You can use installation keys to encrypt certificate requests. You generate an installation key on the management server, and then transfer it to the node manually.
Requesting certificates with an installation key is more secure than using standard certificate requests. An installation key is unique, and you can use it to encrypt only one certificate request. If you use standard certificate requests, all nodes encrypt all requests using the same key, which is embedded in the agent software.
Also, if you request certificates with an installation key, you ensure that the node's private key never leaves the node to which it belongs. This is not the case when you install certificates manually, because you generate the node's private key and certificate on the management server and then copy them to the node.
Before you request certificates with an installation key, ensure that the HTTPS agent is running on the node. Normally, the agent sends a certificate request the first time it starts. If you then request a certificate with an installation key, the new certificate request overwrites the original certificate request on the management server. You can suppress the first certificate request by setting the parameter CERTIFICATE_DEPLOYMENT_TYPE=manual in the sec.cm.client namespace using the HTTPS agent installation defaults.
Use ovowcsacm to generate an installation key. The syntax for this command is:
ovowcsacm -genInstKey [-file <file_name>] [-pass <password>]
Specify the options as follows:
Option | Description |
---|---|
-genInstKey | Specifies that you want to generate an installation key. |
-file <file_name> | Optional. The name of the file into which the command generates the installation key. If you omit this option, the command creates a file in the following directory: The default file name has the following format: |
-pass <password> | Optional. A password that the command uses to encrypt the installation key. You need this password when you later request the certificates from the node. If you omit this option, the command prompts you for a password. |
On nodes that run a UNIX or Linux operating system, ensure that the PATH variable contains the path to the agent commands. Type the command that matches the agent installation directory on the node, and then press Enter:
export PATH=/opt/OV/bin:$PATH
export PATH=/usr/lpp/OV/bin:$PATH
export PATH=/usr/opt/OV/bin:$PATH
Use ovcert to request a certificate from the management server. The syntax for this command is:
ovcert -certreq -instkey <file_name>
The command prompts you for the password that you specified when you generated the installation key. The node then uses the installation key from the file to encrypt a certificate request, which it then sends to the management server.
The request must then be granted on the management server. You can configure this to happen automatically or manually. After this happens, the management server sends the certificates to the node.
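The following shell script is an added example that wraps the two steps described above (generating the key on the management server, then requesting the certificate from the node); it is not part of the original page or the agent software. It assumes the key file has already been copied to the node by some out-of-band means, and it adds the checks a practitioner would want before running ovcert: locating the agent command directory among the three paths listed above, confirming that the key file is readable only by its owner, and removing the single-use key file once the request has been sent. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original page): helper functions around
# ovowcsacm -genInstKey and ovcert -certreq -instkey.

# The three agent command directories listed on the page; the first one
# that exists on the node is used.
AGENT_BIN_DIRS="/opt/OV/bin /usr/lpp/OV/bin /usr/opt/OV/bin"

# Management server side: generate the one-time installation key.
# -pass is deliberately omitted so the command prompts for the password
# instead of exposing it in process listings or shell history.
generate_instkey() {
  keyfile="$1"
  ovowcsacm -genInstKey -file "$keyfile"
}

# Print the first agent command directory that exists on this node.
find_agent_bin() {
  for d in $AGENT_BIN_DIRS; do
    if [ -d "$d" ]; then
      printf '%s\n' "$d"
      return 0
    fi
  done
  return 1
}

# Verify the key file is a regular file readable only by its owner.
# The key encrypts exactly one certificate request, so it should not be
# world- or group-readable while it sits on the node.
check_instkey_file() {
  f="$1"
  [ -f "$f" ] || { echo "instkey: $f is not a regular file" >&2; return 1; }
  # GNU stat first, BSD stat as fallback.
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    600|400) return 0 ;;
    *) echo "instkey: $f has mode $mode; expected 600" >&2; return 1 ;;
  esac
}

# Node side: put the agent commands on PATH, validate the key file, send the
# request (ovcert prompts for the password), then delete the used key file.
request_certificate() {
  keyfile="$1"
  bindir=$(find_agent_bin) || { echo "agent commands not found" >&2; return 1; }
  export PATH="$bindir:$PATH"
  check_instkey_file "$keyfile" || return 1
  ovcert -certreq -instkey "$keyfile" || return 1
  rm -f "$keyfile"
}

# Usage on the node (assumed file name):
#   request_certificate /var/tmp/node.instkey
```

The key file is removed after the request because the page states that one installation key can encrypt only one certificate request; keeping it around gives no benefit and leaves an encrypted copy of the request material on disk. The password prompt from ovcert is left interactive for the same reason -pass is omitted on the management server.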