2.2 Creating an Organizational Certificate Authority Object

By default, the NetIQ Certificate Server installation process creates the Organizational Certificate Authority (CA) for you. You are prompted to specify an Organizational CA name. When you click Finish, the Organizational CA is created with the default parameters and placed in the Security container.

If you want more control over the creation of the Organizational CA, you can create the Organizational CA manually by using iManager. Also, if you delete the Organizational CA, you need to re-create it.

During the creation process, you are prompted to name the Organizational Certificate Authority object and to choose a server to host the Organizational CA service (the server on which the Organizational CA service runs). When deciding which server will host the Organizational CA service, consider the following:

  • Select a server that is physically secure.

    Physical access to the CA server is an important part of the security of the system. If the CA server is compromised, all certificates issued by the CA are also compromised.

  • Select a server that is highly available, stable, and robust.

    If the CA service is not available, certificates cannot be created. This affects the installation of new servers, because server certificates are created during installation.

  • Select a server that only runs software you trust.

    Running unknown or questionable software might compromise the CA service.

  • Select a server that will not be removed from the tree.

    If the server is removed from the tree, you need to either re-create the CA object by using a backup you made before removing the CA, or you need to create a new CA. If you create a new CA, you might need to replace your existing server and user certificates.

  • Select a server that runs a network protocol compatible with the other servers in your tree.

    Examples are IP, IPX, or IP/IPX.

To create the Organizational Certificate Authority object:

  1. Launch iManager.

  2. Log in to the eDirectory tree as an administrator with the appropriate rights.

    To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.

  3. On the Roles and Tasks menu, click NetIQ Certificate Server > Configure Certificate Authority.

    If no Organizational Certificate Authority object exists, this opens the Create an Organizational Certificate Authority Object dialog box and the corresponding wizard that creates the object. Follow the prompts to create the object. For specific information on the dialog box or any of the wizard pages, click Help.

  4. After you have finished creating the Certificate Authority, we recommend that you make a backup of the CA’s public/private key pair and store this in a safe and secure place. See Backing Up an Organizational CA.

NOTE: You can have only one Organizational CA for your eDirectory tree.