Importing the Third-party Signed Certificates

After the certificate has been signed by the third-party certifying authority, two certificate files are returned by the authority for importing into the Policy Management servers:
  • A signed local client certificate (with the file suffix .crt)
  • A certificate authority (CA) peer certificate (with the file suffix .pem)

Both certificates must be imported into the active CMP system for proper SSL communication.

Note: It may be necessary to edit the returned files to remove extraneous debugging information from the certificate. You must use a Linux-based editor to preserve the line termination style.

The only content in the files should be the blocks of data beginning with:

-----BEGIN CERTIFICATE-----

and ending with:

-----END CERTIFICATE-----

All other text above or below these blocks should be removed.

A further modification needs to be made to the signed local client certificate.

For the Policy Management servers to be able to import the local certificate successfully, the CA peer certificate must be merged into the signed local client certificate. Copy the BEGIN/END certificate text block from the CA peer certificate into the local client certificate, placing it directly below the local certificate's own BEGIN/END certificate text block. The final result is the original local client certificate text block immediately followed by the certificate text block of the CA peer certificate that was provided by the third-party signer. An example of what this should look like is as follows:
-----BEGIN CERTIFICATE-----
MIIC7zCCAligAwIBAgIBBTANBgkqhkiG9w0BAQUFADCBjDELMAkGA1UEBhMCVVMx
<text removed>
gJeTRnZwMJEXv71V85NGobVGqb1uR94kIQazFP5HC2b2C0Q=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDjTCCAvagAwIBAgIJAJCKgXrXbhQ/MA0GCSqGSIb3DQEBBQUAMIGMMQswCQYD
<text removed>
YVPOATiFnrt1B9Qb1P8kW8lwPmG88Gg6nqttolhAnIi/lWBcp+QZfJMxPBcMkH2k7A==
-----END CERTIFICATE-----
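The clean-up and merge described above can be done with a small shell script instead of by hand. This is an added example, not part of the Oracle documentation; the file names, the sample certificate contents and the assumption that Unix line terminations are wanted are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: strip everything
# outside the BEGIN/END CERTIFICATE blocks of the files the CA returned
# and build the merged local client certificate (local block first, CA
# block second). All file names and certificate contents are constructed.

# Keep only the lines from -----BEGIN CERTIFICATE----- through
# -----END CERTIFICATE-----. CRs are removed first so a file saved on
# Windows still matches and the output keeps Unix line terminations
# (assumption: that is the style the keystore import expects).
pem_blocks() {
    tr -d '\r' < "$1" |
      sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p'
}

# Number of complete certificate blocks on stdin (prints 0, never fails).
count_blocks() { grep -c '^-----END CERTIFICATE-----$' || true; }

# Merge: cleaned local cert immediately followed by cleaned CA cert.
# Writes nothing unless each input holds exactly one block, which catches
# an empty, truncated or doubly-pasted file before it reaches the import.
merge_local_and_ca() {
    n_local=$(pem_blocks "$1" | count_blocks)
    n_ca=$(pem_blocks "$2" | count_blocks)
    if [ "$n_local" -ne 1 ] || [ "$n_ca" -ne 1 ]; then
        echo "expected one block each, got local=$n_local ca=$n_ca" >&2
        return 1
    fi
    { pem_blocks "$1"; pem_blocks "$2"; } > "$3"
}

# Constructed inputs: the local cert carries a text dump above the block
# (the "extraneous debugging information"), the CA cert uses CRLF endings.
WORKDIR=$(mktemp -d)
cat > "$WORKDIR/local.crt" <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
-----BEGIN CERTIFICATE-----
LOCALCERTDATALINE1
LOCALCERTDATALINE2
-----END CERTIFICATE-----
EOF
printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'CACERTDATALINE1' \
    '-----END CERTIFICATE-----' > "$WORKDIR/ca.pem"

merge_local_and_ca "$WORKDIR/local.crt" "$WORKDIR/ca.pem" "$WORKDIR/merged.crt"
echo "merged file has $(count_blocks < "$WORKDIR/merged.crt") certificate blocks"
```

The resulting merged.crt is the file to hand to the Import trusted key step; inspect it once with a Linux-based editor to confirm it contains nothing but the two blocks.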

Either copy these certificate files to the Policy Management server in advance, or store them somewhere on the network accessible via SCP. They can be imported back into the system to secure the communication channel with the third-party system.

To import the certificates:

  1. Log in to the platcfg utility using one of two methods, either from the system console using root or through an SSH remote session using admusr.
    • To access the platcfg utility from the system console:
      1. Log in as root.
      2. Enter su - platcfg.
    • To access the platcfg utility through an SSH remote session:
      1. Log in as admusr.
      2. Enter sudo su - platcfg.

    Note: The dash (-) is required in the su - platcfg or the sudo su - platcfg command to ensure proper permissions.

  2. Select Policy Configuration from the Main Menu screen and press Enter.
  3. Select SSL Key Configuration from the Policy Configuration Menu screen and press Enter.
  4. Select Configure keystore from the Configure SSL keys Menu screen and press Enter.
  5. To import the local signed certificate, select Import trusted key from the Operate keystore Menu screen and press Enter.
  6. Enter the Keystore Password, select OK, and press Enter.

    You are prompted for the location of the certificate to be imported.

  7. Select or enter the location where the local signed certificate is located and the certificate alias name, select OK, and press Enter.

    The certificate data screen opens for verification. Although the Owner and Issuer names may differ, to avoid confusion ensure that the Owner and Issuer names shown for the certificate match the host name of the server where the certificate is being created.

    Note: The alias entered must match the alias originally used to create the certificate request.

  8. To import the CA signed certificate as a peer certificate, select Import trusted key from the Operate cacerts Menu and press Enter.
  9. Enter the Keystore Password, select OK, and press Enter.

    You are prompted for the location of the certificate to be imported.

  10. Select or enter the location where the CA peer certificate is located and the certificate alias name, select OK, and press Enter.

    The certificate data screen opens for verification. Although the Owner and Issuer names may differ, to avoid confusion ensure that the Owner and Issuer names shown for the certificate match the host name of the server where the certificate is being created. If all certificate information is correct, the next operation is to import the CA certificate as a peer certificate.

    Note: The alias entered must match the alias originally used to create the certificate request.