
This article describes how to sign configuration files for Central Certificate Manager (CCM) and Certificate Issuing System (CIS). CCM and CIS are two of the server components in Nexus Certificate Manager (CM) that make up the Certificate Authority (CA).

An administration officer with the Configuration tasks privilege has the right to sign these configuration files. If an active officer in the system has this privilege, the Configuration Signature Checker (CSC) process verifies configuration files during startup. For more detailed information on how the CSC process verifies configuration signatures and how the officer signs them, refer to the Technical Description.

The recommended procedure is:

  1. Assign the role 'Configuration tasks' to an officer.
  2. The officer signs the configuration file.
  3. Restart the Certificate Factory (CF).

If, for example, the configuration file is changed without being signed, the CM system will start in maintenance mode. See Change operation mode of Certificate Manager.


 Prerequisites

The following prerequisites apply:

  • The administration officer must have the following roles:
    • Use AWB
    • Configuration tasks
  • A connection to the CM host must have been established. See Connect to a CM host.
  • The certificate to be used for the new officer must be available.

The CSC will only verify the CCM configuration files on startup, but CIS configuration files will be verified as soon as the officer is activated. Refer to the Technical Description for more details.

 Instruction

The configuration signature procedure is not part of the Administrator's workbench (AWB).

Instead, use a configuration signer command line utility located at <install_root>/tools in the CM installation and/or the CIS installation directory.

To be considered a valid configuration signer officer, the officer certificate must have either no key usages or the non-repudiation key usage.
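
The key usage rule above can be checked before signing with the OpenSSL command line. The following is an added example, not part of the Nexus tooling: the function names are hypothetical, the sample text is constructed, and it assumes non-repudiation only has to be among the asserted bits, since this page does not say whether other bits may accompany it.

```shell
#!/bin/sh
# Added example (not Nexus code): pre-check an officer certificate against the
# configuration-signer rule: no key usage extension, or non-repudiation.

# Reads `openssl x509 -noout -text` output on stdin and prints
# none | nonrepudiation | other
classify_key_usage() {
    awk '
        !found && /X509v3 Key Usage:/ { found = 1; getline usages; next }
        END {
            if (!found)                          print "none"
            else if (usages ~ /Non Repudiation/) print "nonrepudiation"
            else                                 print "other"
        }'
}

# Exit status 0 if the text on stdin describes an acceptable signer certificate.
# Assumption: non-repudiation only has to be among the asserted bits.
signer_key_usage_ok() {
    case "$(classify_key_usage)" in
        none|nonrepudiation) return 0 ;;
        *)                   return 1 ;;
    esac
}

# check_signer_cert FILE: 0 = acceptable, 1 = wrong key usage, 2 = unreadable.
check_signer_cert() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    printf '%s\n' "$text" | signer_key_usage_ok
}

# Constructed excerpts of openssl text output (not real certificates).
SAMPLE_NONREP='        X509v3 extensions:
            X509v3 Key Usage: critical
                Non Repudiation'
SAMPLE_TLS='        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication'
SAMPLE_NO_KU='        X509v3 extensions:
            X509v3 Subject Key Identifier:
                (constructed placeholder)'

for s in "$SAMPLE_NONREP" "$SAMPLE_TLS" "$SAMPLE_NO_KU"; do
    printf '%s\n' "$s" | classify_key_usage
done
```

Run `check_signer_cert` on the officer certificate file (PEM) before the signing step; an exit status of 1 means the certificate carries a key usage extension without non-repudiation.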