sechkey Utility - Configure X.509 Certificates

The sechkey utility configures the root and server certificates that Privileged Access Manager uses to authenticate communication between components.
You can use the sechkey utility to perform the following tasks:
  • Configure Privileged Access Manager to use third-party root and server certificates, including OU password-protected certificates
  • Create a server certificate from a third-party root certificate
  • Save the password of a password-protected certificate on the computer
Stop Privileged Access Manager before you use sechkey to configure X.509 certificates. You must have the ADMIN attribute to use sechkey.
If Privileged Access Manager is operating in FIPS-only mode, you cannot use password-protected certificates. Privileged Access Manager operates in FIPS-only mode when the value of the fips_only configuration token in the crypto section is 1. This restriction prevents you from encrypting passwords within the certificate with a non-FIPS-compliant method.
This command has the following format to create an X.509 root or server certificate:
sechkey -e {-ca|-sub [-priv privfilepath]} [-in infilepath] [-out outfilepath] [-capwd password] [-subpwd password]
This command has the following format to use OU password-protected server certificates:
sechkey -g {-subpwd password | -verify}
  • -ca
    Specifies that sechkey creates a self-signed certificate that is used as a CA (root) certificate.
    sechkey stores the certificate and private key in the PEM file that is defined by the ca_certificate configuration setting in the crypto section.
  • -capwd password
    Specifies the password for the private key of the root certificate that sechkey uses to generate a server (subject) certificate.
  • -e
    Specifies that sechkey creates an X.509 certificate.
  • -g
    Specifies that Privileged Access Manager uses third-party server certificates. Save the third-party server certificate in the location that is specified in the subject_certificate configuration setting in the crypto section. You can also edit the value of the subject_certificate configuration setting in the crypto section to specify the full path to the third-party server certificate.
    If you install the server certificate in a new directory, write Privileged Access Manager FILE rules to protect the new directory.
  • -in infilepath
    Specifies the input file that contains the certificate information. If -in is not specified, sechkey reads the information from the standard input.
    sechkey requires the following information to create a certificate:
    • Serial Number
    • Subject
    • Not Before (First valid day for certificate)
    • Not After (Last valid day for certificate)
    sechkey can use the following information, but the information is not mandatory:
    • Email
    • URI (often named URL)
    • DNS name
    • IP Address
  • -out outfilepath
    Specifies the output file in which sechkey puts the certificate information. The output file is a copy of the input information. If -out is not specified, sechkey does not duplicate the input information.
  • -priv privfilepath
    Specifies the file that holds the private key that is associated with the certificate. This option is only valid when used with the -sub option.
  • -sub
    Specifies that sechkey creates a server (subject) certificate.
    sechkey stores the certificate and private key in the PEM file that is defined by the subject_certificate configuration setting in the crypto section.
    If -priv is not specified, the private_key configuration setting in the crypto section defines the file that holds the private key that is associated with the certificate.
    If you create a password-protected server certificate, sechkey does not encrypt the certificate. If you create a server certificate that is not password-protected, sechkey encrypts the certificate using AES256 and the Privileged Access Manager encryption key.
  • -subpwd password
    Specifies the password for the private key of the server (subject) certificate. sechkey stores the password in the crypto.dat file in the ACInstallDir/Data/crypto directory, where ACInstallDir is the directory in which you installed Privileged Access Manager. The crypto.dat file is hidden, encrypted, read-only, and protected by Privileged Access Manager. When Privileged Access Manager is stopped, only the superuser can access the password.
  • -verify
    Verifies that Privileged Access Manager can use the stored password to open the password-protected server key.
Example: Create a Server Certificate from an OU Password-Protected Third-Party Root Certificate
The following command creates a server certificate from an OU password-protected third-party root certificate, using the following values:
  • The path to the input file that contains the certificate information is C:\Program Files\CA\PAMSC\data\crypto\sub_cert_info
  • The path to the private key for the root certificate is C:\Program Files\CA\PAMSC\data\crypto\ca.key
  • The password for the private key for the root certificate is P@ssw0rd
sechkey -e -sub -in "C:\Program Files\CA\PAMSC\data\crypto\sub_cert_info" -priv "C:\Program Files\CA\PAMSC\data\crypto\ca.key" -capwd P@ssw0rd
Example: Input File
The following is an example of an input file that contains certificate information with IPv4 addresses:
SERIAL: 00-15-58-C3-5E-4B
SUBJECT: CN=192.168.0.1
NOTBEFORE: "12/31/08"
NOTAFTER: "12/31/09"
URI: http://www.example.com
DNS: 168.192.0.100
IP: 168.192.0.1
For IPv6, the DNS and IP addresses are shown below:
...
DNS: fd6d:8d64:af0c:1:0:242:22:233
IP: ssl://[fd6d:8d64:af0c:1:0:242:22:233]:61616
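The input file is easy to get wrong before it ever reaches sechkey: a missing mandatory line, an unquoted or reversed date, or an IPv6 literal with a port but no brackets. The validator below is an added example written for this page; it is not part of the sechkey utility or of Privileged Access Manager. It takes the field names and the mm/dd/yy date form from the sample files above. The serial-number shape (dash-separated hex octets), the subject check (at least one name=value pair) and the acceptance of a v4addr:port form in the IP field are assumptions. The two embedded sample files are constructed to mirror the IPv4 and IPv6 excerpts.

```python
"""Pre-flight validator for a sechkey -in file (added example, not sechkey code).

Field names and the date form come from the page's samples; the SERIAL shape,
the SUBJECT check and the v4addr:port handling are assumptions.
"""
import ipaddress
from datetime import datetime

MANDATORY = ("SERIAL", "SUBJECT", "NOTBEFORE", "NOTAFTER")
OPTIONAL = ("EMAIL", "URI", "DNS", "IP")
DATE_FORMAT = "%m/%d/%y"  # assumed from the page's "12/31/08" example

# Constructed sample inputs mirroring the page's IPv4 and IPv6 excerpts.
SAMPLE_IPV4 = """\
SERIAL: 00-15-58-C3-5E-4B
SUBJECT: CN=192.168.0.1
NOTBEFORE: "12/31/08"
NOTAFTER: "12/31/09"
URI: http://www.example.com
DNS: 168.192.0.100
IP: 168.192.0.1
"""

SAMPLE_IPV6 = """\
SERIAL: 00-15-58-C3-5E-4C
SUBJECT: CN=pam-server.example.com
NOTBEFORE: "12/31/08"
NOTAFTER: "12/31/09"
DNS: fd6d:8d64:af0c:1:0:242:22:233
IP: ssl://[fd6d:8d64:af0c:1:0:242:22:233]:61616
"""


def parse_input(text):
    """Turn 'KEY: value' lines into a dict; surrounding quotes are stripped."""
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")  # first colon only, so URIs survive
        if not sep:
            raise ValueError(f"line {lineno}: expected 'KEY: value'")
        key = key.strip().upper()
        if key in fields:
            raise ValueError(f"line {lineno}: duplicate field {key}")
        fields[key] = value.strip().strip('"')
    return fields


def extract_ip(value):
    """Return the address in an IP field: a bare literal, scheme://[v6]:port, or v4:port.

    An IPv6 address with a port must be bracketed; otherwise the port is ambiguous.
    """
    host = value.split("://", 1)[1] if "://" in value else value
    if host.startswith("["):
        end = host.find("]")
        if end < 0:
            raise ValueError("unterminated '[' in IP field")
        return ipaddress.ip_address(host[1:end])
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        # Not a bare literal: assume a trailing :port on an IPv4 address.
        return ipaddress.ip_address(host.rsplit(":", 1)[0])


def validate(text):
    """Return a list of problems; an empty list means the file is usable."""
    try:
        fields = parse_input(text)
    except ValueError as exc:
        return [str(exc)]
    errors = [f"missing mandatory field {k}" for k in MANDATORY if k not in fields]
    errors += [f"unknown field {k}" for k in fields if k not in MANDATORY + OPTIONAL]

    serial = fields.get("SERIAL", "")
    hexdigits = set("0123456789abcdefABCDEF")
    if serial and not all(len(o) == 2 and set(o) <= hexdigits for o in serial.split("-")):
        errors.append(f"SERIAL must be dash-separated hex octets, got {serial!r}")

    subject = fields.get("SUBJECT", "")
    if subject and not any("=" in part for part in subject.split(",")):
        errors.append(f"SUBJECT must contain at least one name=value RDN, got {subject!r}")

    dates = {}
    for key in ("NOTBEFORE", "NOTAFTER"):
        if key in fields:
            try:
                dates[key] = datetime.strptime(fields[key], DATE_FORMAT)
            except ValueError:
                errors.append(f"{key} is not a {DATE_FORMAT} date: {fields[key]!r}")
    if len(dates) == 2 and dates["NOTBEFORE"] >= dates["NOTAFTER"]:
        errors.append("NOTAFTER must be later than NOTBEFORE")

    if "IP" in fields:
        try:
            extract_ip(fields["IP"])
        except ValueError as exc:
            errors.append(f"IP field is not a usable address: {exc}")
    if "URI" in fields and "://" not in fields["URI"]:
        errors.append("URI must include a scheme, e.g. http://")
    if "EMAIL" in fields and "@" not in fields["EMAIL"]:
        errors.append("EMAIL must contain '@'")
    if "DNS" in fields and (not fields["DNS"] or " " in fields["DNS"]):
        errors.append("DNS must be a single host name or address")
    return errors


if __name__ == "__main__":
    for name, sample in (("IPv4 sample", SAMPLE_IPV4), ("IPv6 sample", SAMPLE_IPV6)):
        problems = validate(sample)
        print(name, "OK" if not problems else problems)
```

Run it over the file you intend to pass with -in before stopping Privileged Access Manager; an empty result means every mandatory field is present, the validity window is ordered, and the IP field parses as a real address. Because the page's IPv4 sample places an address literal in the DNS field, the DNS check deliberately accepts either a host name or an address.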