6.11 Creating SSL Certificate for Distributed Deployment

The following procedure explains how to create an SSL Certificate for distributed deployment:

  1. Run the following command to set the Java path:

    export PATH=/opt/netiq/common/jre/bin:$PATH

    Ensure that the Java path is set on the server before running the keytool commands below. For example:

    export PATH=/opt/netiq/common/jre/bin/:$PATH
  2. Create a sample working directory.

    mkdir -p /opt/certs
  3. Generate the PKCS keystore:

    keytool -genkey -alias <alias_name> -keyalg RSA -keystore <absolute path of keystore> -validity 3650 -keysize 1024 -dname "CN=<Subject Alternate Name>" -keypass <keypass> -storepass <storepass>
  4. Generate the CSR (Certificate Signing Request):

    keytool -certreq -v -alias <alias_name> -file <name of the csr file> -keypass <keypass> -keystore <absolute path of the keystore> -storepass <storepass>
  5. Generate a self-signed certificate:

    1. Log in to iManager as an administrator.

    2. Navigate to Roles and Tasks > NetIQ Certificate Server > Issue Certificate.

    3. Browse to the .csr file created in step 4. For example: ua.csr.

    4. Click Next.

    5. Specify the key usage and click Next.

    6. For the certificate type, select Unspecified.

    7. Click Next.

    8. Specify the validity of the certificate and click Next.

    9. Select the File in binary DER format radio button.

    10. Click Next.

    11. Click Finish.

    12. Download the certificate and copy the downloaded certificate to the /data directory.

  6. Export the root certificate in .der format:

    1. Log in to iManager as an administrator.

    2. Navigate to Roles and Tasks > NetIQ Certificate Access > Server Certificates.

    3. Select the SSL CertificateDNS check box and click Export.

    4. In the Certificates drop-down list, select Organizational CA.

    5. In the Export Format drop-down list, select DER.

    6. Click Next.

    7. Download the certificate and copy the downloaded certificate to the /data directory.

  7. Import the certificates into the PKCS keystore as explained earlier. First import the root certificate as a trusted entry:

    keytool -import -trustcacerts -alias root -keystore <name of the keystore> -file <root certificate> -storepass <password> -noprompt

    Then import the signed certificate from step 5, using the same alias that was given to -genkey in step 3 so that keytool installs it as the reply for that key pair:

    keytool -import -alias <alias name> -keystore <name of the keystore> -file <self-signed certificate> -storepass <password> -noprompt
  8. Repeat the above procedure for each of osp, userapp and reporting if they are installed on different machines.
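As an added check that is not part of the original procedure, the following Python script parses the output of `keytool -list -v` for the keystore built in steps 3 through 7 and flags the usual mistakes: the signed certificate imported under an alias other than the one given to -genkey (the chain then stays at length 1), the root CA missing as a trusted entry, and an RSA key shorter than 2048 bits. The sample listing, the aliases ua and root, and the CA name are constructed assumptions.

```python
"""Check a keystore built in steps 3-7 by parsing the output of `keytool -list -v`."""
import re

# Constructed sample of `keytool -list -v` output, cut down to the lines the parser reads.
SAMPLE_LISTING = """\
Alias name: ua
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=ua.example.com
Issuer: CN=Organizational CA, O=EXAMPLE-TREE
Subject Public Key Algorithm: 2048-bit RSA key
*******************************************
Alias name: root
Entry type: trustedCertEntry
Owner: CN=Organizational CA, O=EXAMPLE-TREE
Issuer: CN=Organizational CA, O=EXAMPLE-TREE
"""
FIELDS = {  # first match in an entry block belongs to the end-entity certificate
    "type": r"^Entry type: (\w+)", "chain": r"^Certificate chain length: (\d+)",
    "owner": r"^Owner: (.+)$", "issuer": r"^Issuer: (.+)$", "bits": r"(\d+)-bit RSA key",
}

def parse_listing(text):
    """Return {alias: {type, chain, owner, issuer, bits}}; chain defaults to 1, bits to 0."""
    entries = {}
    for block in re.split(r"\*{10,}", text):  # keytool separates entries with asterisk rows
        alias = re.search(r"^Alias name: (.+)$", block, re.M)
        if alias:
            m = {k: re.search(p, block, re.M) for k, p in FIELDS.items()}
            f = {k: (v.group(1) if v else None) for k, v in m.items()}
            f["chain"], f["bits"] = int(f["chain"] or 1), int(f["bits"] or 0)
            entries[alias.group(1).strip()] = f
    return entries

def check_keystore(entries, key_alias, root_alias="root"):
    """Return a list of problems; an empty list means the keystore is what steps 3-7 should yield."""
    key, root, problems = entries.get(key_alias), entries.get(root_alias), []
    if key is None or key["type"] != "PrivateKeyEntry":
        return [f"no private key entry under alias {key_alias!r}: -import must reuse the -genkey alias"]
    if key["chain"] < 2:
        problems.append("chain length 1: the signed certificate was not installed as a CA reply")
    if key["bits"] and key["bits"] < 2048:
        problems.append(f"{key['bits']}-bit RSA key is below the 2048-bit minimum")
    if root is None or root["type"] != "trustedCertEntry":
        problems.append(f"root CA is not present as trustedCertEntry {root_alias!r}")
    elif key["issuer"] != root["owner"]:
        problems.append("server certificate issuer does not match the imported root CA")
    return problems
```

To check a real keystore, capture the output of `keytool -list -v -keystore <name of the keystore> -storepass <password>` and call check_keystore(parse_listing(output), "<alias_name>").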