Certificates - Management and Security Server Administrator Guide

5.4 Certificates

Certificates in Management and Security Server generally identify a client or server. (Client certificates can identify individuals.)

During authentication, Entity A presents a certificate to Entity B, which checks the signature against its store of trusted certificates. If the certificate or its root is trusted, the transaction proceeds. If not, Entity B may either reject the transaction or present Entity A's user with a warning.

Server certificates. The need for server certificates depends on the security settings that are used for your terminal sessions:

  • If you use TLS/SSL security, the Host needs server certificates.

  • If you use the Security Proxy Server, both the Management and Security Server and the Security Proxy need server certificates.

Use the Certificates panel to generate and apply a self-signed certificate for Management and Security Server or to import a signed client certificate to share.

5.4.1 Administer the Management and Security Server Certificate

Management and Security Server requires a certificate to connect to the Security Proxy. You can generate a self-signed certificate or import a CA-signed certificate and private key.

Generate a self-signed certificate

This form generates a self-signed Management and Security Server certificate that can be used to connect to the Security Proxy. If a self-signed server certificate already exists, the certificate generated here will replace it.

To Generate the certificate:

  1. Enter the Common name of the site on which the certificate will be installed, such as hostname.company.com (for an external site) or hostname (for an internal site).

  2. Enter the required information.

  3. Open Advanced Settings, and confirm or change the settings, as desired.

  4. Click Generate and View Details to verify your entries.

Import a key pair

If a server certificate and private key already exist, the imported key pair will overwrite them.

To Import the key pair:

  1. Copy the file containing the certificate and the private key into this folder on the Management and Security Server:

    UNIX: /var/opt/microfocus/mss/mssdata/certificates

    Windows: C:\ProgramData\Micro Focus\MSS\MSSData\Certificates

  2. Enter the required information.

    Keystore file name: the file that contains the certificate

    Keystore password: that protects the file that contains the certificate

    Friendly name: so you can easily identify the certificate

  3. Click Import.


5.4.2 Administer Shared Client Certificate

A client certificate is used to identify users connecting to the Security Proxy or to a TLS/SSL host when client authentication is required. If all users share the same client certificate, the Administrative Server can automatically distribute it to the emulator clients when needed.

If a server certificate and private key already exist, the imported key pair will overwrite them.

To Import the key pair:

  1. Copy the file containing the certificate and the private key into this folder on the Management and Security Server:

    UNIX: /var/opt/microfocus/mss/mssdata/certificates

    Windows: C:\ProgramData\Micro Focus\MSS\MSSData\Certificates

  2. Enter the required information.

    Keystore file name: the file that contains the certificate

    Keystore password: that protects the file that contains the certificate

    Friendly name: so you can easily identify the certificate

  3. Click Import.


5.4.3 Other certificates

Certificates that are needed for other functions are managed differently.

  • To generate other self-signed certificates or to import signed certificates to the Security Proxy, clients, or host systems, use the certificate features in those components.

  • Use the Security Proxy Wizard to manage the Security Proxy certificate.

  • Use the HTTPS Certificate Utility to administer web certificates (for use with Tomcat) or to generate a Certificate Signing Request (CSR).

HTTPS Certificate Utility

This utility, which is opened from the Start menu, installs or updates a certificate for the HTTP server functionality that is included with Management and Security Server. This certificate enables clients to establish secure connections (HTTPS) to the services provided by the Management and Security Server.

The HTTPS Certificate Utility also provides the option to create a private key and a Certificate Signing Request (CSR).

How to Generate a Certificate Signing Request (CSR)

A Certificate Signing Request or CSR is a block of encoded text that is given to a Certificate Authority (CA) when applying for an SSL Certificate. The CSR includes identity information and a public key. A CA verifies the identity of the server's domain name and its owner and then adds a signature to the certificate to verify the server's authenticity to other computers.

The Certificate Authority uses a CSR to create your SSL certificate, but it does not need your private key. Keep your private key secret.

Choose a method to generate a CSR and obtain a CA-signed certificate:

Use the HTTPS Certificate Utility

To generate a CSR and a new private key:

  1. Open the HTTPS Certificate Utility from the Start menu. (It installs with Management and Security Server.)

  2. Proceed through the utility, and review your previous actions, if pertinent.

  3. On the Select a certificate action screen, select Generate a new key pair and Certificate Signing Request.

  4. Proceed through the screens to specify information for the certificate:

    • a Friendly Name

    • a Common Name

    • the certificate's organization and locality

    • the certificate's validity and key length

    • the directory that will store the private key and the CSR

    • the certificate store's File name, File type, and Password that will be used to store the private key and the CSR

  5. Note the Next steps and Quit the HTTPS Certificate Utility.


  6. Send the *.csr file from the directory you specified to the Certificate Authority (CA) of your choice. Do not send your private key.


  7. When the signed SSL certificate is received from the CA (response time varies), return to the HTTPS Certificate Utility to import the certificate together with the private key that was generated in the previous steps.

  8. Proceed to the Select a certificate action screen, and select Import a certificate and private key.

  9. Enter the certificate store file name that you previously specified.

  10. Enter the keystore's password.

  11. Click Next to apply the configuration changes. Click Done to close the utility.

Use a Certificate Authority’s Instructions

To generate a CSR and obtain a CA-signed certificate, choose a CA, follow their instructions, and use the tools they provide. Here are some examples, with links to the CSR generation instructions:

CAs provide detailed instructions for common tools such as keytool and openssl. Some have their own tools that you can download. Creating a CSR can also be done completely online. For example, see SSL Tools.

Use Commands for Keytool or Openssl Tool

If you are unable to use the HTTPS Certificate Utility or follow the instructions from a CA, you can use the manual keytool commands to perform the three CSR steps: generate a key, generate a CSR, and import the response from the CA.

  1. keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore keystore.jks

  2. keytool -certreq -alias server -keyalg RSA -file server.csr -keystore keystore.jks

  3. keytool -importcert -trustcacerts -alias server -file careply -keystore keystore.jks

    The alias must match the key entry created in step 1 so that the CA reply replaces that entry's certificate chain; without -alias, keytool uses the default alias mykey and stores the reply as a separate trusted-certificate entry instead.

Or, you can use the openssl tool to generate CSRs and keys in two steps: generate a key and a CSR, and import the response from the CA.

  1. openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

  2. openssl pkcs12 -export -out keystore.p12 -in careply -inkey server.key
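The openssl steps above, and the CSR description earlier in this section, as an added example that is not code from the MSS guide: each step is wrapped with the checks a practitioner wants before the CSR is sent (self-signature verifies, public key matches the private key, no private key in the file) and before the CA reply is bundled (the certificate really certifies this key). The CA is a constructed local stand-in so the flow runs offline; the hostname, organization and keystore password are assumed values.

```shell
# Added example (not from the MSS guide): openssl CSR workflow with checks.
# The CA step is a constructed stand-in; in practice it is your real CA's reply.
set -eu

# Step 1: new private key and CSR. -subj avoids interactive prompts; the CN is
# an assumed hostname, not one taken from the guide.
gen_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/server.key" \
    -out "$1/server.csr" -subj "/CN=hostname.example.com/O=Example Org" 2>/dev/null
}

# Before the CSR leaves the machine: its self-signature verifies, its public key
# matches our private key, and the file to send carries no private key material.
check_csr() {
  openssl req -in "$1/server.csr" -noout -verify >/dev/null 2>&1 || return 1
  csr_pub=$(openssl req -in "$1/server.csr" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$1/server.key" -pubout | openssl sha256)
  [ "$csr_pub" = "$key_pub" ] || return 1
  ! grep -q "PRIVATE KEY" "$1/server.csr"
}

# Constructed stand-in for the CA: a throwaway self-signed CA signs the CSR and
# writes the reply under the file name the guide's step 2 expects (careply).
fake_ca_sign() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/careply" 2>/dev/null
}

# Step 2: confirm the reply certifies our key (a mixed-up or substituted
# certificate fails here), then build the PKCS#12 keystore; -name sets the
# alias the entry is later referenced by. Password is an assumed value.
import_reply() {
  crt_pub=$(openssl x509 -in "$1/careply" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$1/server.key" -pubout | openssl sha256)
  [ "$crt_pub" = "$key_pub" ] || return 1
  openssl pkcs12 -export -name server -in "$1/careply" -inkey "$1/server.key" \
    -out "$1/keystore.p12" -passout pass:changeit
}

# Whole flow in a scratch directory; returns 0 only if every check passed.
run_flow() {
  d=$(mktemp -d)
  gen_csr "$d" && check_csr "$d" && fake_ca_sign "$d" && import_reply "$d"
}
```

Call run_flow to exercise the flow end to end; the scratch directory it creates holds server.key, server.csr, careply and keystore.p12 for inspection.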
