NNMi management server. For this example, copy the files to the following location:
- Windows: %NnmDataDir%\shared\nnm\certificates
- Linux: $NnmDataDir/shared/nnm/certificates
Change to the directory on the NNMi management server that contains the keystore and truststore files:
- Windows: %NnmDataDir%\shared\nnm\certificates
- Linux: $NnmDataDir/shared/nnm/certificates
Run the following command to import the certificate into the keystore file:

Windows:
%NnmInstallDir%\bin\nnmkeytool.ovpl -importcert -trustcacerts -keystore nnm-key.p12 -storetype PKCS12 -storepass nnmkeypass -file <path_to_myserver.crt>

Linux:

$NnmInstallDir/bin/nnmkeytool.ovpl -importcert -trustcacerts -keystore nnm-key.p12 -storetype PKCS12 -storepass nnmkeypass -file<path_to_myserver.crt>

Note In the above command, <path_to_myserver.crt> corresponds to the full path of the location where you have stored the CA-signed server certificate.

When prompted to trust the certificate, enter: y

Example output for importing a certificate into the keystore

The output from the command is of the form:

Owner: CN=NNMi_server.example.com

Issuer: CN=NNMi_server.example.com

Serial number: 494440748e5

Valid from: Tue Oct 28 10:16:21 MST 2008 until: Thu Oct 04 11:16:21 MDT 2108

Certificate fingerprints:

MD5:  29:02:D7:D7:D7:D7:29:02:29:02:29:02:29:02:29:02

SHA1: C4:03:7E:C4:03:7E:C4:03:7E:C4:03:7E:C4:03:7E:C4:03

Trust this certificate? [no]:  y

Certificate was added to keystore

Run the following commands to import the root certificate into the truststore file:
- Windows:
  
  %NnmInstallDir%\bin\nnmkeytool.ovpl -import -alias <alias_name> -storetype PKCS12 -keystore nnm-trust.p12 -file <path_to_myca.crt> -storepass ovpass
- Linux:
  
  $NnmInstallDir/bin/nnmkeytool.ovpl -import -alias <alias_name> -storetype PKCS12 -keystore nnm-trust.p12 -file <path_to_myca.crt> -storepass ovpass
Note

In the above command,
- <path_to_myca.crt> corresponds to the full path of the location where you have stored the root certificate.
- <alias_name> corresponds to the alias you had provided at the time of generating the certificate.

Examine the contents of the truststore:

Windows:

%NnmInstallDir%\bin\nnmkeytool.ovpl -list -keystore nnm-trust.p12 -storetype PKCS12

Linux:

$NnmInstallDir/bin/nnmkeytool.ovpl -list -keystore nnm-trust.p12 -storetype PKCS12

When prompted for the truststore password, enter: ovpass

Example truststore output

The truststore output is of the form:

Keystore type: pkcs

Keystore provider: JKS

Your keystore contains 1 entry

nnmi_ldap, Nov 14, 2008, trustedCertEntry,

Certificate fingerprint (MD5): 29:02:D7:D7:D7:D7:29:02:29:02:29:02:29:02:29:02

Tip The truststore can include multiple certificates.

Import the server certificate (the NNMi certificate that is CA-signed) into the truststore file.

Note Follow this step only if you installed iSPIs on the NNMi management server.

Run the following commands to import the CA-signed server certificate into the truststore file:
- Windows:
  %NnmInstallDir%\bin\nnmkeytool.ovpl -import -alias <alias_name> -storetype PKCS12 -keystore nnm-trust.p12 -file <path_to_nnmi-server.crt> -storepass ovpass
- Linux:
  $NnmInstallDir/bin/nnmkeytool.ovpl -import -alias <alias_name> -storetype PKCS12 -keystore nnm-trust.p12 -file <path_to_nnmi-server.crt> -storepass ovpass
  Note
  In the above command,
  - <path_to_nnmi-server.crt> corresponds to the full path of the location where you have stored the server certificate (the NNMi certificate that is CA-signed).
  - <alias_name> corresponds to the alias you had provided at the time of generating the certificate.

