McAfee MEJCAE-AM-DA Product Guide - Page 54

Working with X.509 Certificates Adding an X.509 certificate to your key or keyring Attribute Name: POBOX C (Country) DN (Distinguished Name) Description: The PO box or postal code of the holder of the certificate. The country of the holder of the certificate (e.g., "USA"). Typically the distinguished name of the company to which the certificate belongs. For a complete list of the certificate attributes that E-Business Server supports, including a list of Verisign-specific attributes, see Supported Certificate Attributes Adding an X.509 certificate to your key or keyring You may need to add an X.509 certificate to your keyring, such as a Root CA's certificate, or manually add an X.509 certificate to your key pair from a file. To do either, use the --key-add option with the --x509 modifier. ebs --key-add --x509 Where is the name of the file containing the certificate you want to add. E-Business Server supports importing of PEM, DER (PKCS #7) and PKCS #12 formatted certificates. If the file extension is .pem, E-Business Server assumes the certificate is PEM-encoded. If the file extension is .p12 or .pfx, E-Business Server assumes the certificate is PKCS #12 formatted. For example, if you enter the following command, E-Business Server automatically knows to add a PEM-encoded certificate: ebs --key-add cert.pem --x509 If the binary file is PKCS #12, then you must include the --with-private modifier (as shown below). ebs --key-add --x509 --with-private This forces the PKCS #12 import format of the X.509 certificate and includes the private portion of your key pair. Note: When you add or change information in your key pair, always update it on the key server so that your most current key can be available to anyone. See Adding your key to a key server on page 26 for instructions. Getting an X.509 certificate from a CA You can request an X.509 digital certificate and add it to your key pair using E-Business Server options and your company's Certificate Authority (CA) or a public CA (for example, VeriSign). There are two main methods for requesting and adding X.509 certificates to your keys-automatically and manually. Both methods are described in the following sections. For either method you must first obtain and add the Root CA certificate from the Certificate Authority and add it to your keyring. For instructions, see Retrieving and adding the Root CA certificate to your keyring on page 53. Automatically requesting and adding an X.509 certificate to your key Note: The instructions in this section describe how to add an X.509 certificate to your key pair if you are using the Net Tools PKI Server. The process and terminology may vary between Certificate Authorities and some of the certificate attributes and certification procedures (identity-checks) you must use when interacting with your CA is a policy decision. You may need to consult the administrator of your Certificate Authority for instructions. There are four main steps to automatically requesting and adding an X.509 certificate to your key pair: 1 Retrieve the Root CA certificate from the CA and add it to your keyring (see Retrieving and adding the Root CA certificate to your keyring). E-Business Server™ 8.6 Product Guide 52