How do I re-import the Certificates Files needed for the ITCM Agent?

Document ID : KB000021512
Last Modified Date : 14/02/2018
Show Technical Document Details


It may become necessary to re-import the default CA Client Automation certificates due to missing or corrupt certificates on agents or other CA Client Automation components. 



The list of Certificate Files that get installed on an agent are found in the cfcert.ini file on the CA Client Automation Installation Media.

This file is located in the ...\WindowsProductFiles_x86\Manager\Program Files\CA\DSM\bin directory of DVD #1.

The associated commands to import these certificates are also listed in this file in the "Files" section of cfcert.ini.

For example, the Files section is posted below.

itrm_dsm_r11_root.der=cacertutil import -i:itrm_dsm_r11_root.der -it:x509v3
basic_id.p12=cacertutil import -i:basic_id.p12 -ip:enc:uAa8VNL4DKZlUUtFk5INPnr2RCLGb4h0 -h -t:dsmcommon
ccsm.p12=cacertutil import -i:ccsm.p12 -t:csm -ip:enc:IWhun2x3ys7y1FM8Byk2LMs56Rr8KmXQ
itrm_dsm_r11_cmdir_eng.p12=cacertutil import -i:itrm_dsm_r11_cmdir_eng.p12 -ip:enc:gYuzGzNcIYzWjHA6w542pW68E8FobJhv -t:dsm_cmdir_eng
itrm_dsm_r11_sd_catalog.p12=cacertutil import -i:itrm_dsm_r11_sd_catalog.p12 -ip:enc:wdyZd4DXpx6j5otwKY0jSaOOVLLi0txQruDVOslGOlNIMZw96c85Cw -t:dsmsdcat
itrm_dsm_r11_agent_mover.p12=cacertutil import -i:itrm_dsm_r11_agent_mover.p12 -ip:enc:sytOQtZteLopAt1CX0jIJUJcpqBWrb7G7VegY7F7udogc1c5kLIylw -t:dsmagtmv
registration.p12=cacertutil import -i:registration.p12 -ip:enc:z5jLhmvfkaAF4DLMDp3TWuC7nG8yh3dfvmN668thfrU -t:dsm_csvr_reg
babld.p12=cacertutil import -i:babld.p12 -ip:enc:TrdWglmuNCdeOAfj2j3vMwywVbGnlIvX -t:babld_server
dsmpwchgent.p12=cacertutil import -i:dsmpwchgent.p12 -ip:enc:QWF8vknD5aZsU1j5RLzgt1NQgF5DcXj4v1vS4ewDzOA -t:ent_access
dsmpwchgdom.p12=cacertutil import -i:dsmpwchgdom.p12 -ip:enc:sqb9qO2SGjbYqzIvwM7HEbx0M6UJk8Dc82EvUoDeJmE -t:dom_access
dsmpwchgrep.p12=cacertutil import -i:dsmpwchgrep.p12 -ip:enc:x901eho57IZ19zg6g97rQetHjA1461na7nhBmJl7mcc -t:rep_access
babldstsrv.p12=cacertutil import -i:babldstsrv.p12 -ip:enc:decsZwCNcvGIN6MlopBq2QpsynMKYh9yqlxHiAlkfXg -t:babld_staging_server
babldwebsrv.p12=cacertutil import -i:babldwebsrv.p12 -ip:enc:wJGYDv5lmFCMwQMlE0tu8X5ggNO2As9dnzZuXt14pX4 -t:babld_web_service



CA Client Automation - All Versions



The command to import each certificate is a subset of the lines listed under [Files] in cfcert.ini.

For example, consider this line from above:
basic_id.p12=cacertutil import -i:basic_id.p12 -ip:enc:uAa8VNL4DKZlUUtFk5INPnr2RCLGb4h0 -h -t:dsmcommon

The import command used would be:
cacertutil import -i:basic_id.p12 -ip:enc:uAa8VNL4DKZlUUtFk5INPnr2RCLGb4h0 -h -t:dsmcommon

To run this successfully, these commands must be run from the %sdroot%\..\bin directory(DSM\bin).

Make sure CAF is stopped before running the imports.

To see if the certificates are now valid you can run the following command:
cacertutil list -v

If successful for the above example, an item like the following will be in the output:
dsmcommon = CN=Generic Host Identity,O=Computer Associates,C=US

Notice that 'dsmcommon' is the string after the '-t:' in the command to generate the certificate.


Agent Certificate Install Procedure:

For the agent components you can skip the "ccsm.p12", "babldstsrv.p12 abd", and the "babldwebsrv.p12".

For other CA Client Automation components such as Scalability Servers and Domain Managers,

you can verify which Certificate files need to be imported by seeing which *.p12 files are in your DSM\bin directory.

In most cases the agent should only need to run the commands below from the DSM\bin directory...

  1. cacertutil import -i:itrm_dsm_r11_root.der -it:x509v3 -trust

  2. cacertutil import -i:basic_id.p12 -ip:enc:uAa8VNL4DKZlUUtFk5INPnr2RCLGb4h0 -h -t:dsmcommon -identity

  3. cacertutil import -i:itrm_dsm_r11_cmdir_eng.p12 -ip:enc:gYuzGzNcIYzWjHA6w542pW68E8FobJhv -t:dsm_cmdir_eng -identity

  4. cacertutil import -i:itrm_dsm_r11_sd_catalog.p12 -ip:enc:wdyZd4DXpx6j5otwKY0jSaOOVLLi0txQruDVOslGOlNIMZw96c85Cw -t:dsmsdcat -identity

  5. cacertutil import -i:registration.p12 -ip:enc:z5jLhmvfkaAF4DLMDp3TWuC7nG8yh3dfvmN668thfrU -t:dsm_csvr_reg -identity

  6. cacertutil import -i:dsmpwchgent.p12 -ip:enc:QWF8vknD5aZsU1j5RLzgt1NQgF5DcXj4v1vS4ewDzOA -t:ent_access -identity

  7. cacertutil import -i:dsmpwchgdom.p12 -ip:enc:sqb9qO2SGjbYqzIvwM7HEbx0M6UJk8Dc82EvUoDeJmE -t:dom_access -identity

  8. cacertutil import -i:dsmpwchgrep.p12 -ip:enc:x901eho57IZ19zg6g97rQetHjA1461na7nhBmJl7mcc -t:rep_access -identity


Additional Information:

For more details on importing certificates please review the CA Implementation guide