Types of CA-Signed Certificates

Note If your CA returns the certificates in other forms, contact the CA provider for instructions about obtaining the certificate chain and the Root CA Certificate.

The Certificate Authority (CA) should provide you with one of the following:

A signed server certificate file containing the server certificate (the NNMi certificate that is CA signed) and one or more CA certificates. This section refers to the signed server certificate as myserver.crt.

A CA Certificate can be either of the following:
- Root CA Certificate - Identifies the authority that is trusted to sign certificates for servers and users.
- Intermediate CA Certificate - A certificate signed by either a root or intermediate CA that is itself an authority, rather than a server or user.
  
  Note The list of certificates from the NNMi server certificate to the root CA certificate, including any intermediate CA certificates, is known as the certificate chain.
A signed server certificate and a separate file containing one or more CA certificates. This section refers to the signed server certificate as myserver.crt and the CA certificates as myca.crt. The myserver.crt file should contain either a single server certificate or a certificate chain, but NOT the root CA certificate, which would be in the myca.crt file.

To configure NNMi with the new certificate, you must import the certificate chain into the nnm-key.p12 and the root CA Certificate into the nnm-trust.p12. Use the myserver.crt file when importing the server certificate into the nnm-key.p12 file and the myca.crt file when importing the CA certificate into the nnm-trust.p12 file.

Note If your CA returns the certificates in other forms, contact the CA provider for instructions about obtaining the separate certificate chain and root CA Certificate.

When provided with one file that contains a full certificate chain, copy the root CA certificate from that file into the myca.crt file. Use the myca.crt file to import into the nnm-trust.p12 so that NNMi trusts the CA that issued the certificate.

When provided two files, add the myca.crt file content to the end of the myserver.crt, if the file does not include it. Also, be sure to remove any extra intermediate certificates from the myca.crt file. This should result in the following files:

myserver.crt, containing the full certificate chain
myca.crt, containing the root CA Certificate

Note When using a CA, only the root CA certificate is generally added to the nnm-trust.p12. Adding intermediate CA or server certificates to the nnm-trust.p12 will cause those certificates to be explicitly trusted and not checked for additional information, such as revocation. Only add additional certificates to the nnm-trust.p12 if your CA requires it.

The following examples show what the files received from a CA signing authority might look like:

Separate server and CA certificate files:

-----BEGIN CERTIFICATE-----

Sample/AVQQKExNQU0EgQ29ycG9yYXRpb24gTHRkMRAwDgYDVQQLEwdOZXR3b3Js

eGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlw

................................................................

................................................................

TZImiZPyLGQBGRYDaW50MRIwEAYKCZImiZPyLGQBGRYCc2cxEzARBgNVBAMTCmNb

pSo6o/76yShtT7Vrlfz+mXjWyEHaIy/QLCpPebYhejHEg4dZgzWWT/lQt==

-----END CERTIFICATE-----

Combined server and CA certificates in one file:

-----BEGIN CERTIFICATE-----

Sample1/VQQKExNQU0EgQ29ycG9yYXRpb24gTHRkMRAwDgYDVQQLEwdOZXR3b3Js

eGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlw

................................................................

................................................................

TZImiZPyLGQBGRYDaW50MRIwEAYKCZImiZPyLGQBGRYCc2cxEzARBgNVBAMTCmNb

pSo6o/76yShtT7Vrlfz+mXjWyEHaIy/QLCpPebYhejHEg4dZgzWWT/lQt==

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

Sample2/Gh0dHA6Ly9jb3JwMWRjc2cyLnNnLmludC5wc2FnbG9iYWwuY29tL0Nlc

RaOCApwwggKYMB0GA1UdDgQWBBSqaWZzCRcpvJWOFPZ/Be9b+QSPyDAfBgNVHSMC

................................................................

................................................................

Wp5Lz1ZJAOu1VHbPVdQnXnlBkx7V65niLoaT90Eqd6laliVlJHj7GBriJ90uvVGu

BQagggEChoG9bGRhcDovLy9DTj1jb3JwMWRjc2cyL==

-----END CERTIFICATE-----

Send Help Center feedback