Create Certificates

Contents
casp1032
Secure Domain Manager uses digital certificates to ensure the security. The default certificates are provided with your
DX NetOps Spectrum
installation and site-specific certificates can be created using the CertGen tool.
Default Certificates
If you want to use the default certificates, do not perform any actions. All default files reside in the <
$SPECROOT
>/SDM/cert directory and include the following files:
  • SDMCA.pem
    Certificate authority. Distribute this file to any computer that uses Secure Domain Manager or Secure Domain Connector in any capacity and can be treated as a trusted CA file.
  • SDMCAKey.pem
    Private key of CA. It can be used to issue certificates but should not necessarily be distributed to any machines.
  • SDMCert.p12
    Application certificate that is signed by SDMCA.pem. This is the certificate file that is used between SDManager and SDConnector. It should be carefully distributed to computers that deserve trust and used to assert the identity of those computers.
  • CertGen[.exe]
    Program that is used to generate the site-specific certificate authority, key file, and certificate file. Run CertGen -h to review all certificate options available.
  • openssl[.exe]
    OpenSSL open source implementation of the SSL protocol.
Site-Specific Certificates
If you want to create site-specific certificates, move the default certificate files (*.pem and *.p12) to another location on the hard drive. Perform the following procedures to create and deploy the custom certificates.
Create Site-Specific Certificates
Create site-specific certificates for better security. Create these certificates on a single computer that only qualified personnel can access. This computer can be the SDManager host.
You must have administrator or root privileges to create the SSL certificates for Secure Domain Manager.
Follow these steps:
  1. Run the following command to create a certificate authority certificate and the private key for the certificate authority certificate:
    CertGen -t ca -c US
    You only have to perform this step once to create the necessary certificate authority certificate for your organization.
    The following files are created:
    1. SDMCA.pem
    2. SDMCAKey.pem
    The default certificate authority and key file that come with Secure Domain Manager are read-only files. If you receive a permission error, check your user privileges or move SDMCA.pem and SDMCAKey.pem to another location and run the command again.
  2. Run the following command to create a certificate for the SDManager:
    CertGen -t cert -c <Country Code>
    The SDMCert.01.p12 file is created.
  3. (Optional) For the added security, use the -p option to generate the certificate with a password as follows:
    CertGen -t cert -p <password> -c <Country Code>
    Enter the password in the sdc.config file and sdm.config file.
  4. Rename SDMCert.01.p12 to SDMCert.p12.
    The new site-specific certificate is ready for use.
Deploy Site-Specific Certificates
After you create your certificate files, perform the following tasks:
  • Deploy the certificate files on the SDManager hosts and on the SDConnector hosts.
  • Restart the SpectroSERVER on the SDManager hosts and the SDConnector process on the SDC hosts.
To deploy certificates, copy the SDMCA.pem file that you created to the 
<$SPECROOT>
/SDM/cert directory on the SDManager host computer and to the cert directory under the SDConnector installation on the SDConnector hosts that will connect to the SDManager host. Administrator, or root should own the SDMCert.p12 file.
Retain the SDMCAKey.pem file on the computer where you plan to create more certificates. Restrict the file to authorized personnel only. This computer can be the SDManager host computer but is not a requirement.
After the certificates have been deployed, restart both the SpectroSERVER on the SDManager hosts and the SDConnector process on the SDC hosts. For information on restarting the SDConnector Process, see Start, Stop, and Restart the SDConnector Process on Windows or Start, Stop, and Restart the SDConnector Process on Linux.