Request certificates with an installation key


You can use installation keys to encrypt certificate requests. You generate an installation key on the management server, and then transfer it to the node manually.

Requesting certificates with an installation key is more secure than using standard certificate requests. An installation key is unique, and you can use it to encrypt only one certificate request. If you use standard certificate requests, all nodes encrypt all requests using the same key, which is embedded in the agent software.

Also, if you request certificates with an installation key, you ensure that the node's private key never leaves the node to which it belongs. This is not the case when you install certificates manually, because you generate the node's private key and certificate on the management server and then copy it to the node.

Before you request certificates with an installation key, ensure that the HTTPS agent is running on the node. Normally, the agent sends a certificate request the first time it starts. If you then request a certificate with an installation key, the new certificate request overwrites the original certificate request on the management server. You can suppress the first certificate request by setting the parameter CERTIFICATE_DEPLOYMENT_TYPE=manual in the sec.cm.client namespace using the HTTPS agent installation defaults.

To request certificates with an installation key

  1. Log in to the management server with an account that is a member of the HPOM administrators group. Open a command prompt.
  2. Use ovowcsacm to generate an installation key. The syntax for this command is:

    ovowcsacm -genInstKey [-file <file_name>] [-pass <password>]

    Specify the options as follows:

    -genInstKey
        Specifies that you want to generate an installation key.

    -file <file_name>
        Optional. The name of the file into which the command writes the installation key. If you omit this option, the command creates a file in the following directory:

        \<data_dir>\shared\server\certificates

        The default file name has the following format:

        CertificateIK_<management_server_name>_<universally_unique_id>

    -pass <password>
        Optional. A password that the command uses to encrypt the installation key. You need this password when you later request the certificates from the node. If you omit this option, the command prompts you for a password.
  3. Log in to the node with the same account used to install the node. Open a command or shell prompt.
  4. Securely transfer the generated file to the node. The installation key is valid for any node.
  5. On nodes that run a UNIX or Linux operating system, ensure that the PATH variable contains the path to the agent commands.

  6. Use ovcert to request a certificate from the management server. The syntax for this command is:

    ovcert -certreq -instkey <file_name>

    The command prompts you for the password that you specified when you generated the installation key. The node uses the installation key from the file to encrypt a certificate request and sends that request to the management server.

  7. The request must then be granted on the management server. You can configure this to happen automatically or manually. After this happens, the management server sends the certificates to the node.
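The node-side part of this procedure (steps 5 and 6) as an added POSIX shell helper; this is example code, not part of HPOM or the HTTPS agent. It assumes the agent commands live in /opt/OV/bin (override with AGENT_BIN) and that the key file has already been transferred securely; it refuses to use a key file that is missing, empty, or readable by other accounts.

```shell
#!/bin/sh
# Added example, not HPOM's own tooling. Assumed agent command directory;
# override with AGENT_BIN=/other/path if your agent is installed elsewhere.
AGENT_BIN="${AGENT_BIN:-/opt/OV/bin}"

# Step 5: make sure the agent commands are on PATH and ovcert is callable.
ensure_agent_path() {
  case ":$PATH:" in
    *":$AGENT_BIN:"*) ;;
    *) PATH="$AGENT_BIN:$PATH"; export PATH ;;
  esac
  command -v ovcert >/dev/null 2>&1
}

# The installation key is a secret that encrypts exactly one request, so refuse
# to use a file that is missing, empty, or readable by group/other.
check_instkey_file() {
  key="$1"
  if [ ! -f "$key" ] || [ ! -s "$key" ]; then
    echo "installation key file missing or empty: $key" >&2
    return 1
  fi
  # Columns 5-10 of 'ls -l' are the group and other permission bits.
  perms=$(ls -ld "$key" | cut -c5-10)
  if [ "$perms" != "------" ]; then
    echo "key file $key is group/world accessible ($perms); use chmod 600" >&2
    return 1
  fi
  return 0
}

# Step 6: send the encrypted certificate request. ovcert prompts for the
# password chosen at -genInstKey time; the node's private key never leaves it.
request_certificate() {
  key="$1"
  ensure_agent_path || { echo "ovcert not found in PATH or $AGENT_BIN" >&2; return 1; }
  check_instkey_file "$key" || return 1
  ovcert -certreq -instkey "$key"
}

# Usage (run as the account that installed the agent):
#   request_certificate /var/tmp/CertificateIK_<management_server_name>_<uuid>
```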
