How to apply CA (Certificate Authority) signed certificates to your EEM (Embedded Entitlements Manager) Server.

Document ID : KB000010732
Last Modified Date : 14/02/2018
Introduction:

     How to apply CA (Certificate Authority) signed certificates to your EEM (Embedded Entitlements Manager) Server.

Instructions:

*On a Linux/Unix environment, you need to run 'su - dsa' before running the commands below.

 

You can use the provided DXcertgen tool to create the CSR that will be sent to your Certificate Authority for signing.

The link below documents the DXcertgen tool's switches, which specify key length, expiry date, etc.

https://docops.ca.com/ca-directory/12-0-18/en/administrating/tools-to-manage-ca-directory/dxtools/dxcertgen-tool-generate-and-work-with-certificates

 

If you will be using the provided DXcertgen tool for creating the CSR please do the following:

  • Navigate to the DXHOME folder ($DXHOME/config/ssld or %DXHOME%\config\ssld) and run the following command:  dxcertgen certreq
  • This command will create the CSR that you will send to your signing authority, and the private key.
  • After the CSR is sent to the Certificate Authority for signing, you should receive a signed server certificate and a trusted root certificate.
  • You will then run the 'certmerge' command from the DXcertgen utility to merge the newly signed server certificate with the original private key, which adds it to the personalities folder (%DXHOME%\config\ssld\personalities\itechpoz.pem).
  • This is the command you would run:    dxcertgen -D itechpoz -n <name-of-new-cert-file> certmerge
  • Run the 'importca' command to import the trusted root certificate to the trusted.pem (%DXHOME%\config\ssld).
  • Run this command:   dxcertgen -n <name-of-trusted-root-file> importca
  • Once imported, copy the contents of the trusted.pem to the itechpoz-trusted.pem file (this is the file EEM reads).  Both files are located in %DXHOME%\config\ssld.
  • Restart the DSA so that it can read the new certificates, by running the following commands:    

     dxserver stop itechpoz

     dxserver start itechpoz

 

Instructions for EEM Servers in Failover/Replication mode 

When you have two or more EEM Servers in Failover/Replication mode, you will need to import as follows:

  • On the Primary server, you must perform the 'certmerge' command, against its respective server certificate.
  • On the Secondary server, you must perform the 'certmerge' command, against its certificate (repeat on the Tertiary, Quaternary, etc).
  • Run the following command on both (or all EEM) servers:   dxcertgen -D itechpoz -n <name-of-new-cert-file> certmerge 
  • On the Primary Server, run the 'importca' command to import the trusted root certificate to the trusted.pem (%DXHOME%\config\ssld).
  • Run this command:   dxcertgen -n <name-of-trusted-root-file> importca
  • Once imported, copy the contents of the trusted.pem to the itechpoz-trusted.pem file (%DXHOME%\config\ssld).
  • Now copy the itechpoz-trusted.pem from the Primary server to the same location on the Secondary server (and all servers).  Now all the EEM servers share the 'Trust Store'.
  • Restart the DSAs on all EEM servers, so that they can read the new certificates, by running the following commands:

     dxserver stop itechpoz

     dxserver start itechpoz
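
A check you can run after the copy steps in both procedures above, before restarting the DSA: it confirms that itechpoz-trusted.pem on each server holds the same root certificates as trusted.pem and that no private key was copied along with them. This is an added example, not part of the original KB article or of CA's tooling; the function names are hypothetical and the PEM blocks are constructed placeholder data, not real certificates.

```python
import base64
import hashlib
import re

CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def cert_fingerprints(pem_text):
    """SHA-256 fingerprint (hex) of each certificate's DER bytes in a PEM bundle."""
    prints = set()
    for body in CERT_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        prints.add(hashlib.sha256(der).hexdigest())
    return prints


def check_trust_store(reference_pem, candidate_pem):
    """Compare a candidate trust file against the reference bundle.

    Order and whitespace are ignored; only the certificates themselves count.
    """
    ref, cand = cert_fingerprints(reference_pem), cert_fingerprints(candidate_pem)
    return {
        "missing": sorted(ref - cand),   # roots the candidate does not trust
        "extra": sorted(cand - ref),     # roots only the candidate trusts
        "has_private_key": bool(KEY_RE.search(candidate_pem)),
    }


def _constructed_pem(label, payload):
    # Constructed sample armor: payload is placeholder bytes, not a real certificate.
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


ROOT_A = _constructed_pem("CERTIFICATE", b"constructed root A" * 4)
ROOT_B = _constructed_pem("CERTIFICATE", b"constructed root B" * 4)
KEY = _constructed_pem("PRIVATE KEY", b"constructed key" * 4)

if __name__ == "__main__":
    trusted = ROOT_A + ROOT_B          # stands in for trusted.pem after importca
    primary = ROOT_B + "\n" + ROOT_A   # itechpoz-trusted.pem, same roots reordered
    secondary = ROOT_A + KEY           # stale copy that also picked up a key
    for name, pem in (("primary", primary), ("secondary", secondary)):
        print(name, check_trust_store(trusted, pem))
```

In practice, read the real files from %DXHOME%\config\ssld on each server and pass their contents to check_trust_store; an empty "missing" and "extra" list with "has_private_key" false means the trust stores match.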