McAfee MEJCAE-AM-DA Product Guide - Page 55
Retrieving and adding the Root CA certificate to your keyring
Page 55 highlights
Working with X.509 Certificates
Getting an X.509 certificate from a CA

2 Enter information about the CA in the E-Business Server configuration file (see Specifying CA parameters in the E-Business Server configuration file on page 53).
3 Request a certificate from the CA. Your X.509 certificate request is verified and signed by the CA (see Automatically requesting a certificate from the CA on page 53). (The CA's signature on the certificate makes it possible to detect any subsequent tampering with the identifying information or the public key, and it implies that the CA considers the information in the certificate valid.)
4 Retrieve the certificate issued by the CA and add it to your key pair (see Retrieve your certificate and add it to your key pair on page 54).

Retrieving and adding the Root CA certificate to your keyring

Whether you are automatically requesting or manually requesting X.509 certificates to add to your keys, you must first obtain and add the Root CA certificate to your keyring. The only exception is if you are requesting a PKCS #10 certificate.

Note: When you add or change information in your key pair, always update it on the key server so that your most current key can be available to anyone. See Adding your key to a key server on page 26 for instructions.

To retrieve and add the Root CA certificate to your keyring:

1 Open your Web browser and connect to the CA's enrollment site.
2 Locate and examine the Root CA certificate. This process varies between Certificate Authorities. For example, if your company were using the Net Tools PKI Server, you would click the Download a CA Certificate link, and then click the Examine this Certificate button.
3 Copy the key block for the Root CA certificate and paste it into a file.
4 Add the Root CA certificate to your keyring. See Adding an X.509 certificate to your key or keyring on page 52 for instructions.
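An added example (not from the product guide): a check to run between steps 3 and 4, confirming that the block pasted into the file is complete and matches the Root CA fingerprint obtained from the CA through a separate channel. It assumes the enrollment site serves a PEM-armoured certificate and that the CA publishes a SHA-256 fingerprint; the function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# Matches one PEM-armoured certificate block as pasted from an enrollment page.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def extract_der(pasted_text):
    """Return the DER bytes of the single certificate block in pasted_text."""
    blocks = PEM_RE.findall(pasted_text)
    if len(blocks) != 1:  # a truncated paste loses the END line and lands here
        raise ValueError("expected one certificate block, found %d" % len(blocks))
    body = "".join(blocks[0].split())  # drop line breaks added by copy/paste
    try:
        return base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("certificate block is not valid base64: %s" % exc)


def fingerprint(der):
    """SHA-256 fingerprint of the DER encoding, as colon-separated hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _hex_only(text):
    """Strip separators and case so differently formatted fingerprints compare."""
    return re.sub(r"[^0-9A-F]", "", text.upper())


def matches_published(pasted_text, published_fingerprint):
    """True only if the pasted block hashes to the fingerprint the CA published."""
    actual = _hex_only(fingerprint(extract_der(pasted_text)))
    return hmac.compare_digest(actual, _hex_only(published_fingerprint))


# Constructed sample: placeholder bytes standing in for a DER certificate.
SAMPLE_DER = bytes(range(48, 144))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    published = fingerprint(SAMPLE_DER)  # stands in for the out-of-band value
    print("intact copy :", matches_published(SAMPLE_PEM, published))
    damaged = SAMPLE_PEM.replace("M", "N", 1)  # one character altered in transit
    print("damaged copy:", matches_published(damaged, published))
```

Add the certificate to the keyring only when the check returns True; a mismatch or a ValueError means the file should be discarded and the block retrieved again.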
Specifying CA parameters in the E-Business Server configuration file

Specify the CA's URL using the CA-URL parameter. This URL must be fully qualified. For example, you might enter something like https://myca.ebs.com:444 (this is the same URL you used to retrieve the Root CA).

If there is a separate URL for retrieving certificate revocation lists (CRLs), specify it using the CA-REVOCATION-URL parameter. If you do not know the URL for revocation, leave this option blank.

Specify the name of the certificate authority you are using with the CA-TYPE option. Your choices are:

• nettools (Net Tools PKI)
• verisign (VeriSign OnSite)
• entrust (Entrust)
• iplanet (iPlanet CMS)
• win2k (Windows 2000)

Specify the Root CA certificate you retrieved earlier using the CA-ROOT-CERT parameter. For more information on retrieving the Root CA certificate, see Retrieving and adding the Root CA certificate to your keyring on page 53.

Automatically requesting a certificate from the CA

After specifying CA parameters in the configuration file (see Specifying CA parameters in the E-Business Server configuration file on page 53), use the --cert-request option to automatically request a certificate from the CA. You can request that specific attributes be added to your new certificate using the --cert-attribute option. It is up to the CA's discretion whether or not they include these attributes. For more information on adding certificate attributes, see Specifying certificate attributes on page 51.

To request a certificate:

53 E-Business Server™ 8.6 Product Guide