Generating a CA-Signed Certificate

Note NNMi 10.20 introduces a Public Key Cryptography Standards (PKCS) #12 repository for storing certificates. A new installation of NNMi 10.30 uses this PKCS #12 file-based certificate management from the start. Environments upgraded from an older version of NNMi continue to use a JKS repository to store certificates until they are migrated.

In upgraded environments, you can migrate to the PKCS #12 repository by using the steps in Configure an Upgraded NNMi Environment to Use the New Keystore.

If you have upgraded to NNMi 10.30 and did not complete the steps in Configure an Upgraded NNMi Environment to Use the New Keystore, your environment still uses the JKS repository: skip to Generating a CA-Signed Certificate. The procedure below applies only to the PKCS #12 repository (the nnm-key.p12 keystore and the nnm-trust.p12 truststore).

To obtain and install a CA-signed certificate, follow these steps:

  1. Generate a self-signed certificate. For details, see Generating a Self-Signed Certificate.
  2. Run the following command to create a CSR (Certificate Signing Request) file:

    • Windows: %NnmInstallDir%\bin\nnmkeytool.ovpl -keystore nnm-key.p12 -certreq -storetype PKCS12 -storepass nnmkeypass -alias <alias_name> -file CERTREQFILE
    • Linux: $NnmInstallDir/bin/nnmkeytool.ovpl -keystore nnm-key.p12 -certreq -storetype PKCS12 -storepass nnmkeypass -alias <alias_name> -file CERTREQFILE

    Note In the command above, <alias_name> is the alias you provided when you generated the self-signed certificate; the CSR is created for that key pair, and the CA-signed certificate must later be imported under the same alias.

  3. Send the CSR to your CA, which signs it and returns the certificate files. For information on the different forms in which a CA returns certificates, see Types of CA-Signed Certificates.

    The CA signing authority returns one of the following:

    • A single signed server certificate file (referred to as myserver.crt in this section). The single file contains the server certificate (the NNMi certificate that is CA-signed), one or more intermediate CA certificates, and the root CA certificate. All the certificates in this single file form a certificate chain.

    • A set of two files that includes a signed server certificate file (referred to as myserver.crt in this section) and a separate file containing the CA certificates (referred to as the myca.crt file). The myserver.crt file contains either a single server certificate or a certificate chain, but NOT the root CA certificate, which remains in the myca.crt file.

    Note If your CA returns the certificates in other forms, contact the CA provider for more information about how to obtain the separate certificate chain and Root CA Certificate.

  4. Prepare the certificate files.

    The certificate chain must be imported into the keystore file (nnm-key.p12) and the root CA certificate into the truststore file (nnm-trust.p12). Additionally, if you installed iSPIs on the NNMi management server, you must also import the CA-signed server certificate into the truststore file.

    Note iSPIs that reside on the NNMi management server use NNMi's certificates.

    • If you received a single file from step 3

      1. Copy the root CA certificate from that file into a separate myca.crt file. The root is the certificate whose Issuer is the same as its Owner (it is self-signed); leave the intermediate CA certificates in myserver.crt.
      2. (Only if you installed iSPIs on the NNMi management server) Copy the server certificate (the NNMi certificate that is CA-signed) from that file into a separate nnmi-server.crt file.
    • If you received a set of two files from step 3

      1. (Only if you installed iSPIs on the NNMi management server) Save a copy of the myserver.crt file as nnmi-server.crt.
      2. Append the content of myca.crt to the end of the myserver.crt file, and then remove any intermediate CA certificates from myca.crt so that it holds only the root CA certificate. This should result in one file, myserver.crt, containing the full certificate chain (server certificate, intermediate CA certificates, root CA certificate), and one file, myca.crt, containing only the root CA certificate.
  5. Copy the files containing these certificates to a location on the NNMi management server. For this example, copy the files to the following location:

    • Windows: %NnmDataDir%\shared\nnm\certificates
    • Linux: $NnmDataDir/shared/nnm/certificates
  6. Change to the directory on the NNMi management server that contains the keystore and truststore files:

    • Windows: %NnmDataDir%\shared\nnm\certificates
    • Linux: $NnmDataDir/shared/nnm/certificates
  7. Run the following command to import the CA-signed certificate chain into the keystore file. The -alias must be the alias of the key pair you generated in step 1: keytool installs a CA reply onto an existing private-key entry only when the alias matches, and rejects a reply whose first certificate does not contain that entry's public key.

    • Windows: %NnmInstallDir%\bin\nnmkeytool.ovpl -importcert -trustcacerts -alias <alias_name> -keystore nnm-key.p12 -storetype PKCS12 -storepass nnmkeypass -file <path_to_myserver.crt>
    • Linux: $NnmInstallDir/bin/nnmkeytool.ovpl -importcert -trustcacerts -alias <alias_name> -keystore nnm-key.p12 -storetype PKCS12 -storepass nnmkeypass -file <path_to_myserver.crt>

    Note In the above command, <path_to_myserver.crt> is the full path of the file that holds the CA-signed server certificate with its chain, and <alias_name> is the alias you provided when you generated the self-signed certificate. If you omit -alias, keytool assumes the alias mykey; because no key pair exists under that alias, it adds the file as a separate trusted-certificate entry instead of replacing the self-signed certificate on your key pair, and NNMi keeps presenting the self-signed certificate.

  8. If keytool prompts you to trust the certificate, enter: y

    keytool prompts only when it cannot build a trusted path for the chain in myserver.crt (for example, when the root CA certificate is present neither in the keystore nor in the Java cacerts file). When the path verifies, keytool installs the reply without prompting and reports: Certificate reply was installed in keystore

    Example output for importing a certificate into the keystore

    The output from the command is of the form (the names, dates, serial number and fingerprints are sample values; for a CA-signed certificate the Issuer is the CA, not the server):

    Owner: CN=NNMi_server.example.com
    Issuer: CN=NNMi_server.example.com
    Serial number: 494440748e5
    Valid from: Tue Oct 28 10:16:21 MST 2008 until: Thu Oct 04 11:16:21 MDT 2108
    Certificate fingerprints:
    MD5:  29:02:D7:D7:D7:D7:29:02:29:02:29:02:29:02:29:02
    SHA1: C4:03:7E:C4:03:7E:C4:03:7E:C4:03:7E:C4:03:7E:C4:03
    Trust this certificate? [no]:  y
    Certificate was added to keystore
  9. Run the following commands to import the root CA certificate into the truststore file:

    • Windows:

      %NnmInstallDir%\bin\nnmkeytool.ovpl -import -alias <root_ca_alias> -storetype PKCS12 -keystore nnm-trust.p12 -file <path_to_myca.crt> -storepass ovpass

    • Linux:

      $NnmInstallDir/bin/nnmkeytool.ovpl -import -alias <root_ca_alias> -storetype PKCS12 -keystore nnm-trust.p12 -file <path_to_myca.crt> -storepass ovpass

    Note In the above command,

    • <path_to_myca.crt> is the full path of the file that holds only the root CA certificate.
    • <root_ca_alias> is a label for this truststore entry (for example, the name of the CA). It must be unique within nnm-trust.p12: keytool refuses to import a certificate under an alias that already exists, so do not reuse the alias of the key pair if you will also import the server certificate into the truststore in step 11.

  10. Examine the contents of the truststore:
    • Windows:

      %NnmInstallDir%\bin\nnmkeytool.ovpl -list -keystore nnm-trust.p12 -storetype PKCS12  
    • Linux:

      $NnmInstallDir/bin/nnmkeytool.ovpl -list -keystore nnm-trust.p12 -storetype PKCS12

    When prompted for the truststore password, enter: ovpass

    Example truststore output

    The truststore output is of the form (the alias, date and fingerprint are sample values):

    Keystore type: PKCS12
    Keystore provider: SunJSSE
    Your keystore contains 1 entry
    <root_ca_alias>, Nov 14, 2008, trustedCertEntry,
    Certificate fingerprint (MD5): 29:02:D7:D7:D7:D7:29:02:29:02:29:02:29:02:29:02

    Tip The truststore can include multiple certificates; each entry needs its own alias. Before relying on the entry, compare the fingerprint shown here with the one your CA publishes for its root certificate.

  11. Import the server certificate (the NNMi certificate that is CA-signed) into the truststore file.

    Note Follow this step only if you installed iSPIs on the NNMi management server.

    Run the following commands to import the CA-signed server certificate into the truststore file:

    • Windows:

      %NnmInstallDir%\bin\nnmkeytool.ovpl -import -alias <alias_name> -storetype PKCS12 -keystore nnm-trust.p12 -file <path_to_nnmi-server.crt> -storepass ovpass

    • Linux:

      $NnmInstallDir/bin/nnmkeytool.ovpl -import -alias <alias_name> -storetype PKCS12 -keystore nnm-trust.p12 -file <path_to_nnmi-server.crt> -storepass ovpass

    Note In the above command,

    • <path_to_nnmi-server.crt> is the full path of the file that holds only the server certificate (the NNMi certificate that is CA-signed), not the whole chain.
    • <alias_name> is the alias you provided when you generated the certificate. It must differ from the alias you used for the root CA certificate in step 9, because aliases are unique within nnm-trust.p12.

Types of CA-Signed Certificates

Note If your CA returns the certificates in other forms, contact the CA provider for instructions about obtaining the certificate chain and the Root CA Certificate.

The Certificate Authority (CA) should provide you with one of the following:

  • A signed server certificate file containing the server certificate (the NNMi certificate that is CA-signed) and one or more CA certificates. This section refers to the signed server certificate as myserver.crt.

    A CA Certificate can be either of the following:

    • Root CA Certificate - Identifies the authority that is trusted to sign certificates for servers and users.
    • Intermediate CA Certificate - A certificate signed by either a root or intermediate CA that is itself an authority, rather than a server or user.

      Note The list of certificates from the NNMi server certificate to the root CA certificate, including any intermediate CA certificates, is known as the certificate chain.

  • A signed server certificate and a separate file containing one or more CA certificates. This section refers to the signed server certificate as myserver.crt and the CA certificates as myca.crt. The myserver.crt file should contain either a single server certificate or a certificate chain, but NOT the root CA certificate, which would be in the myca.crt file.

To configure NNMi with the new certificate, you must import the certificate chain into the nnm-key.p12 and the root CA Certificate into the nnm-trust.p12. Use the myserver.crt file when importing the server certificate into the nnm-key.p12 file and the myca.crt file when importing the CA certificate into the nnm-trust.p12 file.

When provided with one file that contains a full certificate chain, copy the root CA certificate from that file into the myca.crt file. Use the myca.crt file to import into the nnm-trust.p12 so that NNMi trusts the CA that issued the certificate.

When provided two files, append the myca.crt file content to the end of myserver.crt, if that file does not already include it. Also remove any intermediate CA certificates from the myca.crt file so that only the root remains. This should result in the following files:

  • myserver.crt, containing the full certificate chain
  • myca.crt, containing the root CA Certificate

Note When using a CA, only the root CA certificate is generally added to the nnm-trust.p12. Adding intermediate CA or server certificates to the nnm-trust.p12 causes those certificates to be trusted directly, so a path that ends at one of them is accepted without the checks that apply along a path built up to the root, such as revocation. Only add additional certificates to the nnm-trust.p12 if your CA requires it.

The following examples show what the files received from a CA signing authority might look like:

Separate server and CA certificate files:

-----BEGIN CERTIFICATE-----
Sample/AVQQKExNQU0EgQ29ycG9yYXRpb24gTHRkMRAwDgYDVQQLEwdOZXR3b3Js
eGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlw
................................................................
................................................................
TZImiZPyLGQBGRYDaW50MRIwEAYKCZImiZPyLGQBGRYCc2cxEzARBgNVBAMTCmNb
pSo6o/76yShtT7Vrlfz+mXjWyEHaIy/QLCpPebYhejHEg4dZgzWWT/lQt==
-----END CERTIFICATE-----

Combined server and CA certificates in one file:

-----BEGIN CERTIFICATE-----
Sample1/VQQKExNQU0EgQ29ycG9yYXRpb24gTHRkMRAwDgYDVQQLEwdOZXR3b3Js
eGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlw
................................................................
................................................................
TZImiZPyLGQBGRYDaW50MRIwEAYKCZImiZPyLGQBGRYCc2cxEzARBgNVBAMTCmNb
pSo6o/76yShtT7Vrlfz+mXjWyEHaIy/QLCpPebYhejHEg4dZgzWWT/lQt==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Sample2/Gh0dHA6Ly9jb3JwMWRjc2cyLnNnLmludC5wc2FnbG9iYWwuY29tL0Nlc
RaOCApwwggKYMB0GA1UdDgQWBBSqaWZzCRcpvJWOFPZ/Be9b+QSPyDAfBgNVHSMC
................................................................
................................................................
Wp5Lz1ZJAOu1VHbPVdQnXnlBkx7V65niLoaT90Eqd6laliVlJHj7GBriJ90uvVGu
BQagggEChoG9bGRhcDovLy9DTj1jb3JwMWRjc2cyL==
-----END CERTIFICATE-----
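The following script is an added example for the "Prepare the certificate files" step (step 4 of the procedure above) and for the myserver.crt/myca.crt layout described in this section; it is not part of the NNMi documentation or product. It assumes a POSIX shell, awk and the openssl command line (available on Linux; on Windows run it on another host or with an OpenSSL build), and the function and file names are the author's choice. Given a bundle as a CA might deliver it, in any order and with or without the root, split_chain writes myserver.crt with the chain in server-to-root order, myca.crt with only the root, and nnmi-server.crt with only the server certificate, and refuses to proceed when an issuer is missing or the chain does not verify. The make_test_chain function builds a constructed root, issuing-CA and server chain with openssl so the example runs offline; with a real CA delivery, call split_chain on the delivered file instead.

```shell
#!/bin/sh
# Added example, not NNMi code: turns the certificate bundle a CA returns into the
# files the procedure above expects. Assumes a POSIX shell, awk and the openssl CLI.
#
#   split_chain <bundle.pem> <outdir>   writes, under <outdir>:
#     myserver.crt     server certificate, intermediates, root (server first) -> step 7
#     myca.crt         root CA certificate only                               -> step 9
#     nnmi-server.crt  server certificate only (only needed with iSPIs)        -> step 11
#   and returns non-zero if an issuer is missing or the chain does not verify.

cert_subject() { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//'; }

split_chain() {
    bundle=$1; outdir=$2; parts="$outdir/parts"
    rm -rf "$parts"; mkdir -p "$parts"

    # 1. One file per certificate, in the order the CA delivered them. Text outside
    #    the BEGIN/END markers (some CAs add a readable "subject=" line) is dropped.
    awk -v dir="$parts" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n); inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/   { inside = 0; close(f) }' "$bundle"

    # 2. The server (leaf) certificate is the one that issued no other certificate in the bundle.
    leaf=""
    for c in "$parts"/cert*.pem; do
        s=$(cert_subject "$c"); issued=0
        for d in "$parts"/cert*.pem; do
            if [ "$c" != "$d" ] && [ "$(cert_issuer "$d")" = "$s" ]; then issued=1; fi
        done
        if [ "$issued" -eq 0 ]; then leaf=$c; fi
    done
    if [ -z "$leaf" ]; then echo "no server certificate found in $bundle" >&2; return 1; fi
    cp "$leaf" "$outdir/nnmi-server.crt"

    # 3. Walk from the server certificate to its issuer, and so on, until a self-signed
    #    certificate: that one is the root and is the only certificate that belongs in myca.crt.
    : > "$outdir/myserver.crt"
    cur=$leaf; hops=0
    while :; do
        cat "$cur" >> "$outdir/myserver.crt"
        if [ "$(cert_subject "$cur")" = "$(cert_issuer "$cur")" ]; then
            cp "$cur" "$outdir/myca.crt"
            break
        fi
        next=""
        for d in "$parts"/cert*.pem; do
            if [ "$(cert_subject "$d")" = "$(cert_issuer "$cur")" ]; then next=$d; fi
        done
        hops=$((hops + 1))
        if [ -z "$next" ] || [ "$hops" -gt 10 ]; then
            echo "chain incomplete: no issuer for '$(cert_subject "$cur")' in $bundle" >&2
            return 1
        fi
        cur=$next
    done

    # 4. Prove the chain validates against the extracted root before any keystore is touched.
    openssl verify -CAfile "$outdir/myca.crt" -untrusted "$outdir/myserver.crt" "$leaf" >/dev/null
}

# Constructed test data (not a real CA): a root -> issuing CA -> server chain, delivered
# root first as some CAs do, so that the reordering in split_chain is exercised.
make_test_chain() {
    dir=$1; mkdir -p "$dir"
    printf 'basicConstraints=critical,CA:TRUE\n' > "$dir/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Root CA' \
        -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/root.csr" -signkey "$dir/root.key" \
        -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Issuing CA' \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/ca.ext" -out "$dir/int.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=nnmi.example.com' \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/server.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -out "$dir/server.pem" 2>/dev/null
    cat "$dir/root.pem" "$dir/int.pem" "$dir/server.pem" > "$dir/bundle.pem"
}

# Usage: make_test_chain /tmp/demo && split_chain /tmp/demo/bundle.pem /tmp/demo/out
```

After a run, pass out/myserver.crt to the keystore import in step 7 and out/myca.crt to the truststore import in step 9. The openssl verify at the end is the path check that keytool performs implicitly with -trustcacerts, done before any keystore is modified: a delivery with a missing intermediate fails here with a clear message instead of leaving NNMi presenting a chain that clients cannot validate.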