Certificate Authority signature constraint to use keyUsage as critical
CA Release Automation
CA RELEASE AUTOMATION Data Management SERVER:RADBMS
As a security consideration in our organization, we are constrained to use only permitted certificates generated via a Certificate Authority signature from the certificate authority process. Our security standards mandate that we have certificates with keyUsage=critical.
As per the
it is mentioned that
"The certificate/keystore used to sign the jar file (during the jarsigner step) cannot have the combination of KeyUsage = critical and ExtendedKeyUsage = serverAuth. The combination is not allowed to sign code."
Question: How can we configure secure communication for the Release Operation Center (ROC) UI and ASAP studio in line with our security policy?
The considerations for enabling SSL for the various components of CA Release Automation (CA RA) are listed below:
For a Certificate Authority signature, ensure that the client certificate allows the use of "ServerAuth" and "ClientAuth". This enables the Agent to Execution Server communication.
The certificate/keystore with combination of keyUsage=
is not a valid code-signing combination required to enable SSL for ASAP studio.
The certificate with combination having only keyUsage=
not a sufficient combination to configure SSL for the ROC UI, as the server will not be presenting the certificates to clients such as a web browser
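A pre-flight check for the two rules stated above (the quoted jar-signing restriction and the ServerAuth/ClientAuth requirement for Agent to Execution Server communication), given as an added example that is not part of the original document or the product. It parses the extension section printed by `openssl x509 -noout -text`; the function names and both sample certificates are constructed for illustration, and the signing sample is an assumption, not a combination taken from this document.

```python
import re

# Constructed sample: extension section as printed by `openssl x509 -noout -text`.
SAMPLE_TLS_CERT = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
"""

# Constructed sample (assumption): a certificate carrying only a code-signing EKU.
SAMPLE_SIGNING_CERT = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                Code Signing
"""


def parse_extension(text, name):
    """Return (critical, [values]) for one X509v3 extension, or (False, [])."""
    pattern = r"X509v3 %s:[ \t]*(critical)?[ \t]*\n[ \t]*([^\n]+)" % re.escape(name)
    m = re.search(pattern, text)
    if not m:
        return False, []
    return m.group(1) is not None, [v.strip() for v in m.group(2).split(",")]


def check_certificate(text):
    """Evaluate one certificate's text dump against the two rules above."""
    ku_critical, key_usage = parse_extension(text, "Key Usage")
    _, eku = parse_extension(text, "Extended Key Usage")
    server_auth = "TLS Web Server Authentication" in eku
    client_auth = "TLS Web Client Authentication" in eku
    return {
        "key_usage_critical": ku_critical,
        "key_usage": key_usage,
        "extended_key_usage": eku,
        # Quoted rule: critical KeyUsage plus serverAuth EKU must not sign jars.
        "rejected_for_jar_signing": ku_critical and server_auth,
        # Agent to Execution Server communication needs both EKU values.
        "ok_for_agent_communication": server_auth and client_auth,
    }
```

Run `check_certificate` on the text dump of each certificate before importing it into the keystore, so a certificate intended for jar signing is caught if it carries the rejected combination.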
CA RA: 6.5, 6.6 and higher
Note: It may also be applicable to lower release versions. However, this document was validated with the most recent version of RA.
Generate two certificates with the below combinations
Import the keys pertaining to both certificates into the custom-keystore.jks file
Use the 1st certificate to enable SSL for ROC, i.e. by pointing to this particular certificate alias etc. in
of Data Management Server
Use the 2nd certificate to enable SSL for ASAP by using it to generate
custom-truststore.jar and signing
Note: For more details on the steps to enable SSL for CA RA, please see the product documentation referenced in the Additional Information section.
Secure Communication CA Release Automation