How to issue certificates with Subject Alternative Name (SAN) for NNMi?
As security and cryptography requirements change, many browsers will require server certificates to contain the Subject Alternative Name (SAN) parameter.
This applies especially to the Google Chrome browser, which enforces the requirement on any certificate used by a server.
Many valid certificates can still produce the error below in the web browser:
When CA certificates are required for NNMi, the operation below can be used to generate a new key pair and add the SAN parameter to the self-signed certificate and to the certificate signing request.
The commands described here should serve as an addition to the established guide in the official NNMi documentation.
- Generate a new key pair containing the SAN parameter:
1. Remove nnm-key.p12 from
Windows: %NNMDataDir%\shared\nnm\certificates
Unix: /var/opt/OV/shared/nnm/certificates/
2. Run the command below to generate a new key pair and an nnm-key.p12 file that contains the SAN values.
Windows:
%NNMInstallDir%\bin\nnmkeytool.ovpl -genkeypair -validity 3650 -keyalg rsa -keystore %NNMDataDir%\shared\nnm\certificates\nnm-key.p12 -storetype PKCS12 -ext san=dns:host1.domain.org,dns:host2.domain.org -storepass nnmkeypass -alias <alias>
Unix:
/opt/OV/bin/nnmkeytool.ovpl -genkeypair -validity 3650 -keyalg rsa -keystore /var/opt/OV/shared/nnm/certificates/nnm-key.p12 -storetype PKCS12 -ext san=dns:host1.domain.org,dns:host2.domain.org -storepass nnmkeypass -alias <alias>
It is a good idea to use the server FQDN as the alias.
When viewing the newly generated self-signed certificate, the information below should be present:
- Generate a CSR (Certificate Signing Request) containing the SAN parameter:
1. Run the command below:
Windows:
%NNMInstallDir%\bin\nnmkeytool.ovpl -certreq -keystore %NNMDataDir%\shared\nnm\certificates\nnm-key.p12 -storetype PKCS12 -storepass nnmkeypass -alias <alias> -file <file.csr> -ext san=dns:host1.domain.org,dns:host2.domain.org
Unix:
/opt/OV/bin/nnmkeytool.ovpl -certreq -keystore /var/opt/OV/shared/nnm/certificates/nnm-key.p12 -storetype PKCS12 -storepass nnmkeypass -alias <alias> -file <file.csr> -ext san=dns:host1.domain.org,dns:host2.domain.org
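Before the CSR goes to the CA, it is worth confirming that every expected host name is really in its SAN list. The script below is an added example, not part of the original article or of the NNMi tooling; it assumes OpenSSL is installed and parses the text dump from `openssl req -in <file.csr> -noout -text` (the same layout `openssl x509 -text` prints for the self-signed certificate). The function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example. Typical use on a real request:
#   openssl req -in <file.csr> -noout -text | missing_san_names host1.domain.org host2.domain.org

# san_dns_names: read an OpenSSL text dump on stdin and print every
# SAN DNS entry on its own line, lower-cased.
san_dns_names() {
    awk '
        grab {                      # the line right after the SAN header
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++) {
                entry = parts[i]
                gsub(/^[ \t]+|[ \t\r]+$/, "", entry)
                if (entry ~ /^DNS:/) print tolower(substr(entry, 5))
            }
            grab = 0
        }
        /X509v3 Subject Alternative Name/ { grab = 1 }
    '
}

# missing_san_names HOST...: print each expected host that is absent from
# the SAN list read on stdin; return 0 only when nothing is missing.
missing_san_names() {
    found=$(san_dns_names)
    status=0
    for host in "$@"; do
        want=$(printf '%s' "$host" | tr 'A-Z' 'a-z')
        if ! printf '%s\n' "$found" | grep -Fqx -- "$want"; then
            printf '%s\n' "$host"
            status=1
        fi
    done
    return $status
}

# Constructed sample: trimmed text dump of a CSR that carries two SAN names.
sample_csr_dump() {
    cat <<'EOF'
Certificate Request:
    Data:
        Subject: CN = host1.domain.org
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:host1.domain.org, DNS:host2.domain.org
    Signature Algorithm: sha256WithRSAEncryption
EOF
}

# Demo on the constructed sample: host3.domain.org is reported as missing.
sample_csr_dump | missing_san_names host1.domain.org host3.domain.org || echo "names above are missing from the SAN list"
```

A non-zero exit status with a list of names means the request should be regenerated with the full `-ext san=...` value before it is submitted.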