sechkey Utility Configure X.509 Certificates
The sechkey utility configures the root and server certificates that PAM Server Control uses to authenticate communication between components. You can use the sechkey utility to perform the following tasks:
- Configure PAM Server Control to use third-party root and server certificates, including OU password-protected certificates
- Create a server certificate from a third-party root certificate
- Save the password of a password-protected certificate on the computer
Stop PAM Server Control before you use sechkey to configure X.509 certificates. You must have the ADMIN attribute to use sechkey. If PAM Server Control is operating in FIPS-only mode, you cannot use password-protected certificates. PAM Server Control operates in FIPS-only mode when the value of the fips_only configuration token in the crypto section is 1. This restriction prevents you from encrypting passwords within the certificate with a non-FIPS compliant method.
This command has the following format to create an X.509 root or server certificate:
sechkey -e {-ca|-sub [-priv privfilepath]} [-in infilepath] [-out outfilepath] [-capwd password] [-subpwd password]
This command has the following format to use OU password-protected server certificates:
sechkey -g {-subpwd password | -verify}
- -ca: Specifies that sechkey creates a self-signed certificate that is used as a CA (root) certificate. sechkey stores the certificate and private key in the PEM file that is defined by the ca_certificate configuration setting in the crypto section.
- -capwd password: Specifies the password for the private key of the root certificate that sechkey uses to generate a server (subject) certificate.
- -e: Specifies that sechkey creates an X.509 certificate.
- -g: Specifies that PAM Server Control uses third-party server certificates. Save the third-party server certificate in the location that is specified in the subject_certificate configuration setting in the crypto section. You can also edit the value of the subject_certificate configuration setting in the crypto section to specify the full path to the third-party server certificate. If you install the server certificate in a new directory, write PAM Server Control FILE rules to protect the new directory.
- -in infilepath: Specifies the input file that contains the certificate information. If -in is not specified, sechkey reads the information from the standard input. sechkey requires the following information to create a certificate:
  - Serial Number
  - Subject
  - Not Before (first valid day for the certificate)
  - Not After (last valid day for the certificate)
  - Email
  - URI (often named URL)
  - DNS name
  - IP Address
- -out outfilepath: Specifies the output file in which to put the certificate information. The output file is a copy of the input information. If -out is not specified, sechkey does not duplicate the input information.
- -priv privfilepath: Specifies the file that holds the private key that is associated with the certificate. This option is only valid when used with the -sub option.
- -sub: Specifies that sechkey creates a server (subject) certificate. sechkey stores the certificate and private key in the PEM file that is defined by the subject_certificate configuration setting in the crypto section. If -priv is not specified, the private_key configuration setting in the crypto section defines the file that holds the private key that is associated with the certificate. If you create a password-protected server certificate, sechkey does not encrypt the certificate. If you create a server certificate that is not password-protected, sechkey encrypts the certificate using AES256 and the PAM Server Control encryption key.
- -subpwd password: Specifies the password for the private key of the server (subject) certificate. sechkey stores the password in the crypto.dat file in the ACInstallDir/Data/crypto directory, where ACInstallDir is the directory in which you installed PAM Server Control. The crypto.dat file is hidden, encrypted, read-only, and protected by PAM Server Control. When PAM Server Control is stopped, only the superuser can access the password.
- -verify: Verifies that PAM Server Control can use the stored password to open the password-protected server key.
Example: Create a Server Certificate from an OU Password-Protected Third-Party Root Certificate
The following command creates a server certificate from an OU password-protected third-party root certificate, using the following values:
- The path to the input file that contains the certificate information is C:\Program Files\CA\PAMSC\data\crypto\sub_cert_info
- The path to the private key for the root certificate is C:\Program Files\CA\PAMSC\data\crypto\ca.key
- The password for the private key for the root certificate is P@ssw0rd
sechkey -e -sub -in "C:\Program Files\CA\PAMSC\data\crypto\sub_cert_info" -priv "C:\Program Files\CA\PAMSC\data\crypto\ca.key" -capwd P@ssw0rd
Example: Input File
The following is an example of an input file that contains certificate information:
SERIAL: 00-15-58-C3-5E-4B
SUBJECT: CN=192.168.0.1
NOTBEFORE: "12/31/08"
NOTAFTER: "12/31/09"
E-MAIL: [email protected]
URI: http://www.example.com
DNS: 168.192.0.100
IP: 168.192.0.1
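Because sechkey reads the eight certificate values from the -in file and a malformed or inconsistent file (for example a validity window that ends before it starts) only surfaces as a failed certificate generation, it is useful to check the file before running the command. The following validator is an added example and is not part of sechkey or PAM Server Control; it assumes the KEY: value layout and the quoted MM/DD/YY dates shown in the example file above, and the sample values it embeds are constructed.

```python
import ipaddress
from datetime import datetime

# The eight items sechkey needs, keyed as in the documented example file.
REQUIRED_KEYS = ("SERIAL", "SUBJECT", "NOTBEFORE", "NOTAFTER",
                 "E-MAIL", "URI", "DNS", "IP")

def parse_cert_info(text):
    """Parse 'KEY: value' lines into a dict (blank lines ignored)."""
    fields = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        key, sep, value = line.partition(":")   # split at the first colon only
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        fields[key.strip().upper()] = value.strip()
    return fields

def _parse_date(value):
    # Assumption: dates are quoted MM/DD/YY, as in the documented example.
    return datetime.strptime(value.strip('"'), "%m/%d/%y")

def validate_cert_info(text):
    """Return a list of problems; an empty list means the file is usable."""
    fields = parse_cert_info(text)
    problems = [f"missing {k}" for k in REQUIRED_KEYS if not fields.get(k)]
    if problems:
        return problems
    try:
        if _parse_date(fields["NOTAFTER"]) <= _parse_date(fields["NOTBEFORE"]):
            problems.append("NOTAFTER must be later than NOTBEFORE")
    except ValueError:
        problems.append("NOTBEFORE/NOTAFTER must be quoted MM/DD/YY dates")
    try:
        ipaddress.ip_address(fields["IP"])
    except ValueError:
        problems.append(f"IP is not a valid address: {fields['IP']}")
    if not fields["SUBJECT"].startswith("CN="):
        problems.append("SUBJECT should start with CN=")
    return problems

# Constructed sample in the documented layout; all values are illustrative.
SAMPLE = """SERIAL: 00-15-58-C3-5E-4B
SUBJECT: CN=192.168.0.1
NOTBEFORE: "12/31/08"
NOTAFTER: "12/31/09"
E-MAIL: admin@example.com
URI: http://www.example.com
DNS: pamsc.example.com
IP: 192.168.0.1
"""
```

Run validate_cert_info on the file you intend to pass with -in; an empty result means every required item is present and the validity window and IP address are well-formed.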