000020208 - How to create SSL certificate for Keon Certificate Authority API applications

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017. Version 4.

Article Content

Article Number: 000020208
Applies To: Keon Certificate Authority API
Issue: How to create an SSL certificate for Keon Certificate Authority API applications
Resolution: You can use any type of SSL certificate and key with a Keon Certificate Authority API application; you only have to modify the LDAP access control rules accordingly. For instance, you can generate a new key and certificate with the KCA API sample program CASignCertificate. A few important notes on using CASignCertificate:

- By default, the key is saved in a format different from that of admin.key (in the directory WebServer\ssl\private).
- The header and footer lines of the certificate and key files are written as "----- BEGIN..." with an extra space between "-----" and "BEGIN...". This space is unnecessary and can cause problems, so remove it from both the header and the footer lines.

Additionally, the KCA API handles keys in two different formats. See the solution titled Why can't I use a private key object with some Keon Certificate Authority API function calls? for more information on what those types of keys are and which KCA API functions can be used with each type of key.

If your new KCA API application will issue certificates and will use the new SSL key and certificate, add an LDAP rule entry granting the new certificate access to the backend signing engine. To do so, go to System Configuration Workbench in the Keon CA Admin interface, click LDAP Rules, and find a rule similar to the following:

  # CA admin server access to CA operations
  # (signing) backend.
  access to dn="o=ca,o=services"
    by dn="md5=<MD5-of-SentryCA-admin-server-cert>" write
    by dn=".*" none

Immediately before the 'by dn=".*" none' line, add the line 'by dn="md5=<MD5-of-your-cert>" write', substituting the MD5 fingerprint of the certificate that you want to grant permission to. Then click the 'Save ACL rules to database' button.

If you want to allow the new certificate access to only one CA, create a complete new LDAP rule and add it immediately before the lines mentioned above. The rule in this case would look like:

  access to dn="md5=<MD5-of-CA-cert>,o=ca,o=services"
     by dn="md5=<MD5-of-SentryCA-admin-server-cert>" write
     by dn="md5=<MD5-of-your-cert>" write
     by dn=".*" none

If you have installed Keon RA with a target CA in this Keon CA installation, there may already be a specific rule added to the LDAP rules for that target CA, which may look like the following:

  # Admin server has write access to the CA operations (signing)
  # backend -- access is denied to all other clients.
  # RA admin and scep server access to Target CA operations
  # (signing) backend.
  access to dn="md5=<MD5-of-targetCA-cert>,o=ca,o=services"
     by dn="md5=<MD5-of-SentryRA-admin-server-cert>" write
     by dn="md5=<MD5-of-SentryCA-admin-server-cert>" write
     by dn=".*" none

In this case, you only need to add the new line mentioned above to this rule. Now you can use the new certificate and key with your new KCA API application to issue additional certificates.
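The two mechanical steps in this article (stripping the stray space from the CASignCertificate PEM boundaries, then inserting the 'by dn="md5=..." write' grant immediately before the 'by dn=".*" none' line) are easy to get subtly wrong by hand, so the following is an added Python example that automates both and checks the result; it is not code from the article or from RSA. The PEM and the rule text are constructed samples (the base64 body decodes to the three bytes "abc", not a real certificate), and it is an assumption that the md5= value in Keon CA's LDAP rules is the lowercase hex MD5 of the DER-encoded certificate; confirm that against an existing rule (for example the admin server's entry) before saving.

```python
import base64
import hashlib
import re

# Constructed sample: NOT a real certificate. The base64 body decodes to
# b"abc" so the resulting digest can be checked by hand.
SAMPLE_PEM = (
    "----- BEGIN CERTIFICATE-----\n"
    "YWJj\n"
    "----- END CERTIFICATE-----\n"
)

# Rule text in the shape shown in the article, with the article's placeholder.
SAMPLE_RULE = (
    '  # CA admin server access to CA operations\n'
    '  # (signing) backend.\n'
    '  access to dn="o=ca,o=services"\n'
    '    by dn="md5=<MD5-of-SentryCA-admin-server-cert>" write\n'
    '    by dn=".*" none\n'
)

# Matches "----- BEGIN " / "----- END " (with the extra space) at line start.
_BAD_BOUNDARY = re.compile(r"^-----\s+(BEGIN|END)\s+", re.MULTILINE)


def fix_pem_boundaries(pem: str) -> str:
    """Remove the stray space CASignCertificate writes between '-----' and BEGIN/END."""
    return _BAD_BOUNDARY.sub(r"-----\1 ", pem)


def pem_to_der(pem: str) -> bytes:
    """Decode the base64 body between the BEGIN and END lines."""
    body = [ln.strip() for ln in fix_pem_boundaries(pem).splitlines()
            if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def cert_md5_hex(pem: str) -> str:
    """MD5 of the DER bytes as lowercase hex. Assumption: this is the form the
    md5= DN in Keon CA's LDAP rules expects; verify against an existing rule."""
    return hashlib.md5(pem_to_der(pem)).hexdigest()


# The deny-all clause that must stay last in every rule.
DENY_ALL = re.compile(r'^(\s*)by dn="\.\*" none\s*$')


def grant_write(rule: str, md5_hex: str) -> str:
    """Insert 'by dn="md5=<hex>" write' immediately before the deny-all line,
    reusing its indentation, so the default-deny clause remains last."""
    lines = rule.splitlines()
    deny_idx = [i for i, ln in enumerate(lines) if DENY_ALL.match(ln)]
    if len(deny_idx) != 1:
        raise ValueError('rule must contain exactly one by dn=".*" none line')
    i = deny_idx[0]
    indent = DENY_ALL.match(lines[i]).group(1)
    grant = f'{indent}by dn="md5={md5_hex}" write'
    if grant in lines:
        return rule  # already granted; do not add a duplicate clause
    lines.insert(i, grant)
    return "\n".join(lines) + "\n"


def check_rule(rule: str) -> bool:
    """Sanity check before clicking 'Save ACL rules to database': the last
    'by' clause must be the deny-all, so nothing is granted after it."""
    by_lines = [ln for ln in rule.splitlines() if ln.strip().startswith("by dn=")]
    return bool(by_lines) and DENY_ALL.match(by_lines[-1]) is not None


if __name__ == "__main__":
    digest = cert_md5_hex(SAMPLE_PEM)
    new_rule = grant_write(SAMPLE_RULE, digest)
    assert check_rule(new_rule)
    print(fix_pem_boundaries(SAMPLE_PEM))
    print(new_rule)
```

Run the script on the real PEM file written by CASignCertificate and on the rule text copied from the LDAP Rules page; paste the printed rule back only if check_rule passes, which guarantees the deny-all line is still the final clause.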

NOTE: See the solution titled Why can't I use a private key object with some Keon Certificate Authority API function calls? for additional related information.
Legacy Article ID: a15223