Server Certificate objects are created in the container that holds the server's eDirectory object. Depending on your needs, you might create a separate Server Certificate object for each cryptography-enabled application on the server, or you might create one Server Certificate object for all applications used on that server.
NOTE:The terms Server Certificate object and Key Material object (KMO) are synonymous. The schema name of the eDirectory object is NDSPKI:Key Material.
When you install NetIQ Certificate Server, the Server Certificate object is created with the default parameters and placed in the container where the target server resides. If you ever need to overwrite or create new default certificates, you can use the Create Default Certificates Wizard. See Section 3.2.2, Creating Default Server Certificate Objects.
If you want more control over the creation of the Server Certificate object, you can create the Server Certificate object manually. You can also create additional Server Certificate objects.
Log in to the eDirectory tree as an administrator with the appropriate rights.
To view the appropriate rights for this task, see Section B.0, Entry Rights Needed to Perform Tasks.
On themenu, click > .
This opens the Create a Server Certificate dialog box and the corresponding wizard that creates the Server Certificate object. Follow the prompts to create the object. For specific information on the dialog box or any of the wizard pages, click.
During the Server Certificate object creation process, you are prompted to name the key pair and choose the server that the key pair will be associated with. The Server Certificate object is generated by NetIQ Certificate Server, and its name is based on the key pair name that you choose.
If you choose the Custom creation method, you are also prompted to specify whether the Server Certificate object will be signed by your organization's Organizational Certificate Authority or by an external certificate authority. For information about making this decision, see Section 2.1, Deciding Which Type of Certificate Authority to Use.
If you decide to use your organization's Organizational CA, the server that the Server Certificate object is associated with must be able to communicate with the server that hosts the Organizational CA, or it must be the same server. These servers must be running the same protocol (IP/IPX).
If you decide to use an external certificate authority to sign the certificate, the server that the Server Certificate object is associated with generates a certificate signing request that you need to submit to the external certificate authority.
After the certificate is signed and returned to you, you need to install it into the Server Certificate object, along with the trusted root for the external Certificate Authority.
After you have created the Server Certificate object, you can configure your applications to use it. (See Section 2.5, Configuring Cryptography-Enabled Applications.) Keys are referenced in the application's configuration by the key pair name that you entered when you created the Server Certificate object.