After the certificate has been signed by the third-party certifying authority, two certificate files are returned by the authority for importing into the Policy Management servers:
- A signed local client certificate (with the file suffix .crt)
- A certificate authority (CA) peer certificate (with the file suffix .pem)
Both certificates must be imported into the active CMP system for proper SSL communication.
Note: It may be necessary to edit the returned files to remove extraneous debugging information in the certificate. You must use a Linux-based editor to preserve line termination style.
The only content in the files should be the blocks of data beginning with:
-----BEGIN CERTIFICATE-----
and ending with:
-----END CERTIFICATE-----
All other text above or below these blocks should be removed.
A further modification needs to be made to the signed local client certificate. For the Policy Management servers to be able to import the local certificate successfully, the CA peer certificate must be merged into the signed local client certificate. Copy the BEGIN/END certificate text block from the CA peer certificate into the local client certificate file, below the BEGIN/END certificate text block that is already there. The final result is the original local client certificate text block immediately followed by the certificate text block of the CA peer certificate that was provided by the third-party signer. An example of what this should look like is as follows:
-----BEGIN CERTIFICATE-----
MIIC7zCCAligAwIBAgIBBTANBgkqhkiG9w0BAQUFADCBjDELMAkGA1UEBhMCVVMx
<text removed>
gJeTRnZwMJEXv71V85NGobVGqb1uR94kIQazFP5HC2b2C0Q=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDjTCCAvagAwIBAgIJAJCKgXrXbhQ/MA0GCSqGSIb3DQEBBQUAMIGMMQswCQYD
<text removed>
YVPOATiFnrt1B9Qb1P8kW8lwPmG88Gg6nqttolhAnIi/lWBcp+QZfJMxPBcMkH2k7A==
-----END CERTIFICATE-----
Either copy these certificate files to the Policy Management server in advance, or store them somewhere on the network accessible via SCP. They can be imported back into the system to secure the communication channel with the third-party system.
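One way to script the cleanup and merge described above, as an added example rather than product tooling. The function names and the file names local.crt and ca.pem are assumptions, and the sample certificate bodies are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example; function and file names are hypothetical, not product tooling.

# Print only the BEGIN/END CERTIFICATE blocks of a file, dropping all other
# text and any trailing whitespace or carriage returns on each line.
extract_cert_blocks() {
    sed 's/[[:space:]]*$//' "$1" | awk '
        /^-----BEGIN CERTIFICATE-----$/ { keep = 1 }
        keep { print }
        /^-----END CERTIFICATE-----$/ { keep = 0 }'
}

# Count lines in file $2 that exactly match the BEGIN or END marker named in $1.
count_marker() {
    sed 's/[[:space:]]*$//' "$2" |
        awk -v m="-----$1 CERTIFICATE-----" '$0 == m { n++ } END { print n + 0 }'
}

# Write the cleaned local client certificate followed by the cleaned CA peer
# certificate to $3. Refuses input with missing or unbalanced markers, which
# also catches a marker damaged during editing (for example a lost dash).
merge_chain() {
    local_crt=$1; ca_pem=$2; out=$3
    for f in "$local_crt" "$ca_pem"; do
        b=$(count_marker BEGIN "$f"); e=$(count_marker END "$f")
        if [ "$b" -lt 1 ] || [ "$b" -ne "$e" ]; then
            echo "bad certificate markers in $f (BEGIN=$b END=$e)" >&2
            return 1
        fi
    done
    if [ "$(count_marker BEGIN "$local_crt")" -ne 1 ]; then
        echo "expected exactly one certificate in $local_crt" >&2
        return 1
    fi
    { extract_cert_blocks "$local_crt"; extract_cert_blocks "$ca_pem"; } > "$out"
}

# Constructed sample input: debug text around placeholder bodies, one file
# with CRLF line endings. These are not real certificates.
write_samples() {
    printf 'Certificate:\r\n    Data: debug text\r\n-----BEGIN CERTIFICATE-----\r\nTE9DQUwtUExBQ0VIT0xERVI=\r\n-----END CERTIFICATE-----\r\n' > "$1/local.crt"
    printf 'issuer=constructed CA\n-----BEGIN CERTIFICATE-----\nQ0EtUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\ntrailing note\n' > "$1/ca.pem"
}
```

Calling `merge_chain local.crt ca.pem merged.crt` leaves the two input files untouched and writes the merged result to the third path.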
To import the certificates: