Page tree

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Minor updates

This article describes how to sign configuration files for Central Certificate Manager (CCM) and Certificate Issuing System (CIS). CCM and CIS are two of the server components in Nexus Certificate Manager (CM) that make up the Certificate Authority (CA).

An administration officer, with Configuration tasks privileges, has the right to sign these configuration files. If an active officer in the system has this privilege, the Configuration Signature Checker (CSC) process will verify configuration files during startup. For more detailed information on how the CSC process verifies configuration signatures and how they are signed by the officer, refer to the Technical Description.

The recommended procedure is:

  1. Assign the role 'Configuration tasks' to an officer.
  2. The officer signs the configuration file.
  3. Restart the Certificate Factory (CF).

If, for example, the configuration file is changed without being signed, the CM system will start in maintenance mode. See Change operation mode of Certificate Manager.



The following prerequisites apply:

  • The administration officer must have the following roles
    • Use AWB
    • Configuration tasks
  • A connection to the CM host must have been established. See Connect to a CM host.
  • The certificate to be used for the new officer must be available.

It is highly recommended to sign the configuration files with the officer before activating it (Does 'before activating it' mean that you shall sign the configuration files before the officer is set to State = Active? That is, shall the officer be in State = Closed? And what does 'it' refer to?). The CSC will only verify the CCM configuration files on startup, but CIS configuration files will be verified as soon as the officer is activated. Refer to the Technical Description for more details.


The configuration signature procedure is not part of the Administrator's workbench (AWB).

Instead, use a configuration signer command line utility located at <install_root>/tools in the CM installation and/or the CIS installation directory.


The officer certificate must have either no key usages, or non-repudiation key usage to be considered as a valid configuration signer officer.