iTP Secure WebServer System Administrator's Guide (Version 7.0)
Configuring for Secure Transport
iTP Secure WebServer System Administrator’s Guide—523346-012
4-15
Using the Keyadmin Utility to Manage Keys and Certificates
-dn 'dn'
specifies the full DN for the new key pair. Enclose this DN with apostrophes (') to
protect it from being interpreted by the shell.
Make sure to include the same field values entered on the CA request form and in
the exact order that the CA specifies. Also, enclose any value containing a comma
with quotation marks (").
The keyadmin command accepts these characters in the DN field:
A-Z a-z 0-9 (space) ' ( ) + , - . / : = ? #
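As an added example (not from the guide and not part of HP's keyadmin utility), the POSIX shell helpers below build a DN from attribute/value pairs in the order given, apply the comma-quoting rule above, check the result against the character list above, and show how to enclose the DN for the shell when the DN itself contains an apostrophe (which the list permits). The attribute values are constructed sample data; keyadmin is not invoked.

```shell
# Added example (not from the iTP Secure WebServer guide): helpers for building
# and sanity-checking the DN passed to keyadmin's -dn option.
# Rules taken from the guide: values containing a comma are enclosed in
# quotation marks ("), and the DN may contain only
#   A-Z a-z 0-9 (space) ' ( ) + , - . / : = ? #
# All attribute values below are constructed sample data.

# dn_quote VALUE: print VALUE, wrapped in quotation marks if it contains a comma.
dn_quote() {
    case "$1" in
        *,*) printf '"%s"' "$1" ;;
        *)   printf '%s' "$1" ;;
    esac
}

# dn_build ATTR=VALUE ...: print a comma-separated DN, quoting values as needed.
# Attributes are emitted in the order given, because the CA expects its own order.
dn_build() {
    out=""
    for pair in "$@"; do
        attr=${pair%%=*}
        value=${pair#*=}
        rdn="$attr=$(dn_quote "$value")"
        if [ -z "$out" ]; then out="$rdn"; else out="$out, $rdn"; fi
    done
    printf '%s' "$out"
}

# dn_check DN: return 0 if DN uses only characters keyadmin accepts (plus the
# quotation-mark delimiter) and every quotation mark has a partner, else 1.
dn_check() {
    # Delete every accepted character; anything left over is a violation.
    leftover=$(printf '%s' "$1" | LC_ALL=C tr -d "A-Za-z0-9 '()+,./:=?#\"-")
    [ -z "$leftover" ] || return 1
    # An odd number of quotation marks means an unterminated quoted value.
    quotes=$(printf '%s' "$1" | tr -cd '"' | wc -c | tr -d ' ')
    [ $((quotes % 2)) -eq 0 ] || return 1
    return 0
}

# dn_shell_quote DN: print DN enclosed in apostrophes so the shell passes it to
# keyadmin unchanged. The guide's character set allows an apostrophe inside the
# DN, so a bare 'DN' would break on a value such as O'Brien; each embedded
# apostrophe is therefore emitted as the sequence '\'' .
dn_shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Usage: build the DN, stop if it is malformed, then show the quoted argument
# to place after -dn on the keyadmin command line.
main() {
    DN=$(dn_build C=US O="Example Inc" OU="Sales, Marketing" CN=www.example.com)
    if dn_check "$DN"; then
        printf 'DN accepted: -dn %s\n' "$(dn_shell_quote "$DN")"
    else
        printf 'DN rejected (disallowed character or unbalanced quotes): %s\n' "$DN" >&2
        return 1
    fi
}

main
```

The check runs before any request is generated, so a DN that keyadmin would reject (a character outside the list, or a quoted value that was never closed) is caught at the point where it is easiest to correct, and the printed argument is already safe to paste after -dn.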
-verbose
specifies that complete information associated with the command string should be
displayed.
Renewing a Certificate
When requesting a renewal certificate for the iTP Secure WebServer, you must
generate a new key pair by specifying the name of a new key database file in which
the certificate will be stored. To renew a certificate, perform these steps:
1. Generate a certificate request. For more details, see Creating a Certificate Request.
2. Follow the instructions provided by your CA (for example, on their web page) and
send the resulting certificate request (in the file designated by -mkreq or in
cert-req.txt) to them via email for processing. For more details, see
Requesting a Certificate.
3. Add the certificate from the CA. For more details, see Adding a Certificate to the Key
Database File.
4. Update the httpd.stl.config file if the certificate is different from the request.
5. Restart the iTP WebServer.
With the existing key database file, you can renew the certificate using either of these approaches:
• Use the same Certificate Signing Request (CSR) and key pair that were used for the
existing certificate to get a certificate for the same DN with extended validity.
• Generate a different key pair and CSR for the same DN to get a new certificate.
Note. Use the keyadmin utility with the -list -keydb <keydb> command to view the
information in the key database file. For more details, see Adding Certificates With DNs That are
Different From the Key Generation DN.
Note. If you use the second approach to renew a certificate, you must delete the old
entry from the key database file. Otherwise, the key database file cannot identify the proper
certificate.